CVE-2009-1955
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to…
All CVEs associated with "Apache HTTP Server". Page 3/3 • 308 CVEs.
A curated feed of “Apache HTTP Server”-related CVEs appears below. We currently track 308 CVEs for this tag (all time). In the last 365 days, 25 were published. Average CVSS is 6.4 (all time; 7.2 over 365d), and 45% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-918 - Server-Side Request Forgery (SSRF), CWE-476 - NULL Pointer Dereference, CWE-125 - Out-of-bounds Read.
In our taxonomy this topic maps to a MODERATE impact class. Web servers, proxies and the databases behind them usually need coordinated restarts and configuration checks when patched. Prioritise fixes for the modules you actually load (the entries below cluster around mod_proxy*, mod_dav, mod_status, mod_mime and suexec), verify that TLS and authentication settings still hold after an upgrade, and tune request limits. Each detail page highlights vendor advisories and mitigation tips.
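Several entries on this page share two configuration patterns rather than a code bug: an administrative handler (server-status, balancer-manager) left reachable by anyone, and mod_mime handlers keyed on any extension in the filename, so that a double-extension upload runs as PHP. The following audit script is an added example written for this page, not code from the Apache project or from any CVE; the httpd.conf fragment it scans is constructed here, the finding codes are made up for the example, and the "public unless restricted" rule is a heuristic that assumes unnested blocks and standard 2.2/2.4 access-control directives.

```python
"""Audit an httpd configuration for the recurring exposures on this page:
public admin handlers, ExtendedStatus on a public status page, and
mod_mime handlers that apply to any extension in a filename."""
import re

# Constructed sample configuration for the example (not a real deployment).
SAMPLE_CONF = r"""
LoadModule status_module modules/mod_status.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
ExtendedStatus On

# Weak: server-status with no access control at all
<Location /server-status>
    SetHandler server-status
</Location>

# Weak: balancer-manager explicitly opened to everyone
<Location /balancer-manager>
    SetHandler balancer-manager
    Require all granted
</Location>

# Weak: mod_mime runs the PHP handler for any name containing .php (foo.php.jpg)
AddHandler application/x-httpd-php .php

# Good: handler keyed on the final extension only
<FilesMatch "\.phtml$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Good: status page restricted to an internal range
<Location /private-status>
    SetHandler server-status
    Require ip 10.0.0.0/8
</Location>
"""

ADMIN_HANDLERS = {"server-status", "balancer-manager"}
OPEN_RE = re.compile(r"^<(\w+)\s+(.+?)\s*>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_config(conf):
    """Split a config into top-level directives and container blocks.
    Assumption: blocks are not nested (true for the handler blocks audited here)."""
    top, blocks, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            current = {"tag": m.group(1), "arg": m.group(2), "directives": []}
            continue
        if CLOSE_RE.match(line):
            blocks.append(current)
            current = None
            continue
        parts = line.split()
        (current["directives"] if current else top).append((parts[0], parts[1:]))
    return top, blocks


def is_public(directives):
    """Heuristic: a block is public unless an access-control directive restricts it.
    'Require all granted' (2.4) and 'Allow from all' (2.2) explicitly open it."""
    restricted = False
    for name, args in directives:
        n, a = name.lower(), [x.lower() for x in args]
        if n == "require":
            if a == ["all", "granted"]:
                return True
            restricted = True
        elif n == "allow" and a == ["from", "all"]:
            return True
        elif n in ("order", "deny", "authtype"):
            restricted = True
    return not restricted


def audit(conf):
    """Return findings as (code, handler_or_type, location) tuples."""
    top, blocks = parse_config(conf)
    findings, public_status = [], []
    for b in blocks:
        for name, args in b["directives"]:
            if name.lower() == "sethandler" and args and args[0].lower() in ADMIN_HANDLERS:
                if is_public(b["directives"]):
                    findings.append(("PUBLIC_ADMIN_HANDLER", args[0], b["arg"]))
                    if args[0].lower() == "server-status":
                        public_status.append(b["arg"])
    # ExtendedStatus only matters when a status page is reachable by untrusted clients.
    if any(n.lower() == "extendedstatus" and a and a[0].lower() == "on" for n, a in top):
        for loc in public_status:
            findings.append(("EXTENDED_STATUS_PUBLIC", "server-status", loc))
    # AddHandler/AddType match any extension in the name; FilesMatch on "\.ext$" does not.
    for name, args in top:
        if name.lower() in ("addhandler", "addtype") and args:
            t = args[0].lower()
            if "php" in t or t == "cgi-script":
                findings.append(("MULTI_EXT_HANDLER", args[0], " ".join([name] + args)))
    return findings


if __name__ == "__main__":
    for code, handler, where in audit(SAMPLE_CONF):
        print(f"{code}: {handler} at {where}")
```

Run against the sample it reports the two public admin pages, the ExtendedStatus exposure on /server-status, and the AddHandler line, and stays silent on the restricted /private-status block and the FilesMatch-scoped PHP handler. The cgi-script check is a generalisation beyond the PHP cases listed on this page, since mod_mime treats both handlers the same way.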
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .…
The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) O…
mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no…
Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attac…
Multiple unspecified vulnerabilities in DFLabs PTK 1.0.0 through 1.0.4 allow remote attackers to execute arbitrary commands in processes launched by PTK's Apache HTTP Server via (1) "external tools"…
SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x, when configured to use a multibyte character set that allo…
Novell NetWare 6.5 before Support Pack 8, when an OES2 Linux server is installed into the NDS tree, does not require a password for the ApacheAdmin console, which allows remote attackers to reconfigu…
Multiple unspecified vulnerabilities in the ModSecurity (aka mod_security) module 2.5.0 through 2.5.5 for the Apache HTTP Server, when SecCacheTransformations is enabled, allow remote attackers to ca…
Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multipl…
The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allo…
Interpretation conflict in PHP Toolkit before 1.0.1 on Gentoo Linux might allow local users to cause a denial of service (PHP outage) and read contents of PHP scripts by creating a file with a one-le…
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier…
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x…
Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors.
Unspecified vulnerability in mod_proxy_balancer for Apache HTTP Server 2.2.x before 2.2.7-dev, when running on Windows, allows remote attackers to trigger memory corruption via a long URL. NOTE: the…
Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the…
Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows r…
The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial…
Apache HTTP Server, when running on Linux with a document root on a Windows share mounted using smbfs, allows remote attackers to obtain unprocessed content such as source files for .php programs via…
Gekko 0.8.2 and earlier stores sensitive information under the web root with possibly insufficient access control, which might allow remote attackers to read certain files under temp/, as demonstrate…
SQL injection vulnerability in the David Castro AuthCAS module (AuthCAS.pm) 0.4 for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the SESSION_COOKIE_NAME (sessi…
Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server…
Multiple PHP remote file inclusion vulnerabilities in tellmatic 1.0.7 allow remote attackers to execute arbitrary PHP code via a URL in the tm_includepath parameter to (1) Classes.inc.php, (2) statis…
Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might all…
Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows…
Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbit…
Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a…
Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote…
cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service…
mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protec…
suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized ope…
suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary…
Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation, and their usage, allow local users to gain privileges and execute arbitrary code by renam…
Directory traversal vulnerability in login.php in JSBoard before 2.0.12 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the table parameter, as demonstrated…
Directory traversal vulnerability in inc/lang.php in sBLOG 0.7.3 Beta allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the conf_lang_default parameter, as de…
Directory traversal vulnerability in addressbook.php in the Addressbook 1.2 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module_n…
Directory traversal vulnerability in bbcode_ref.php in the Giorgio Ciranni Splatt Forum 4.0 RC1 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot…
Directory traversal vulnerability in index.php in GeBlog 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[tplname] parameter, as demonstrated…
Directory traversal vulnerability in themes/default/ in ZomPlog 3.7.6 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) in the settings[skin] parameter, as demon…
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers…
The Debian GNU/Linux 033_-F_NO_SETSID patch for the Apache HTTP Server 1.3.34-4 does not properly disassociate httpd from a controlling tty when httpd is started interactively, which allows local use…
Directory traversal vulnerability in zd_numer.php in Galeria Zdjec 3.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the galeria parameter, as…
The BEA WebLogic Server proxy plug-in before June 2006 for the Apache HTTP Server does not properly handle protocol errors, which allows remote attackers to cause a denial of service (server outage).
Directory traversal vulnerability in index.php in L2J Statistik Script 0.09 and earlier, when register_globals is enabled and magic_quotes is disabled, allows remote attackers to include and execute…
The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that s…
Directory traversal vulnerability in language.php in VerliAdmin 0.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot…
Directory traversal vulnerability in includes/search/search_mdforum.php in MAXdev MDForum 2.0.1 and earlier, when magic_quotes_gpc is disabled and register_globals is enabled, allows remote attackers…
Directory traversal vulnerability in language.php in phpAlbum 0.4.1 Beta 6 and earlier, when magic_quotes_gpc is disabled and register_globals is enabled, allows remote attackers to include and execu…
Directory traversal vulnerability in error.php in Envolution 1.1.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PNSVlang (PNSV lang) para…
Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrar…
Directory traversal vulnerability in manager/index.php in Etomite 0.6.1.2 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the f parameter…
Directory traversal vulnerability in lang.php in Rama CMS 0.68 and earlier, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) i…
Directory traversal vulnerability in error.php in PostNuke 0.763 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PNSVlang (PNSV lang) cookie…
Directory traversal vulnerability in templates/header.php3 in phpMyAgenda 3.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language param…
PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets th…
Directory traversal vulnerability in SZEWO PhpCommander 3.0 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Directory paramet…
DeluxeBB 1.06 and earlier, when run on the Apache HTTP Server with the mod_mime module, allows remote attackers to execute arbitrary PHP code by uploading files with double extensions via the fileupl…
Directory traversal vulnerability in memcp.php in XMB (Extreme Message Board) 1.9.6 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences…
Directory traversal vulnerability in index.php in vbPortal 3.0.2 through 3.6.0 Beta 1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via dire…
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect…
PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more…
Unrestricted file upload vulnerability in Segue CMS before 1.3.6, when the Apache HTTP Server handles .phtml files with the PHP interpreter, allows remote attackers to upload and execute arbitrary PH…
The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct X…
Apache HTTP Server 2.0.47 and earlier allows local users to bypass .htaccess file restrictions, as specified in httpd.conf with directives such as Deny From All, by using an ErrorDocument directive.…
The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated…
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, wh…
A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which ge…