Vulnerabilities > Apache > Http Server > 2.4.24

DATE CVE VULNERABILITY TITLE RISK
2018-03-26 CVE-2018-1303 Out-of-bounds Read vulnerability in multiple products
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory.
network
low complexity
apache debian canonical netapp CWE-125
7.5
7.5
2018-03-26 CVE-2018-1302 NULL Pointer Dereference vulnerability in multiple products
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory.
network
high complexity
apache canonical netapp CWE-476
5.9
5.9
2018-03-26 CVE-2018-1301 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header.
network
high complexity
apache debian canonical netapp redhat CWE-119
5.9
5.9
2018-03-26 CVE-2018-1283 In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header.
network
high complexity
apache debian canonical netapp redhat
5.3
5.3
2018-03-26 CVE-2017-15715 Improper Input Validation vulnerability in multiple products
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename.
network
high complexity
apache debian canonical netapp redhat CWE-20
8.1
8.1
2017-07-26 CVE-2017-7659 NULL Pointer Dereference vulnerability in Apache Http Server 2.4.24/2.4.25
A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process.
network
low complexity
apache CWE-476
7.5
7.5
2017-07-13 CVE-2017-9788 Improper Input Validation vulnerability in multiple products
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest.
network
low complexity
apache debian apple netapp redhat oracle CWE-20
critical
 9.1
9.1
2017-06-20 CVE-2017-7679 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apache Http Server
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.
network
low complexity
apache CWE-119
critical
 9.8
9.8
2017-06-20 CVE-2017-7668 Out-of-bounds Read vulnerability in multiple products
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string.
network
low complexity
apache netapp redhat debian oracle apple CWE-125
7.5
7.5
2017-06-20 CVE-2017-3167 Improper Authentication vulnerability in multiple products
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
network
low complexity
apache netapp redhat apple debian oracle CWE-287
critical
 9.8
9.8