Apache httpd 2.2 vulnerabilities
|
This page lists all security vulnerabilities fixed in released
versions of Apache httpd 2.2. Each vulnerability is given a security
impact rating by the Apache security team; please note that this
rating may well vary from platform to platform. We also list the
versions of Apache httpd the flaw is known to affect and, where a flaw
has not been verified, list the version with a question mark.
This page is created from a database of vulnerabilities originally
populated by Apache Week. Please send comments or corrections for
these vulnerabilities to the Security Team.
|
|
Fixed in Apache httpd 2.2.8
|
-
low:
mod_proxy_ftp UTF-7 XSS
CVE-2008-0005
A workaround was added in the mod_proxy_ftp module. On sites where
mod_proxy_ftp is enabled and a forward proxy is configured, a
cross-site scripting attack is possible against Web browsers which do
not correctly derive the response character set following the rules in
RFC 2616.
-
Update Released: 19th January 2008
-
Affects:
2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
-
low:
mod_proxy_balancer DoS
CVE-2007-6422
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer is enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module.
-
Update Released: 19th January 2008
-
Affects:
2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
-
low:
mod_proxy_balancer XSS
CVE-2007-6421
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer is enabled, a cross-site scripting attack against an
authorized user is possible.
-
Update Released: 19th January 2008
-
Affects:
2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
-
moderate:
mod_status XSS
CVE-2007-6388
A flaw was found in the mod_status module. On sites where mod_status is
enabled and the status pages are publicly accessible, a cross-site
scripting attack is possible.
Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
-
Update Released: 19th January 2008
-
Affects:
2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
-
moderate:
mod_imagemap XSS
CVE-2007-5000
A flaw was found in the mod_imagemap module. On sites where
mod_imagemap is enabled and an imagemap file is publicly available, a
cross-site scripting attack is possible.
-
Update Released: 19th January 2008
-
Affects:
2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0
|
|
Fixed in Apache httpd 2.2.6
|
-
moderate:
mod_proxy crash
CVE-2007-3847
A flaw was found in the Apache HTTP Server mod_proxy module. On sites where
a reverse proxy is configured, a remote attacker could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. On sites where a forward proxy is configured, an attacker
could cause a similar crash if a user could be persuaded to visit a
malicious site using the proxy. This could lead to a denial of service if
using a threaded Multi-Processing Module.
-
Update Released: 7th September 2007
-
Affects:
2.2.4, 2.2.3, 2.2.2, 2.2.0
-
moderate:
mod_status cross-site scripting
CVE-2006-5752
A flaw was found in the mod_status module. On sites where the
server-status page is publicly accessible and ExtendedStatus is
enabled, this could lead to a cross-site scripting attack.
Note that the server-status
page is not enabled by default and it is best practice to not make
this publicly available.
-
Update Released: 7th September 2007
-
Affects:
2.2.4, 2.2.3, 2.2.2, 2.2.0
-
moderate:
Signals to arbitrary processes
CVE-2007-3304
The Apache HTTP server did not verify that a process
was an Apache child process before sending it signals. A local
attacker with the ability to run scripts on the HTTP server could
manipulate the scoreboard and cause arbitrary processes to be
terminated, which could lead to a denial of service.
-
Update Released: 7th September 2007
-
Affects:
2.2.4, 2.2.3, 2.2.2, 2.2.0
-
moderate:
mod_cache information leak
CVE-2007-1862
The recall_headers function in mod_mem_cache in Apache 2.2.4 did not
properly copy all levels of header data. This can cause Apache to
return HTTP headers containing previously used data, which remote
attackers could use to obtain potentially sensitive information.
-
Update Released: 7th September 2007
-
Affects:
2.2.4
-
moderate:
mod_cache proxy DoS
CVE-2007-1863
A bug was found in the mod_cache module. On sites where
caching is enabled, a remote attacker could send a carefully crafted
request that would cause the Apache child process handling that request to
crash. This could lead to a denial of service if using a threaded
Multi-Processing Module.
-
Update Released: 7th September 2007
-
Affects:
2.2.4, 2.2.3, 2.2.2, 2.2.0
|
|
Fixed in Apache httpd 2.2.3
|
-
important:
mod_rewrite off-by-one error
CVE-2006-3747
An off-by-one flaw exists in the Rewrite module, mod_rewrite.
Depending on the manner in which Apache httpd was compiled, this
software defect may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration
files, could be triggered remotely. For vulnerable builds, the nature
of the vulnerability can be denial of service (crashing of web server
processes) or potentially allow arbitrary code execution.
-
Update Released: 27th July 2006
-
Affects:
2.2.2, 2.2.0
|
|
Fixed in Apache httpd 2.2.2
|
-
low:
mod_ssl access control DoS
CVE-2005-3357
A NULL pointer dereference flaw in mod_ssl was discovered affecting server
configurations where an SSL virtual host is configured with access control
and a custom 400 error document. A remote attacker could send a carefully
crafted request to trigger this issue, which would lead to a crash. This
crash would only be a denial of service if using the worker MPM.
-
Update Released: 1st May 2006
-
Affects:
2.2.0
-
moderate:
mod_imap Referer Cross-Site Scripting
CVE-2005-3352
A flaw was found in mod_imap when using the Referer directive with image maps.
In certain site configurations a remote attacker could perform a cross-site
scripting attack if a victim can be forced to visit a malicious
URL using certain web browsers.
-
Update Released: 1st May 2006
-
Affects:
2.2.0
|
|