National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Apache
There are 1,610 matching records.
Displaying matches 1541 through 1560.
Vuln ID Summary CVSS Severity
CVE-2002-0839

The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].pid and parent[].last_rtime segments in the scoreboard.

Published: October 11, 2002; 12:00:00 AM -04:00
V2: 7.2 HIGH
CVE-2002-0840

Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.

Published: October 11, 2002; 12:00:00 AM -04:00
V2: 6.8 MEDIUM
CVE-2002-0843

Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.

Published: October 11, 2002; 12:00:00 AM -04:00
V2: 7.5 HIGH
CVE-2002-1148

The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.

Published: October 11, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2002-1156

Apache 2.0.42 allows remote attackers to view the source code of a CGI script via a POST request to a directory with both WebDAV and CGI enabled.

Published: October 11, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2002-0935

Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang.

Published: October 04, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2002-0936

The Java Server Pages (JSP) engine in Tomcat allows web page owners to cause a denial of service (engine crash) on the web server via a JSP page that calls WPrinterJob().pageSetup(null,null).

Published: October 04, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2002-1593

mod_dav in Apache before 2.0.42 does not properly handle versioning hooks, which may allow remote attackers to kill a child process via a null dereference and cause a denial of service (CPU consumption) in a preforked multi-processing module.

Published: September 25, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2002-0654

Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to determine the full pathname of the server via (1) a request for a .var file, which leaks the pathname in the resulting error message, or (2) via an error message that occurs when a script (child process) cannot be invoked.

Published: September 05, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2002-0493

Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.

Published: August 12, 2002; 12:00:00 AM -04:00
V2: 7.5 HIGH
CVE-2002-0513

The PHP administration script in popper_mod 1.2.1 and earlier relies on Apache .htaccess authentication, which allows remote attackers to gain privileges if the script is not appropriately configured by the administrator.

Published: August 12, 2002; 12:00:00 AM -04:00
V2: 10.0 HIGH
CVE-2002-0658

OSSP mm library (libmm) before 1.2.0 allows the local Apache user to gain privileges via temporary files, possibly via a symbolic link attack.

Published: August 12, 2002; 12:00:00 AM -04:00
V2: 6.2 MEDIUM
CVE-2002-0661

Directory traversal vulnerability in Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to read arbitrary files and execute commands via .. (dot dot) sequences containing \ (backslash) characters.

Published: August 12, 2002; 12:00:00 AM -04:00
V2: 7.5 HIGH
CVE-2002-0682

Cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows remote attackers to execute script as other web users via script in a URL with the /servlet/ mapping, which does not filter the script when an exception is thrown by the servlet.

Published: July 23, 2002; 12:00:00 AM -04:00
V2: 7.5 HIGH
CVE-2002-0653

Off-by-one buffer overflow in the ssl_compat_directive function, as called by the rewrite_command hook for mod_ssl Apache module 2.8.9 and earlier, allows local users to execute arbitrary code as the Apache server user via .htaccess files with long entries.

Published: July 11, 2002; 12:00:00 AM -04:00
V2: 4.6 MEDIUM
CVE-2002-0392

Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.

Published: July 03, 2002; 12:00:00 AM -04:00
V2: 7.5 HIGH
CVE-2002-0240

PHP, when installed with Apache and configured to search for index.php as a default web page, allows remote attackers to obtain the full pathname of the server via the HTTP OPTIONS method, which reveals the pathname in the resulting error message.

Published: May 29, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2002-0249

PHP for Windows, when installed on Apache 2.0.28 beta as a standalone CGI module, allows remote attackers to obtain the physical path of the php.exe via a request with malformed arguments such as /123, which leaks the pathname in the error message.

Published: May 29, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM
CVE-2002-0259

InstantServers MiniPortal 1.1.5 and earlier stores sensitive login and account data in plaintext in (1) .pwd files in the miniportal/apache directory, or (2) mplog.txt, which could allow local users to gain privileges.

Published: May 29, 2002; 12:00:00 AM -04:00
V2: 4.6 MEDIUM
CVE-2002-1592

The ap_log_rerror function in Apache 2.0 through 2.035, when a CGI application encounters an error, sends error messages to the client that include the full path for the server, which allows remote attackers to obtain sensitive information.

Published: May 06, 2002; 12:00:00 AM -04:00
V2: 5.0 MEDIUM