Recent CVEs
CVE-2024-40725
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
CVE-2024-40898
SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context potentially allows NTLM hashes to be leaked to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
CVE-2024-39884
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
CVE-2023-25690
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
CVE-2021-26691
In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server could cause a heap overflow.
CVE-2021-26690
In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial of Service.
CVE-2020-35452
In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor could the Apache HTTP Server team create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow.
CVE-2020-13938
In Apache HTTP Server versions 2.4.0 to 2.4.46, unprivileged local users can stop httpd on Windows.