2.2.28

DATE	CVE	VULNERABILITY TITLE	RISK
2018-03-09	CVE-2016-8612	Apache HTTP Server mod_cluster before version httpd 2.4.23 is vulnerable to an Improper Input Validation in the protocol parsing logic in the load balancer resulting in a Segmentation Fault in the serving httpd process. low complexity apache redhat netapp	4.3
2017-09-18	CVE-2017-9798	Use After Free vulnerability in multiple products Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. network low complexity apache debian CWE-416	7.5
2017-07-27	CVE-2016-8743	Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. network low complexity apache netapp debian redhat	7.5
2017-07-13	CVE-2017-9788	Improper Input Validation vulnerability in multiple products In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. network low complexity apache debian apple netapp redhat oracle CWE-20 critical	9.1
2017-06-20	CVE-2017-7679	Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apache Http Server In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. network low complexity apache CWE-119 critical	9.8
2017-06-20	CVE-2017-3167	Improper Authentication vulnerability in multiple products In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. network low complexity apache netapp redhat apple debian oracle CWE-287 critical	9.8
2016-07-19	CVE-2016-5387	The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. network high complexity apache hp oracle fedoraproject redhat debian canonical opensuse	8.1