Search Results (Refine Search)
- CPE Product Version: cpe:/a:apache:http_server:2.2.20
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2013-6438 |
The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request. Published: March 18, 2014; 1:18:18 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2013-1896 |
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI. Published: July 10, 2013; 4:55:01 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-1862 |
mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. Published: June 10, 2013; 1:55:01 PM -0400 |
V3.x:(not available) V2.0: 5.1 MEDIUM |
CVE-2012-4558 |
Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string. Published: February 26, 2013; 11:55:01 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-3499 |
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. Published: February 26, 2013; 11:55:01 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-4557 |
The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request. Published: November 30, 2012; 2:55:01 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-2687 |
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. Published: August 22, 2012; 3:55:01 PM -0400 |
V3.x:(not available) V2.0: 2.6 LOW |
CVE-2012-0883 |
envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl. Published: April 18, 2012; 6:33:33 AM -0400 |
V3.x:(not available) V2.0: 6.9 MEDIUM |
CVE-2012-0053 |
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script. Published: January 27, 2012; 11:05:00 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-0021 |
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value. Published: January 27, 2012; 11:05:00 PM -0500 |
V3.x:(not available) V2.0: 2.6 LOW |
CVE-2012-0031 |
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function. Published: January 18, 2012; 3:55:02 PM -0500 |
V3.x:(not available) V2.0: 4.6 MEDIUM |
CVE-2011-4317 |
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368. Published: November 29, 2011; 11:05:58 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-4415 |
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607. Published: November 08, 2011; 6:55:05 AM -0500 |
V3.x:(not available) V2.0: 1.2 LOW |
CVE-2011-3607 |
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. Published: November 08, 2011; 6:55:05 AM -0500 |
V3.x:(not available) V2.0: 4.4 MEDIUM |
CVE-2011-3368 |
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. Published: October 05, 2011; 6:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2011-3348 |
The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request. Published: September 20, 2011; 1:55:02 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2008-0455 |
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file. Published: January 24, 2008; 8:00:00 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |