Total
5267 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-29133 | 2 Apache, Fedoraproject | 2 Commons Configuration, Fedora | 2025-05-01 | N/A | 5.4 MEDIUM |
| Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. | |||||
| CVE-2020-11993 | 7 Apache, Canonical, Debian and 4 more | 13 Http Server, Ubuntu Linux, Debian Linux and 10 more | 2025-05-01 | 4.3 MEDIUM | 7.5 HIGH |
| Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. | |||||
| CVE-2021-33193 | 5 Apache, Debian, Fedoraproject and 2 more | 6 Http Server, Debian Linux, Fedora and 3 more | 2025-05-01 | 5.0 MEDIUM | 7.5 HIGH |
| A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48. | |||||
| CVE-2021-36160 | 6 Apache, Broadcom, Debian and 3 more | 13 Http Server, Brocade Fabric Operating System Firmware, Debian Linux and 10 more | 2025-05-01 | 5.0 MEDIUM | 7.5 HIGH |
| A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). | |||||
| CVE-2021-39275 | 6 Apache, Debian, Fedoraproject and 3 more | 11 Http Server, Debian Linux, Fedora and 8 more | 2025-05-01 | 7.5 HIGH | 9.8 CRITICAL |
| ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. | |||||
| CVE-2021-44790 | 7 Apache, Apple, Debian and 4 more | 14 Http Server, Mac Os X, Macos and 11 more | 2025-05-01 | 7.5 HIGH | 9.8 CRITICAL |
| A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. | |||||
| CVE-2022-23943 | 4 Apache, Debian, Fedoraproject and 1 more | 5 Http Server, Debian Linux, Fedora and 2 more | 2025-05-01 | 7.5 HIGH | 9.8 CRITICAL |
| Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. | |||||
| CVE-2022-26377 | 3 Apache, Fedoraproject, Netapp | 3 Http Server, Fedora, Clustered Data Ontap | 2025-05-01 | 5.0 MEDIUM | 7.5 HIGH |
| Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions. | |||||
| CVE-2022-28615 | 3 Apache, Fedoraproject, Netapp | 3 Http Server, Fedora, Clustered Data Ontap | 2025-05-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. | |||||
| CVE-2022-30556 | 3 Apache, Fedoraproject, Netapp | 3 Http Server, Fedora, Clustered Data Ontap | 2025-05-01 | 5.0 MEDIUM | 7.5 HIGH |
| Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. | |||||
| CVE-2022-31813 | 3 Apache, Fedoraproject, Netapp | 3 Http Server, Fedora, Clustered Data Ontap | 2025-05-01 | 7.5 HIGH | 9.8 CRITICAL |
| Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. | |||||
| CVE-2022-45062 | 3 Debian, Fedoraproject, Xfce | 3 Debian Linux, Fedora, Xfce4-settings | 2025-05-01 | N/A | 9.8 CRITICAL |
| In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper. | |||||
| CVE-2022-45061 | 3 Fedoraproject, Netapp, Python | 10 Fedora, Active Iq Unified Manager, Bootstrap Os and 7 more | 2025-05-01 | N/A | 7.5 HIGH |
| An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. | |||||
| CVE-2022-45060 | 4 Debian, Fedoraproject, Varnish-software and 1 more | 5 Debian Linux, Fedora, Varnish Cache and 2 more | 2025-05-01 | N/A | 7.5 HIGH |
| An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected. | |||||
| CVE-2022-45059 | 2 Fedoraproject, Varnish Cache Project | 2 Fedora, Varnish Cache | 2025-05-01 | N/A | 7.5 HIGH |
| An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. | |||||
| CVE-2022-37290 | 2 Fedoraproject, Gnome | 2 Fedora, Nautilus | 2025-05-01 | N/A | 5.5 MEDIUM |
| GNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive. | |||||
| CVE-2023-5218 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-04-30 | N/A | 8.8 HIGH |
| Use after free in Site Isolation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | |||||
| CVE-2023-4813 | 4 Fedoraproject, Gnu, Netapp and 1 more | 21 Fedora, Glibc, Active Iq Unified Manager and 18 more | 2025-04-30 | N/A | 5.9 MEDIUM |
| A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. | |||||
| CVE-2023-4806 | 3 Fedoraproject, Gnu, Redhat | 22 Fedora, Glibc, Codeready Linux Builder Eus and 19 more | 2025-04-30 | N/A | 5.9 MEDIUM |
| A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags. | |||||
| CVE-2023-5482 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-04-30 | N/A | 8.8 HIGH |
| Insufficient data validation in USB in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | |||||