csaf_opensuse - opensuse-su-2025:15360-1

opensuse-su-2025:15360-1

Vulnerability from csaf_opensuse

Published

2025-07-20 00:00

Modified

2025-07-20 00:00

Summary

apache2-2.4.64-1.1 on GA media

Notes

Title of the patch

apache2-2.4.64-1.1 on GA media

Description of the patch

These are all security issues fixed in the apache2-2.4.64-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15360

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "apache2-2.4.64-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the apache2-2.4.64-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15360",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15360-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-42516 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-42516/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-43204 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-43204/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-43394 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-43394/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47252 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47252/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-23048 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-23048/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-49630 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-49630/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-49812 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-49812/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-53020 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-53020/"
      }
    ],
    "title": "apache2-2.4.64-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-07-20T00:00:00Z",
      "generator": {
        "date": "2025-07-20T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15360-1",
      "initial_release_date": "2025-07-20T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-07-20T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-2.4.64-1.1.aarch64",
                "product": {
                  "name": "apache2-2.4.64-1.1.aarch64",
                  "product_id": "apache2-2.4.64-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-2.4.64-1.1.ppc64le",
                "product": {
                  "name": "apache2-2.4.64-1.1.ppc64le",
                  "product_id": "apache2-2.4.64-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-2.4.64-1.1.s390x",
                "product": {
                  "name": "apache2-2.4.64-1.1.s390x",
                  "product_id": "apache2-2.4.64-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-2.4.64-1.1.x86_64",
                "product": {
                  "name": "apache2-2.4.64-1.1.x86_64",
                  "product_id": "apache2-2.4.64-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-2.4.64-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64"
        },
        "product_reference": "apache2-2.4.64-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-2.4.64-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le"
        },
        "product_reference": "apache2-2.4.64-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-2.4.64-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x"
        },
        "product_reference": "apache2-2.4.64-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-2.4.64-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        },
        "product_reference": "apache2-2.4.64-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-42516",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-42516"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response.\n\nThis vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-42516",
          "url": "https://www.suse.com/security/cve/CVE-2024-42516"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1227268 for CVE-2024-42516",
          "url": "https://bugzilla.suse.com/1227268"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246477 for CVE-2024-42516",
          "url": "https://bugzilla.suse.com/1246477"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-42516"
    },
    {
      "cve": "CVE-2024-43204",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-43204"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.   Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.\n\nUsers are recommended to upgrade to version 2.4.64 which fixes this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-43204",
          "url": "https://www.suse.com/security/cve/CVE-2024-43204"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246305 for CVE-2024-43204",
          "url": "https://bugzilla.suse.com/1246305"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-43204"
    },
    {
      "cve": "CVE-2024-43394",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-43394"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Server-Side Request Forgery (SSRF)  in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  \nmod_rewrite or apache expressions that pass unvalidated request input.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.\n\nNote:   The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. \n\nThe server offers limited protection against administrators directing the server to open UNC paths.\nWindows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-43394",
          "url": "https://www.suse.com/security/cve/CVE-2024-43394"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246304 for CVE-2024-43394",
          "url": "https://bugzilla.suse.com/1246304"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-43394"
    },
    {
      "cve": "CVE-2024-47252",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47252"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.\n\nIn a logging configuration where CustomLog is used with \"%{varname}x\" or \"%{varname}c\" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47252",
          "url": "https://www.suse.com/security/cve/CVE-2024-47252"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246303 for CVE-2024-47252",
          "url": "https://bugzilla.suse.com/1246303"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47252"
    },
    {
      "cve": "CVE-2025-23048",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-23048"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.\n\nConfigurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-23048",
          "url": "https://www.suse.com/security/cve/CVE-2025-23048"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246302 for CVE-2025-23048",
          "url": "https://bugzilla.suse.com/1246302"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-20T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-23048"
    },
    {
      "cve": "CVE-2025-49630",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-49630"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In certain proxy configurations, a denial of service attack against  Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.\n\nConfigurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to \"on\".",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-49630",
          "url": "https://www.suse.com/security/cve/CVE-2025-49630"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246307 for CVE-2025-49630",
          "url": "https://bugzilla.suse.com/1246307"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-20T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-49630"
    },
    {
      "cve": "CVE-2025-49812",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-49812"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-49812",
          "url": "https://www.suse.com/security/cve/CVE-2025-49812"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246161 for CVE-2025-49812",
          "url": "https://bugzilla.suse.com/1246161"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-20T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-49812"
    },
    {
      "cve": "CVE-2025-53020",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-53020"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
          "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-53020",
          "url": "https://www.suse.com/security/cve/CVE-2025-53020"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246306 for CVE-2025-53020",
          "url": "https://bugzilla.suse.com/1246306"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.aarch64",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.ppc64le",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.s390x",
            "openSUSE Tumbleweed:apache2-2.4.64-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-53020"
    }
  ]
}

CVE-2025-23048 (GCVE-0-2025-23048)

Vulnerability from cvelistv5

Published

2025-07-10 16:56

Modified

2025-07-15 19:56

Severity ?

CWE

CWE-284 - Improper Access Control

Summary

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

References

►

URL

Tags

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 2.4.35 ≤ 2.4.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23048",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:06:16.003018Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:26.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "2.4.35",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, and Juraj Somorovsky at Paderborn University"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.\u003cbr\u003e\u003cbr\u003eConfigurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.\n\nConfigurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:56:53.545Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-11-25T15:01:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server: mod_ssl access control bypass with session resumption",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-23048",
    "datePublished": "2025-07-10T16:56:53.545Z",
    "dateReserved": "2025-01-10T15:11:45.480Z",
    "dateUpdated": "2025-07-15T19:56:26.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47252 (GCVE-0-2024-47252)

Vulnerability from cvelistv5

Published

2025-07-10 16:55

Modified

2025-07-15 19:56

Severity ?

CWE

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

Summary

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

References

►

URL

Tags

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 2.4 ≤ 2.4.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-47252",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:06:33.872531Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:38.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "2.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "John Runyon"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.\u003cbr\u003e\u003cbr\u003eIn a logging configuration where CustomLog is used with \"%{varname}x\" or \"%{varname}c\" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.\n\nIn a logging configuration where CustomLog is used with \"%{varname}x\" or \"%{varname}c\" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:55:20.013Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-09-18T15:26:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server: mod_ssl error log variable escaping",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-47252",
    "datePublished": "2025-07-10T16:55:20.013Z",
    "dateReserved": "2024-09-23T15:25:33.808Z",
    "dateUpdated": "2025-07-15T19:56:38.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43394 (GCVE-0-2024-43394)

Vulnerability from cvelistv5

Published

2025-07-10 16:56

Modified

2025-07-15 19:56

Severity ?

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.

References

►

URL

Tags

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 2.4.0 ≤ 2.4.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-43394",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:06:25.292340Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:32.755Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kainan Zhang (@4xpl0r3r) from Fortinet"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eServer-Side Request Forgery (SSRF)\u0026nbsp;in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via\u0026nbsp;\u003cbr\u003emod_rewrite or apache expressions that pass unvalidated request input.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.\u003c/p\u003eNote: \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. \u003cbr\u003e\u003cbr\u003eThe server offers limited protection against administrators directing the server to open UNC paths.\u003cbr\u003e\u003c/span\u003eWindows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.\u003cbr\u003e"
            }
          ],
          "value": "Server-Side Request Forgery (SSRF)\u00a0in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via\u00a0\nmod_rewrite or apache expressions that pass unvalidated request input.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.\n\nNote: \u00a0The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. \n\nThe server offers limited protection against administrators directing the server to open UNC paths.\nWindows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:56:07.720Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-08-10T00:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server: SSRF on Windows due to UNC paths",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-43394",
    "datePublished": "2025-07-10T16:56:07.720Z",
    "dateReserved": "2024-08-12T14:02:35.969Z",
    "dateUpdated": "2025-07-15T19:56:32.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49812 (GCVE-0-2025-49812)

Vulnerability from cvelistv5

Published

2025-07-10 16:58

Modified

2025-07-15 19:56

Severity ?

CWE

CWE-287 - Improper Authentication

Summary

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

References

►

URL

Tags

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 0 ≤ 2.4.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-49812",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:05:54.218961Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:14.709Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Merget (Technology Innovation Institute)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Nurullah Erinola (Ruhr University Bochum)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marcel Maehren (Ruhr University Bochum)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Knittel (Ruhr University Bochum)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sven Hebrok (Paderborn University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marcus Brinkmann (Ruhr University Bochum)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Juraj Somorovsky (Paderborn University)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "J\u00f6rg Schwenk (Ruhr University Bochum)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\u003cbr\u003e\u003cbr\u003eOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."
            }
          ],
          "value": "In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:58:23.943Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-22T07:26:00.000Z",
          "value": "Report received"
        },
        {
          "lang": "en",
          "time": "2025-07-07T00:00:00.000Z",
          "value": "2.4.x revision 1927045"
        }
      ],
      "title": "Apache HTTP Server: mod_ssl TLS upgrade attack",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-49812",
    "datePublished": "2025-07-10T16:58:23.943Z",
    "dateReserved": "2025-06-11T09:36:54.723Z",
    "dateUpdated": "2025-07-15T19:56:14.709Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43204 (GCVE-0-2024-43204)

Vulnerability from cvelistv5

Published

2025-07-10 16:54

Modified

2025-07-15 19:56

Severity ?

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

References

►

URL

Tags

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 2.4.0 ≤ 2.4.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-43204",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:06:58.631485Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:45.283Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.\u0026nbsp; Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 2.4.64 which fixes this issue."
            }
          ],
          "value": "SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.\u00a0 Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.\n\nUsers are recommended to upgrade to version 2.4.64 which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:54:15.759Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-08-07T09:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server: SSRF with mod_headers setting Content-Type header",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-43204",
    "datePublished": "2025-07-10T16:54:15.759Z",
    "dateReserved": "2024-08-08T15:13:29.047Z",
    "dateUpdated": "2025-07-15T19:56:45.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49630 (GCVE-0-2025-49630)

Vulnerability from cvelistv5

Published

2025-07-10 16:57

Modified

2025-07-15 19:56

Severity ?

CWE

CWE-617 - Reachable Assertion

Summary

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

References

►

URL

Tags

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 2.4.26 ≤ 2.4.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-49630",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:06:07.523613Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:20.614Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "2.4.26",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthony CORSIEZ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In certain proxy configurations, a denial of service attack against\u0026nbsp;Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.\u003cbr\u003e\u003cbr\u003eConfigurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to \"on\".\u003cbr\u003e"
            }
          ],
          "value": "In certain proxy configurations, a denial of service attack against\u00a0Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.\n\nConfigurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to \"on\"."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-617",
              "description": "CWE-617 Reachable Assertion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:57:40.117Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-04T14:20:00.000Z",
          "value": "Report received"
        }
      ],
      "title": "Apache HTTP Server: mod_proxy_http2 denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-49630",
    "datePublished": "2025-07-10T16:57:40.117Z",
    "dateReserved": "2025-06-08T19:44:51.747Z",
    "dateUpdated": "2025-07-15T19:56:20.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53020 (GCVE-0-2025-53020)

Vulnerability from cvelistv5

Published

2025-07-10 16:59

Modified

2025-07-15 19:56

Severity ?

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Summary

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.

References

►

URL

Tags

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 2.4.17 ≤ 2.4.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-53020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:05:41.419033Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:07.763Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "2.4.17",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gal Bar Nahum"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLate Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.4.64, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:59:06.340Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-18T09:19:00.000Z",
          "value": "reported"
        },
        {
          "lang": "en",
          "time": "2025-06-19T09:20:00.000Z",
          "value": "fix developed"
        },
        {
          "lang": "en",
          "time": "2025-07-07T00:00:00.000Z",
          "value": "2.4.x revision 1927046"
        }
      ],
      "title": "Apache HTTP Server: HTTP/2 DoS by Memory Increase",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-53020",
    "datePublished": "2025-07-10T16:59:06.340Z",
    "dateReserved": "2025-06-24T07:13:19.552Z",
    "dateUpdated": "2025-07-15T19:56:07.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-42516 (GCVE-0-2024-42516)

Vulnerability from cvelistv5

Published

2025-07-10 16:53

Modified

2025-07-15 19:56

Severity ?

CWE

CWE-20 - Improper Input Validation

Summary

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.

References

►

URL

Tags

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: 2.4.0 ≤ 2.4.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-42516",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:07:07.391732Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:51.797Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response.\u003cbr\u003e\u003cbr\u003eThis vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 2.4.64, which fixes this issue."
            }
          ],
          "value": "HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response.\n\nThis vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:53:13.201Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-07-18T12:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server: HTTP response splitting",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-42516",
    "datePublished": "2025-07-10T16:53:13.201Z",
    "dateReserved": "2024-08-03T18:37:28.141Z",
    "dateUpdated": "2025-07-15T19:56:51.797Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2025:15360-1

Vulnerability from csaf_opensuse

CVE-2025-23048 (GCVE-0-2025-23048)

Vulnerability from cvelistv5

CVE-2024-47252 (GCVE-0-2024-47252)

Vulnerability from cvelistv5

CVE-2024-43394 (GCVE-0-2024-43394)

Vulnerability from cvelistv5

CVE-2025-49812 (GCVE-0-2025-49812)

Vulnerability from cvelistv5

CVE-2024-43204 (GCVE-0-2024-43204)

Vulnerability from cvelistv5

CVE-2025-49630 (GCVE-0-2025-49630)

Vulnerability from cvelistv5

CVE-2025-53020 (GCVE-0-2025-53020)

Vulnerability from cvelistv5

CVE-2024-42516 (GCVE-0-2024-42516)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature