Search Results (Refine Search)
- CPE Product Version: cpe:/a:apache:http_server:2.4.9
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2014-8109 |
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. Published: December 29, 2014; 6:59:00 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-3581 |
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header. Published: October 10, 2014; 6:55:07 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-3523 |
Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests. Published: July 20, 2014; 7:12:50 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-0231 |
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-0226 |
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2014-0118 |
The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-0117 |
The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Published: July 20, 2014; 7:12:48 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-5704 |
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such." Published: April 15, 2014; 6:55:11 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |