Critical Apache HTTP Server Vulnerabilities Expose Millions of Websites to Cyber Attack

by Esmeralda McKenzie

The Apache Software Foundation has disclosed several severe vulnerabilities in the Apache HTTP Server, which could potentially expose millions of websites to cyber attacks.

These vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) numbers, affect various versions of the Apache HTTP Server and could lead to severe consequences such as source code disclosure, server-side request forgery (SSRF), and denial of service (DoS).

Detailed Vulnerabilities

Source Code Disclosure with Handlers Configured via AddType (CVE-2024-40725)

A partial fix for CVE-2024-39884 in Apache HTTP Server 2.4.61 ignored some uses of legacy content-type-based handler configurations.

Under certain conditions, configurations like “AddType” can lead to disclosing local source code when files are requested indirectly. For example, PHP scripts may be served as plain text instead of being interpreted.

SSRF with mod_rewrite on Windows (CVE-2024-40898)

A Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows, using mod_rewrite in server/vhost context, could potentially leak NTLM hashes to a malicious server via SSRF and crafted requests.

Source Code Disclosure with Handlers Configured via AddType (CVE-2024-39884)

A regression in Apache HTTP Server 2.4.60 ignored some uses of legacy content-type-based handler configurations. This could lead to disclosing local source code when files are requested indirectly.

DoS by Null Pointer in WebSocket over HTTP/2 (CVE-2024-36387)

Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a null pointer dereference, causing a server crash and performance degradation.

UNC SSRF on Windows (CVE-2024-38472)

A Server-Side Request Forgery (SSRF) vulnerability in the Apache HTTP Server on Windows could potentially leak NTLM hashes to a malicious server via SSRF and crafted requests or content.

Proxy Encoding Problem (CVE-2024-38473)

An encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows incorrectly encoded request URLs to be sent to backend services, potentially bypassing authentication via crafted requests.

Weakness with Encoded Question Marks in Backreferences (CVE-2024-38474)

A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attackers to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or disclose the source of scripts meant to be executed as CGI.

Weakness in mod_rewrite with File System Path (CVE-2024-38475)

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations permitted to be served by the server but not intentionally/directly reachable by any URL, leading to code execution or source code disclosure.

Exploitable/Malicious Backend Application Output (CVE-2024-38476)

A vulnerability in the core of Apache HTTP Server 2.4.59 and earlier allows information disclosure, SSRF, or local script execution via backend applications with malicious or exploitable response headers.

Crash Leading to DoS in mod_proxy (CVE-2024-38477)

A null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.

mod_rewrite Proxy Handler Substitution (CVE-2024-39573)

A potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy.

HTTP Response Splitting (CVE-2023-38709)

Faulty input validation in the core of the Apache HTTP Server allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects the Apache HTTP Server through version 2.4.58.

HTTP Response Splitting in Multiple Modules (CVE-2024-24795)

HTTP response splitting in multiple modules in Apache HTTP Server allows attackers to inject malicious response headers into backend applications, potentially causing an HTTP desynchronization attack.

HTTP/2 DoS by Memory Exhaustion on Endless Continuation Frames (CVE-2024-27316)

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 to generate an informative HTTP 413 response. If a client continues sending headers, this can lead to memory exhaustion.

mod_macro Buffer Over-read (CVE-2023-31122)

An out-of-bounds read vulnerability in mod_macro of Apache HTTP Server affects versions through 2.4.57.

DoS in HTTP/2 with Initial Window Size 0 (CVE-2023-43622)

An attacker opening an HTTP/2 connection with an initial window size of 0 can block the handling of that connection indefinitely, similar to the “slow loris” attack pattern.

HTTP/2 Stream Memory Not Reclaimed Right Away on RST (CVE-2023-45802)

When a client resets an HTTP/2 stream, the request’s memory resources are not immediately reclaimed, leading to potential memory exhaustion.

HTTP Request Splitting with mod_rewrite and mod_proxy (CVE-2023-25690)

Certain mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack, potentially bypassing access controls and causing cache poisoning.

mod_proxy_uwsgi HTTP Response Splitting (CVE-2023-27522)

A vulnerability in the Apache HTTP Server via mod_proxy_uwsgi allows special characters in the origin response header to truncate/split the response forwarded to the client.

mod_dav Out of Bounds Read or Write of Zero Byte (CVE-2006-20001)

A carefully crafted If: request header can cause a memory read or write of a single zero byte in a pool (heap) memory location beyond the header value sent, potentially causing a process crash.

mod_proxy_ajp Possible Request Smuggling (CVE-2022-36760)

An HTTP Request Smuggling vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.

mod_proxy Before 2.4.55 Allows Backend to Trigger HTTP Response Splitting (CVE-2022-37436)

A malicious backend can cause response headers to be truncated early, resulting in some headers being incorporated into the response body.

mod_proxy_ajp Possible Request Smuggling (CVE-2022-26377)

An HTTP Request Smuggling vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.

Read Beyond Bounds in mod_isapi (CVE-2022-28330)

Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.

Read Beyond Bounds via ap_rwrite() (CVE-2022-28614)

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs().

Read Beyond Bounds in ap_strcmp_match() (CVE-2022-28615)

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer.

Denial of Service in mod_lua r:parsebody (CVE-2022-29404)

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

mod_sed Denial of Service (CVE-2022-30522)

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may allocate excessive memory and trigger an abort.

Fixed in Apache HTTP Server 2.4.41

mod_http2, DoS Attack by Exhausting h2 Workers (CVE-2019-9517)

A malicious client could perform a DoS attack by flooding a connection with requests and never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections.

mod_http2, Memory Corruption on Early Pushes (CVE-2019-10081)

HTTP/2 very early pushes, configured with “H2PushResource”, could lead to an overwrite of memory in the pushing request’s pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.

mod_http2, Read-After-Free in h2 Connection Shutdown (CVE-2019-10082)

Using fuzzed network input, the HTTP/2 session handling could be made to read memory after being freed during connection shutdown.

Limited Cross-Site Scripting in mod_proxy Error Page (CVE-2019-10092)

A limited cross-site scripting issue was reported, affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice.

This would only be exploitable if a server was set up with proxying enabled but misconfigured in such a way that the Proxy Error page was displayed.

mod_remoteip: Stack Buffer Overflow and NULL Pointer Dereference (CVE-2019-10097)

When mod_remoteip was configured to use a trusted intermediary proxy server using the “PROXY” protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy, not by untrusted HTTP clients.

mod_rewrite Potential Open Redirect (CVE-2019-10098)

Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

Fixed in Apache HTTP Server 2.4.39

mod_http2, Read-After-Free on a String Compare (CVE-2019-0196)

Using fuzzed network input, the HTTP/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.

mod_http2, Possible Crash on Late Upgrade (CVE-2019-0197)

When HTTP/2 was enabled for an HTTP host or H2Upgrade was enabled for h2 on an HTTPS host, an Upgrade request from HTTP/1.1 to HTTP/2 that was not the first request on a connection could lead to a misconfiguration and crash.

A server that never enabled the h2 protocol or that only enabled it for HTTPS and did not configure “H2Upgrade on” is unaffected by this.

Apache HTTP Server Privilege Escalation from Modules’ Scripts (CVE-2019-0211)

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker, or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could manipulate the scoreboard to execute arbitrary code with the privileges of the parent process (usually root). Non-Unix systems are not affected.

mod_ssl Access Control Bypass (CVE-2019-0215)

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.

mod_auth_digest Access Control Bypass (CVE-2019-0217)

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Apache httpd URL Normalization Inconsistency (CVE-2019-0220)

When the path component of a request URL contains multiple consecutive slashes (‘/’), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server’s processing will implicitly collapse them.
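The mismatch described above, modelled in Python as an added example (not code from the article or from Apache httpd): an access rule written as a regular expression is tested against the raw path, while the resource is resolved from the slash-merged path. The rule patterns, sample paths and function names are constructed for illustration.

```python
import re

# Constructed access rules, written the way a LocationMatch-style regex might be.
NAIVE_RULE = re.compile(r"^/admin(/|$)")        # assumes exactly one slash
TOLERANT_RULE = re.compile(r"^/+admin(/+|$)")   # accounts for duplicate slashes

# Constructed sample request paths.
SAMPLE_PATHS = ["/admin/", "//admin/", "/admin//users", "/public//admin", "/index.html"]


def merge_slashes(path: str) -> str:
    """Collapse runs of '/' the way later request processing implicitly does."""
    return re.sub(r"/{2,}", "/", path)


def rule_applies(rule: re.Pattern, path: str, normalize_first: bool) -> bool:
    """Return True if the regex rule would be applied to this request path."""
    candidate = merge_slashes(path) if normalize_first else path
    return rule.search(candidate) is not None


def audit(rule: re.Pattern, paths):
    """List paths that resolve into the protected area but do not match the
    rule when it is evaluated against the raw, un-merged path."""
    findings = []
    for raw in paths:
        resolves_to_protected = NAIVE_RULE.search(merge_slashes(raw)) is not None
        if resolves_to_protected and not rule_applies(rule, raw, normalize_first=False):
            findings.append(raw)
    return findings


if __name__ == "__main__":
    print("naive rule misses:   ", audit(NAIVE_RULE, SAMPLE_PATHS))
    print("tolerant rule misses:", audit(TOLERANT_RULE, SAMPLE_PATHS))
```

Running the audit over the patterns in a real configuration, with paths taken from access logs, shows which regex rules depend on the single-slash assumption.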

Fixed in Apache HTTP Server 2.4.38

DoS for HTTP/2 Connections via Slow Request Bodies (CVE-2018-17189)

By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

mod_session_cookie Does Not Respect Expiry Time (CVE-2018-17199)

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session.

This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
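The ordering problem described above, as a simplified Python model added here for illustration (it is not mod_session's code): the same expired cookie is loaded once with the expiry check before decoding and once with the check after decoding. The JSON cookie format, field names and function names are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

NOW = 1_700_000_000  # constructed "current time" in epoch seconds

# Constructed cookies: one expired an hour ago, one valid for another hour.
STALE_COOKIE = json.dumps({"user": "alice", "expiry": NOW - 3600})
FRESH_COOKIE = json.dumps({"user": "alice", "expiry": NOW + 3600})


@dataclass
class Session:
    encoded: str                 # raw cookie value as received
    expiry: float = 0.0          # 0 means "no expiry loaded yet"
    entries: dict = field(default_factory=dict)


def decode(session: Session) -> None:
    """Load entries and the expiry time out of the encoded cookie."""
    data = json.loads(session.encoded)
    session.expiry = float(data.pop("expiry", 0))
    session.entries = data


def is_expired(session: Session, now: float) -> bool:
    """A session with no expiry loaded is treated as not expired."""
    return session.expiry != 0 and session.expiry < now


def load_check_then_decode(cookie: str, now: float) -> Optional[Session]:
    """Order described in the advisory: expiry is tested before it is loaded."""
    session = Session(encoded=cookie)
    if is_expired(session, now):   # expiry is still 0 here, so this never fires
        return None
    decode(session)                # the expiry only becomes known at this point
    return session


def load_decode_then_check(cookie: str, now: float) -> Optional[Session]:
    """Corrected order: decode first, then enforce the loaded expiry."""
    session = Session(encoded=cookie)
    decode(session)
    if is_expired(session, now):
        return None
    return session


if __name__ == "__main__":
    for name, loader in (("check-then-decode", load_check_then_decode),
                         ("decode-then-check", load_decode_then_check)):
        accepted = loader(STALE_COOKIE, NOW) is not None
        print(f"{name}: expired cookie accepted = {accepted}")
```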

mod_ssl 2.4.37 Remote DoS When Used with OpenSSL 1.1.1 (CVE-2019-0190)

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop, leading to a denial of service.

This bug can only be triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to the handling of renegotiation attempts.

Fixed in Apache HTTP Server 2.4.35

DoS for HTTP/2 Connections by Continuous SETTINGS (CVE-2018-11763)

By sending continuous SETTINGS frames of maximum size, an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affects a server that has enabled the h2 protocol.

Source credit : cybersecuritynews.com