This page lists all security vulnerabilities fixed in released versions of Apache httpd 2.4. Each vulnerability is given a security impact rating by the Apache security team - please note that this rating may well vary from platform to platform. We also list the versions of Apache httpd the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.
Please note that if a vulnerability is shown below as being fixed in a "-dev" release then this means that a fix has been applied to the development source tree and will be part of an upcoming full release.
This page is created from a database of vulnerabilities originally populated by Apache Week. Please send comments or corrections for these vulnerabilities to the Security Team.
The initial GA release, Apache httpd 2.4.1, includes fixes for all vulnerabilities which have been resolved in Apache httpd 2.2.22 and all older releases. Consult the Apache httpd 2.2 vulnerabilities list for more information.
Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
Acknowledgements: This issue was reported by Niels Heinen of Google
A XSS flaw affected the mod_proxy_balancer manager interface.
Acknowledgements: This issue was reported by Niels Heinen of google
The modules mod_proxy_ajp and mod_proxy_http did not always close the connection to the back end server when necessary as part of error handling. This could lead to an information disclosure due to a response mixup between users.
Possible XSS for sites which use mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled.
Note: This issue is also known as CVE-2008-0455.
Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory.