Apache HTTP Server 2.4.48 Released
June 01, 2021
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.48 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new
CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections
Severity: moderate
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.6 to 2.4.46
Description:
Apache HTTP Server 2.4.6 to 2.4.46
mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded
CVE-2020-13938: Improper Handling of Insufficient Privileges
Severity: moderate
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.0 to 2.4.47
Description:
Apache HTTP Server 2.4.0 to 2.4.47
Unprivileged local users can stop httpd on Windows
Mitigation:
n/a
Credit:
Disc
CVE-2020-13950: mod_proxy_http NULL pointer dereference
Severity: low
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.41 to 2.4.46
Description:
Apache HTTP Server 2.4.41 to 2.4.46
mod_proxy_http can be made to crash (NULL pointer dereference) with specially
crafted reques
CVE-2020-35452: mod_auth_digest possible stack overflow by one nul byte
Severity: low
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.0 to 2.4.46
Description:
Apache HTTP Server 2.4.0 to 2.4.46
A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest.
CVE-2021-26690: mod_session NULL pointer dereference
Severity: low
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.0 to 2.4.46
Description:
Apache HTTP Server 2.4.0 to 2.4.46
A specially crafted Cookie header handled by mod_session can cause a NULL
pointer dereference and
CVE-2021-30641: Unexpected URL matching with 'MergeSlashes OFF'
Severity: moderate
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.39 to 2.4.46
Description:
Apache HTTP Server 2.4.39 to 2.4.46
Unexpected matching behavior with 'MergeSlashes OFF'
Mitigation:
n/a
Credi
Mitigation:
None
Credit:
Discovered internally by Christophe Jaillet
References:
https://httpd.apache.org/security/vulnerabilities_24.html
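As an added illustration for the MergeSlashes entry above (not code from the announcement or from httpd itself), the following Python models the documented caveat for the directive: when consecutive slashes are preserved rather than merged, regular expressions that match the path component, such as LocationMatch patterns, must account for repeated slashes. The helper names, the two rules and the request paths are constructed for this example; it does not model httpd's internal request processing or the specifics of CVE-2021-30641.

```python
import re

# Added illustration, not httpd code: models the documented MergeSlashes
# caveat, not the server's request processing or the CVE's internals.

def merge_slashes(path: str) -> str:
    """Collapse runs of '/' in the path, as 'MergeSlashes On' does."""
    return re.sub(r"/{2,}", "/", path)

def location_match(pattern: str, path: str, merge: bool) -> bool:
    """Apply a LocationMatch-style regex to the path as the matcher sees it:
    merged when merge=True, exactly as received when merge=False."""
    seen = merge_slashes(path) if merge else path
    return re.search(pattern, seen) is not None

# Hypothetical rules. NAIVE_RULE assumes single slashes; ROBUST_RULE uses '/+'
# so it keeps matching when repeated slashes are preserved.
NAIVE_RULE = r"^/admin/"
ROBUST_RULE = r"^/+admin/+"

# Constructed request paths, including variants with repeated slashes.
CONSTRUCTED_PATHS = ["/admin/", "//admin/", "/admin//users", "/public/"]

def evaluate(pattern: str, merge: bool) -> dict:
    """Map each constructed path to whether the rule matched it."""
    return {p: location_match(pattern, p, merge) for p in CONSTRUCTED_PATHS}

def paths_missed_when_unmerged(pattern: str) -> list:
    """Paths the rule matches with merging on but not with merging off:
    the gap an operator must close by rewriting the pattern."""
    merged, raw = evaluate(pattern, True), evaluate(pattern, False)
    return [p for p in CONSTRUCTED_PATHS if merged[p] and not raw[p]]

if __name__ == "__main__":
    for name, rule in (("naive", NAIVE_RULE), ("robust", ROBUST_RULE)):
        print(name, "missed with MergeSlashes OFF:",
              paths_missed_when_unmerged(rule))
```

The practical point for an operator who sets MergeSlashes OFF: audit every path regex (LocationMatch, RewriteRule, and similar) and write slash runs as `/+` where a single slash was assumed, then re-test with requests containing doubled slashes.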
CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request
Severity: important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.47
Description:
Apache HTTP Server 2.4.47
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received
request h
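A small check a practitioner may want after reading the list above, added here and not part of the announcement or of httpd: given the first line of `httpd -v` output or a bare version string, report which of the advisories on this page list that upstream version as affected. The version ranges are copied from the entries above; the function names and the sample input are this example's own.

```python
import re

# Added example, not part of the Apache announcement or the httpd code base.
# (first_affected, last_affected, CVE) copied from the advisories above.
AFFECTED = [
    ("2.4.6",  "2.4.46", "CVE-2019-17567"),
    ("2.4.0",  "2.4.47", "CVE-2020-13938"),
    ("2.4.41", "2.4.46", "CVE-2020-13950"),
    ("2.4.0",  "2.4.46", "CVE-2020-35452"),
    ("2.4.0",  "2.4.46", "CVE-2021-26690"),
    ("2.4.39", "2.4.46", "CVE-2021-30641"),
    ("2.4.47", "2.4.47", "CVE-2021-31618"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from a bare version or an 'httpd -v' line
    such as 'Server version: Apache/2.4.46 (Unix)'. Raises ValueError if none."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def applicable_cves(text: str) -> list:
    """CVEs from this page whose affected range contains the given version.
    Comparison is on the upstream version number only; vendor backports are
    not visible here and must be checked against the vendor's changelog."""
    v = parse_version(text)
    hits = []
    for first, last, cve in AFFECTED:
        if parse_version(first) <= v <= parse_version(last):
            hits.append(cve)
    return hits

if __name__ == "__main__":
    # Constructed sample input resembling the first line of `httpd -v`.
    sample = "Server version: Apache/2.4.46 (Unix)"
    print(sample, "->", applicable_cves(sample))
```

The comparison is on the upstream version number only. Distributions that backport fixes keep an older version string, so an empty result is conclusive but a non-empty one should be confirmed against the package vendor's changelog before treating the host as unpatched.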