Vulnerabilities (CVE)

Vendor filter: Apache (1123 total CVEs)
CVE | Vendors (count: names) | Products (count: names) | Updated | CVSS
CVE-2018-1333 | 1: Apache | 1: Http Server | 2019-02-19 | 5.0
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (affected 2.4.18-2.4.30, 2.4.33).
CVE-2018-1312 | 2: Apache, Debian | 2: Http Server, Debian Linux | 2019-02-19 | 6.8
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication...
CVE-2018-1303 | 2: Apache, Debian | 2: Http Server, Debian Linux | 2019-02-19 | 5.0
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out-of-bounds read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users...
CVE-2018-1302 | 2: Apache, Debian | 2: Http Server, Debian Linux | 2019-02-19 | 4.3
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could potentially have written a NULL pointer to already freed memory. The memory pools maintained by the server make this vulnerability...
CVE-2018-1301 | 2: Apache, Debian | 2: Http Server, Debian Linux | 2019-02-19 | 4.3
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out-of-bounds access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to...
CVE-2018-1283 | 2: Apache, Debian | 2: Http Server, Debian Linux | 2019-02-19 | 3.5
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the...
CVE-2018-11763 | 4: Apache, Oracle, Canonical and 1 more | 4: Http Server, Secure Global Desktop, Ubuntu Linux and 1 more | 2019-02-19 | 4.3
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming into effect. This affects only HTTP/2 connections. A possible...
CVE-2017-15715 | 2: Apache, Debian | 2: Http Server, Debian Linux | 2019-02-19 | 6.8
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of...
CVE-2017-15710 | 3: Apache, Canonical, Debian | 3: Http Server, Ubuntu Linux, Debian Linux | 2019-02-19 | 5.0
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials....
CVE-2018-17189 | 2: Apache, Netapp | 2: Http Server, Santricity Cloud Connector | 2019-02-15 | 5.0
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slowloris fashion to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2...
CVE-2018-17199 | 3: Apache, Netapp, Debian | 3: Http Server, Santricity Cloud Connector, Debian Linux | 2019-02-15 | 5.0
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the...
CVE-2019-0190 | 3: Apache, Netapp, Openssl | 3: Http Server, Santricity Cloud Connector, Openssl | 2019-02-15 | 5.0
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can only be triggered with Apache HTTP...
CVE-2018-17188 | 1: Apache | 1: Couchdb | 2019-02-14 | 6.5
Prior to CouchDB version 2.3.0, CouchDB allowed for runtime configuration of key components of the database. In some cases, this led to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user....
CVE-2018-17191 | 1: Apache | 1: Netbeans | 2019-02-14 | 7.5
Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration (PAC) interpretation is vulnerable to remote command execution (RCE). Using the Nashorn script engine, the environment of the JavaScript execution for the Proxy Auto-Configuration...
CVE-2017-5656 | 1: Apache | 1: Cxf | 2019-02-14 | 5.0
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for...
CVE-2018-8039 | 2: Apache, Redhat | 2: Cxf, Jboss Enterprise Application Platform | 2019-02-14 | 6.8
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try...
CVE-2015-7520 | 1: Apache | 1: Wicket | 2019-02-13 | 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script...
CVE-2016-1182 | 1: Apache | 1: Struts | 2019-02-13 | 6.4
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related...
CVE-2016-1181 | 2: Apache, Oracle | 3: Struts, Portal, Banking Platform | 2019-02-13 | 6.8
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart...
CVE-2016-3092 | 4: Hp, Apache, Debian and 1 more | 6: Ubuntu Linux, Tomcat, Debian Linux and 3 more | 2019-02-13 | 7.8
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of...