National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Apache
There are 1,572 matching records.
Displaying matches 1481 through 1500.
Vuln ID Summary CVSS Severity
CVE-2003-0042

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.

Published: February 07, 2003; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2003-0043

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.

Published: February 07, 2003; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2003-0044

Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.

Published: February 07, 2003; 12:00:00 AM -05:00
V2: 6.8 MEDIUM
CVE-2003-0045

Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.

Published: February 07, 2003; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-1394

Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.

Published: January 17, 2003; 12:00:00 AM -05:00
V2: 7.5 HIGH
CVE-2002-1635

The Apache configuration file (httpd.conf) in Oracle 9i Application Server (9iAS) uses a Location alias for /perl directory instead of a ScriptAlias, which allows remote attackers to read the source code of arbitrary CGI files via a URL containing the /perl directory instead of /cgi-bin.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-1658

Buffer overflow in htdigest in Apache 1.3.26 and 1.3.27 may allow attackers to execute arbitrary code via a long user argument. NOTE: since htdigest is normally only locally accessible and not setuid or setgid, there are few attack vectors which would lead to an escalation of privileges, unless htdigest is executed from a CGI program. Therefore this may not be a vulnerability.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 4.6 MEDIUM
CVE-2002-1793

HTTP Server mod_ssl module running on HP-UX 11.04 with Virtualvault OS (VVOS) 4.5 through 4.6 closes the connection when the Apache server times out during an SSL request, which may allow attackers to cause a denial of service.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-1850

mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly remote attackers to cause a denial of service (hang and memory consumption) by causing a CGI script to send a large amount of data to stderr, which results in a read/write deadlock between httpd and the CGI script.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-1895

The servlet engine in Jakarta Apache Tomcat 3.3 and 4.0.4, when using IIS and the ajp1.3 connector, allows remote attackers to cause a denial of service (crash) via a large number of HTTP GET requests for an MS-DOS device such as AUX, LPT1, CON, or PRN.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-2006

The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-2007

The default installations of Apache Tomcat 3.2.3 and 3.2.4 allows remote attackers to obtain sensitive system information such as directory listings and web root path, via erroneous HTTP requests for Java Server Pages (JSP) in the (1) test/jsp, (2) samples/jsp and (3) examples/jsp directories, or the (4) test/realPath.jsp servlet, which leaks pathnames in error messages.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-2008

Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-2009

Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3) </, and (4) %20/, which leaks the pathname in an error message.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-2012

Unknown vulnerability in Apache 1.3.19 running on HP Secure OS for Linux 1.0 allows remote attackers to cause "unexpected results" via an HTTP request.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-2029

PHP, when installed on Windows with Apache and ScriptAlias for /php/ set to c:/php/, allows remote attackers to read arbitrary files and possibly execute arbitrary programs via an HTTP request for php.exe with a filename in the query string.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 7.5 HIGH
CVE-2002-2103

Apache before 1.3.24, when writing to the log file, records a spoofed hostname from the reverse lookup of an IP address, even when a double-reverse lookup fails, which allows remote attackers to hide the original source of activities.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM
CVE-2002-2272

Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 7.8 HIGH
CVE-2002-2309

php.exe in PHP 3.0 through 4.2.2, when running on Apache, does not terminate properly, which allows remote attackers to cause a denial of service via a direct request without arguments.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 7.8 HIGH
CVE-2002-2310

ClickCartPro 4.0 stores the admin_user.db data file under the web document root with insufficient access control on servers other than Apache, which allows remote attackers to obtain usernames and passwords.

Published: December 31, 2002; 12:00:00 AM -05:00
V2: 5.0 MEDIUM