This page lists all security vulnerabilities fixed in released versions of Apache httpd 2.2. Each vulnerability is given a security impact rating by the Apache security team - please note that this rating may well vary from platform to platform. We also list the versions of Apache httpd the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please note that if a vulnerability is shown below as being fixed in a "-dev" release then this means that a fix has been applied to the development source tree and will be part of an upcoming full release.

This page is created from a database of vulnerabilities originally populated by Apache Week. Please send comments or corrections for these vulnerabilities to the Security Team.

important: Timeout detection flaw (mod_proxy_http) CVE-2010-2068

An information disclosure flaw was found in mod_proxy_http in versions 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha. Under certain timeout conditions, the server could return a response intended for another user. Only Windows, Netware and OS2 operating systems are affected. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced. The simplest workaround is to globally configure;

SetEnv proxy-nokeepalive 1

Source code patches are at;

• http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
• http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch

Binary replacement modules are at

• http://www.apache.org/dist/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip

Acknowledgements: We would like to thank Loren Anderson for the detailed analysis and reporting of this issue.

Update Released: 25th July 2010

Affects: 2.3.5-alpha, 2.3.4-alpha, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9

low: mod_cache and mod_dav DoS CVE-2010-1452

A flaw was found in the handling of requests by mod_cache and mod_dav. A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used.

Acknowledgements: This issue was reported by Mark Drayton.

Update Released: 25th July 2010

Affects: 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

important: mod_isapi module unload flaw CVE-2010-0425

A flaw was found with within mod_isapi which would attempt to unload the ISAPI dll when it encountered various error states. This could leave the callbacks in an undefined state and result in a segfault. On Windows platforms using mod_isapi, a remote attacker could send a malicious request to trigger this issue, and as win32 MPM runs only one process, this would result in a denial of service, and potentially allow arbitrary code execution.

Acknowledgements: We would like to thank Brett Gervasoni of Sense of Security for reporting and proposing a patch fix for this issue.

Update Released: 5th March 2010

Affects: 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: Subrequest handling of request headers (mod_headers) CVE-2010-0434

A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in array to the subrequest, instead of a pointer to the parent request's array as it had for requests without request bodies. This meant all modules such as mod_headers which may manipulate the input headers for a subrequest would poison the parent request in two ways, one by modifying the parent request, which might not be intended, and second by leaving pointers to modified header fields in memory allocated to the subrequest scope, which could be freed before the main request processing was finished, resulting in a segfault or in revealing data from another request on threaded servers, such as the worker or winnt MPMs.

Acknowledgements: We would like to thank Philip Pickett of VMware for reporting and proposing a fix for this issue.

Update Released: 5th March 2010

Affects: 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_proxy_ajp DoS CVE-2010-0408

mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service.

Acknowledgements: We would like to thank Niku Toivola of Sulake Corporation for reporting and proposing a patch fix for this issue.

Update Released: 5th March 2010

Affects: 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: mod_proxy_ftp DoS CVE-2009-3094

A NULL pointer dereference flaw was found in the mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service.

Update Released: 5th October 2009

Affects: 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: mod_proxy_ftp FTP command injection CVE-2009-3095

A flaw was found in the mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server.

Update Released: 5th October 2009

Affects: 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: Solaris pollset DoS CVE-2009-2699

Faulty error handling was found affecting Solaris pollset support (Event Port backend) caused by a bug in APR. A remote attacker could trigger this issue on Solaris servers which used prefork or event MPMs, resulting in a denial of service.

Update Released: 5th October 2009

Affects: 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: APR apr_palloc heap overflow CVE-2009-2412

A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that try to apr_palloc() a user controlled size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so it could only be triggered through some other application which uses apr_palloc() in a vulnerable way.

Update Released: 9th August 2009

Affects: 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

important: mod_proxy reverse proxy DoS CVE-2009-1890

A denial of service flaw was found in the mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time.

Update Released: 27th July 2009

Affects: 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

important: mod_proxy_ajp information disclosure CVE-2009-1191

An information disclosure flaw was found in mod_proxy_ajp in version 2.2.11 only. In certain situations, if a user sent a carefully crafted HTTP request, the server could return a response intended for another user.

Update Released: 27th July 2009

Affects: 2.2.11

low: mod_deflate DoS CVE-2009-1891

A denial of service flaw was found in the mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file.

Update Released: 27th July 2009

Affects: 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: AllowOverride Options handling bypass CVE-2009-1195

A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended.

Update Released: 27th July 2009

Affects: 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: APR-util off-by-one overflow CVE-2009-1956

An off-by-one overflow flaw was found in the way the bundled copy of the APR-util library processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service.

Update Released: 72th  2009

Affects: 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: APR-util XML DoS CVE-2009-1955

A denial of service flaw was found in the bundled copy of the APR-util library Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine.

Update Released: 27th July 2009

Affects: 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: APR-util heap underwrite CVE-2009-0023

A heap-based underwrite flaw was found in the way the bundled copy of the APR-util library created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine.

Update Released: 27th July 2009

Affects: 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

important: Timeout detection flaw (mod_proxy_http) CVE-2010-2791

An information disclosure flaw was found in mod_proxy_http in version 2.2.9 only, on Unix platforms. Under certain timeout conditions, the server could return a response intended for another user. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced. The simplest workaround is to globally configure:

SetEnv proxy-nokeepalive 1

Update Released: 31st October 2008

Affects: 2.2.9

low: mod_proxy_ftp globbing XSS CVE-2008-2939

A flaw was found in the handling of wildcards in the path of a FTP URL with mod_proxy_ftp. If mod_proxy_ftp is enabled to support FTP-over-HTTP, requests containing globbing characters could lead to cross-site scripting (XSS) attacks.

Update Released: 31st October 2008

Affects: 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: mod_proxy_balancer CSRF CVE-2007-6420

The mod_proxy_balancer provided an administrative interface that could be vulnerable to cross-site request forgery (CSRF) attacks.

Update Released: 14th June 2008

Affects: 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_proxy_http DoS CVE-2008-2364

A flaw was found in the handling of excessive interim responses from an origin server when using mod_proxy_http. A remote attacker could cause a denial of service or high memory usage.

Update Released: 14th June 2008

Affects: 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: mod_proxy_ftp UTF-7 XSS CVE-2008-0005

A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616.

Update Released: 19th January 2008

Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: mod_proxy_balancer DoS CVE-2007-6422

A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.

Update Released: 19th January 2008

Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

low: mod_proxy_balancer XSS CVE-2007-6421

A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack against an authorized user is possible.

Update Released: 19th January 2008

Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_status XSS CVE-2007-6388

A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.

Update Released: 19th January 2008

Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_imagemap XSS CVE-2007-5000

A flaw was found in the mod_imagemap module. On sites where mod_imagemap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.

Update Released: 19th January 2008

Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_proxy crash CVE-2007-3847

A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module.

Update Released: 7th September 2007

Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_status cross-site scripting CVE-2006-5752

A flaw was found in the mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled this could lead to a cross-site scripting attack. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.

Update Released: 7th September 2007

Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: Signals to arbitrary processes CVE-2007-3304

The Apache HTTP server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the HTTP server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service.

Update Released: 7th September 2007

Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_cache information leak CVE-2007-1862

The recall_headers function in mod_mem_cache in Apache 2.2.4 did not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information.

Update Released: 7th September 2007

Affects: 2.2.4

moderate: mod_cache proxy DoS CVE-2007-1863

A bug was found in the mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.

Update Released: 7th September 2007

Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0

important: mod_rewrite off-by-one error CVE-2006-3747

An off-by-one flaw exists in the Rewrite module, mod_rewrite. Depending on the manner in which Apache httpd was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution.

Update Released: 27th July 2006

Affects: 2.2.2, 2.2.0

low: mod_ssl access control DoS CVE-2005-3357

A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the worker MPM.

Update Released: 1st May 2006

Affects: 2.2.0

moderate: mod_imap Referer Cross-Site Scripting CVE-2005-3352

A flaw in mod_imap when using the Referer directive with image maps. In certain site configurations a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers.

Update Released: 1st May 2006

Affects: 2.2.0