Apache 2.0 — Vulnerabilities

Critical 10.0

2003-10-30< 2.0.48

security flaw

CVE

Critical 10.0

2005-09-06< 2.0.55

security flaw

CVE

Critical 10.0

2010-03-05≥ 2.0.37 and ≤ 2.0.63

CVE

Critical 9.8 Unfixed

2018-03-26≤ 2.0.65

httpd: Weak Digest auth nonce generation in mod_auth_digest

CVE

High 7.8

2004-09-17≥ 2.0.35 and ≤ 2.0.50

security flaw

CVE

High 7.8

2011-08-29< 2.0.65

httpd: multiple ranges DoS

CVE

High 7.6

2006-07-28< 2.0.59

CVE

High 7.5 Unfixed

0000-00-00≤ 2.0.65

Mod_auth_openidc: dos via empty post in mod_auth_openidc with oidcpreservepost enabled

CVE

High 7.5 Unfixed

2009-01-22≤ 2.0.65

mod_auth_mysql: character encoding SQL injection flaw

CVE

High 7.5

2005-04-27= 2.0.52

CVE

High 7.5 Unfixed

2018-03-26≥ 2.0.23 and ≤ 2.0.65

httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values

CVE

High 7.5

2003-04-02< 2.0.34

CVE

High 7.5

2005-06-28≥ 2.0.39 and ≤ 2.0.40

CVE

High 7.5

2003-04-02< 2.0.37

security flaw

CVE

High 7.5

2002-08-10< 2.0.40

CVE

High 7.5

2004-09-01< 2.0.44

CVE

High 7.5

2004-03-25< 2.0.49

security flaw

CVE

High 7.5

2004-05-28< 2.0.50

mod_ssl ssl_util_uuencode_binary CA issue

CVE

High 7.5

2004-09-24< 2.0.52

CVE

High 7.5

2004-10-16< 2.0.53

mod_ssl SSLCipherSuite bypass

CVE

High 7.4 Unfixed

2025-07-10≤ 2.0.65

Apache HTTP Server: mod_ssl TLS upgrade attack

CVE

High 7.2

2005-08-16≤ 2.0.47

CVE

High 7.2

2003-10-30< 2.0.48

security flaw

CVE

High 7.1

2009-07-10≥ 2.0.35 and < 2.0.64

httpd: possible temporary DoS (CPU consumption) in mod_deflate

CVE

Medium 6.8

2006-10-16≤ 2.0.58

CVE

Medium 6.8

2004-09-01< 2.0.43

security flaw

CVE

Medium 6.4

2003-07-10< 2.0.47

security flaw

CVE

Medium 6.4

2004-06-30< 2.0.50

security flaw

CVE

Medium 6.1

2007-09-14< 2.0.61

mod_autoindex XSS

CVE

Medium 5.4

2006-01-06< 2.0.58

security flaw

CVE

Medium 5.1

2013-06-10< 2.0.65

httpd: mod_rewrite allows terminal escape sequences to be written to the log file

CVE

Medium 5.0

2004-09-01≤ 2.0.48

CVE

Medium 5.0

2004-09-01≤ 2.0.48

CVE

Medium 5.0

2002-05-03= 2.0.28

CVE

Medium 5.0

2002-05-03= 2.0.28

CVE

Medium 5.0

2011-12-27≤ 2.0.63

httpd: Apache Slowloris denial of service

CVE

Medium 5.0

2005-03-13< 2.0.36

CVE

Medium 5.0

2002-08-20< 2.0.40

CVE

Medium 5.0

2005-03-13< 2.0.42

CVE

Medium 5.0

2004-09-01< 2.0.43

CVE

Medium 5.0

2004-09-01< 2.0.44

CVE

Medium 5.0

2003-04-03< 2.0.45

security flaw

CVE

Medium 5.0

2003-05-30≥ 2.0.37 and < 2.0.46

security flaw

CVE

Medium 5.0

2003-05-30≥ 2.0.40 and ≤ 2.0.45

security flaw

CVE

Medium 5.0

2003-04-03< 2.0.46

CVE

Medium 5.0

2003-03-28< 2.0.46

security flaw

CVE

Medium 5.0

2003-07-10< 2.0.47

security flaw

CVE

Medium 5.0

2003-07-10< 2.0.47

security flaw

CVE

Medium 5.0

2004-09-01< 2.0.49

security flaw

CVE

Medium 5.0

2004-09-01< 2.0.49

security flaw

CVE

Medium 5.0

2004-09-17< 2.0.51

security flaw

CVE

Medium 5.0

2004-09-17< 2.0.51

security flaw

CVE

Medium 5.0

2004-09-10< 2.0.51

security flaw

CVE

Medium 5.0

2004-09-10< 2.0.51

security flaw

CVE

Medium 5.0

2004-11-04< 2.0.53

security flaw

CVE

Medium 5.0

2005-10-25< 2.0.55

security flaw

CVE

Medium 5.0

2005-08-29< 2.0.55

security flaw

CVE

Medium 5.0

2005-08-05< 2.0.55

security flaw

CVE

Medium 5.0

2007-08-23≥ 2.0.35 and < 2.0.61

httpd: out of bounds read

CVE

Medium 5.0

2007-06-27< 2.0.61

httpd mod_cache segfault

CVE

Medium 5.0

2010-10-04≥ 2.0.35 and < 2.0.64

apr-util: high memory consumption in apr_brigade_split_line()

CVE

Medium 5.0

2010-07-28≥ 2.0.35 and < 2.0.64

mod_dav: DoS (httpd child process crash) by parsing URI structure with missing path segments

CVE

Medium 5.0

2009-11-03≥ 2.0.35 and < 2.0.64

expat: buffer over-read and crash on XML with malformed UTF-8 sequences

CVE

Medium 5.0

2009-12-04≥ 2.0.35 and < 2.0.64

expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences

CVE

Medium 5.0

2009-09-08≥ 2.0.35 and < 2.0.64

httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header

CVE

Medium 5.0

2008-06-13≥ 2.0.35 and < 2.0.64

httpd: mod_proxy_http DoS via excessive interim responses from the origin server

CVE

Medium 5.0

2011-10-05< 2.0.65

httpd: reverse web proxy vulnerability

CVE

Medium 4.9

2007-06-20= 2.0.59

CVE

Medium 4.7

2007-06-20< 2.0.61

httpd scoreboard lack of PID protection

CVE

Medium 4.6

2012-01-18< 2.0.65

httpd: possible crash on shutdown due to flaw in scoreboard handling

CVE

Medium 4.4

2011-11-08≤ 2.0.64

httpd: ap_pregsub Integer overflow to buffer overflow

CVE

Medium 4.3

2006-10-23≤ 2.0.48

CVE

Medium 4.3

2006-08-14= 2.0.58

CVE

Medium 4.3

2007-12-03≥ 2.0.46 and ≤ 2.0.59

httpd: Garbage before http method name is not escaped in a reply in case of errorneous request

CVE

Medium 4.3

2008-05-13≤ 2.0.61

httpd: XSS via UTF-7 encoded urls on the 403 Forbidden error page

CVE

Medium 4.3

2010-02-05= 2.0.44

CVE

Medium 4.3

2011-11-30≥ 2.0.11 and ≤ 2.0.64

httpd: http 0.9 request bypass of the reverse proxy vulnerability CVE-2011-3368 fix

CVE

Medium 4.3

2011-11-30≤ 2.0.64

httpd: uri scheme bypass of the reverse proxy vulnerability CVE-2011-3368 fix

CVE

Medium 4.3

2005-06-30≥ 2.0.35 and ≤ 2.0.54

security flaw

CVE

Medium 4.3

2005-12-13< 2.0.56

httpd cross-site scripting flaw in mod_imap

CVE

Medium 4.3

2007-06-27< 2.0.61

httpd mod_status XSS

CVE

Medium 4.3

2008-01-12< 2.0.63

mod_proxy_ftp XSS

CVE

Medium 4.3

2008-01-08< 2.0.62

apache mod_status cross-site scripting

CVE

Medium 4.3

2007-12-13< 2.0.63

httpd: mod_imagemap XSS

CVE

Medium 4.3

2010-03-05≥ 2.0.35 and < 2.0.64

httpd: request header information leak

CVE

Medium 4.3

2008-08-06< 2.0.64

httpd: mod_proxy_ftp globbing XSS

CVE

Medium 4.3

2012-01-28< 2.0.65

httpd: cookie exposure due to error responses

CVE

Medium 4.3

2011-05-16≤ 2.0.65

apr: unconstrained recursion in apr_fnmatch

CVE

Low 3.3

2005-07-14< 2.0.49

httpd: log files contain information directly supplied by clients and does not filter or quote control characters

CVE

Low 2.9

2001-02-14< 2.0.0

httpd: allows local users to overwrite arbitrary files via a symlink attack

CVE

Low 2.6

2008-01-25≤ 2.0.61

httpd: mod_negotiation CRLF injection via untrusted file names in directories with MultiViews enabled

CVE

Low 2.6

2010-02-05= 2.0.44

httpd: Injection of arbitrary text into log files when DNS resolution is enabled

CVE

Low 2.6

2009-09-08≥ 2.0.35 and < 2.0.64

httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply

CVE

Low 2.1

2005-05-10< 2.0.53

security flaw

CVE

Low 1.2

2011-11-08≤ 2.0.64

httpd: SetEnvIf resource exhaustion

CVE

N/A

2005-08-22< 2.0.55

CVE

N/A

2009-08-06< 2.0.64

CVE