National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:apache:http_server:2.4.6
There are 33 matching records.
Displaying matches 21 through 33.
Vuln ID Summary CVSS Severity
CVE-2015-3184

mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

Published: August 12, 2015; 10:59:10 AM -04:00
V2: 5.0 MEDIUM
CVE-2015-3185

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

Published: July 20, 2015; 07:59:03 PM -04:00
V2: 4.3 MEDIUM
CVE-2015-3183

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.

Published: July 20, 2015; 07:59:02 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-0228

The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.

Published: March 07, 2015; 09:59:00 PM -05:00
V2: 5.0 MEDIUM
CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

Published: December 29, 2014; 06:59:00 PM -05:00
V2: 4.3 MEDIUM
CVE-2014-3523

Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

Published: July 20, 2014; 07:12:50 AM -04:00
V2: 5.0 MEDIUM
CVE-2014-0231

The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

Published: July 20, 2014; 07:12:48 AM -04:00
V2: 5.0 MEDIUM
CVE-2014-0226

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

Published: July 20, 2014; 07:12:48 AM -04:00
V2: 6.8 MEDIUM
CVE-2014-0118

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.

Published: July 20, 2014; 07:12:48 AM -04:00
V2: 4.3 MEDIUM
CVE-2014-0117

The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header.

Published: July 20, 2014; 07:12:48 AM -04:00
V2: 4.3 MEDIUM
CVE-2013-4352

The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger a missing hostname value.

Published: July 20, 2014; 07:12:48 AM -04:00
V2: 4.3 MEDIUM
CVE-2014-0098

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.

Published: March 18, 2014; 01:18:18 AM -04:00
V2: 5.0 MEDIUM
CVE-2013-6438

The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.

Published: March 18, 2014; 01:18:18 AM -04:00
V2: 5.0 MEDIUM