the resulting site build has cost problems on the vuln page, looking into it.

On Thu, Jul 10, 2025 at 7:57 AM <cove...@apache.org> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> covener pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/httpd-site.git
>
>
> The following commit(s) were added to refs/heads/main by this push:
>      new 85be1ee  publishing release httpd-2.4.64
> 85be1ee is described below
>
> commit 85be1eee518146ba1ee948cb81d17d42047de779
> Author: Eric Covener <ecove...@us.ibm.com>
> AuthorDate: Thu Jul 10 07:57:06 2025 -0400
>
>     publishing release httpd-2.4.64
> ---
>  content/doap.rdf                          |   4 +-
>  content/download.md                       |  24 +++---
>  content/index.md                          |   6 +-
>  content/security/json/CVE-2024-42516.json |  94 ++++++++++++++++++++++
>  content/security/json/CVE-2024-43204.json |  86 ++++++++++++++++++++
>  content/security/json/CVE-2024-43394.json |  93 ++++++++++++++++++++++
>  content/security/json/CVE-2024-47252.json | 101 +++++++++++++++++++++++
>  content/security/json/CVE-2025-23048.json | 101 +++++++++++++++++++++++
>  content/security/json/CVE-2025-49630.json |  93 ++++++++++++++++++++++
>  content/security/json/CVE-2025-49812.json | 128 ++++++++++++++++++++++++++++++
>  content/security/json/CVE-2025-53020.json |  98 +++++++++++++++++++++++
>  11 files changed, 811 insertions(+), 17 deletions(-)
>
> diff --git a/content/doap.rdf b/content/doap.rdf
> index f87ea37..2971426 100644
> --- a/content/doap.rdf
> +++ b/content/doap.rdf
> @@ -38,8 +38,8 @@
>      <release>
>        <Version>
>          <name>Recommended current 2.4 release</name>
> -        <created>2025-01-23</created>
> -        <revision>2.4.63</revision>
> +        <created>2025-07-10</created>
> +        <revision>2.4.64</revision>
>        </Version>
>      </release>
>
> diff --git a/content/download.md b/content/download.md
> index 6275319..220801f 100644
> --- a/content/download.md
> +++ b/content/download.md
> @@ -19,16 +19,16 @@ Apache httpd for Microsoft Windows is available from
>
>  Stable Release - Latest Version:
>
> --  [2.4.63](#apache24) (released 2025-01-23)
> +-  [2.4.64](#apache24) (released 2025-07-10)
>
>  If you are downloading the Win32 distribution, please read these [important
>  notes]([preferred]httpd/binaries/win32/README.html).
>
> -# Apache HTTP Server 2.4.63 (httpd): 2.4.63 is the latest available version 
> <span>2025-01-23</span>  {#apache24}
> +# Apache HTTP Server 2.4.64 (httpd): 2.4.64 is the latest available version 
> <span>2025-07-10</span>  {#apache24}
>
>  The Apache HTTP Server Project is pleased to
>  [announce](//downloads.apache.org/httpd/Announcement2.4.txt) the
> -release of version 2.4.63 of the Apache HTTP Server ("Apache" and "httpd").
> +release of version 2.4.64 of the Apache HTTP Server ("Apache" and "httpd").
>  This version of Apache is our latest GA release of the new generation 2.4.x
>  branch of Apache HTTPD and represents fifteen years of innovation by the
>  project, and is recommended over all previous releases!
> @@ -36,17 +36,17 @@ project, and is recommended over all previous releases!
>  For details, see the [Official
>  Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and
>  the [CHANGES_2.4]([preferred]httpd/CHANGES_2.4) and
> -[CHANGES_2.4.63]([preferred]httpd/CHANGES_2.4.63) lists.
> +[CHANGES_2.4.64]([preferred]httpd/CHANGES_2.4.64) lists.
>
> -- Source: [httpd-2.4.63.tar.bz2]([preferred]httpd/httpd-2.4.63.tar.bz2)
> -[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.asc) ] [
> -[SHA256](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.sha256) ] [
> -[SHA512](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.sha512) ]
> +- Source: [httpd-2.4.64.tar.bz2]([preferred]httpd/httpd-2.4.64.tar.bz2)
> +[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.asc) ] [
> +[SHA256](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.sha256) ] [
> +[SHA512](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.sha512) ]
>
> -- Source: [httpd-2.4.63.tar.gz]([preferred]httpd/httpd-2.4.63.tar.gz) [
> -[PGP](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.asc) ] [
> -[SHA256](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.sha256) ] [
> -[SHA512](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.sha512) ]
> +- Source: [httpd-2.4.64.tar.gz]([preferred]httpd/httpd-2.4.64.tar.gz) [
> +[PGP](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.asc) ] [
> +[SHA256](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.sha256) ] [
> +[SHA512](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.sha512) ]
>
>  -  [Security and official patches]([preferred]httpd/patches/)
>
> diff --git a/content/index.md b/content/index.md
> index e46b023..6a5e338 100644
> --- a/content/index.md
> +++ b/content/index.md
> @@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a 
> project in February 2020.
>  The Apache HTTP Server is a project of [The Apache Software
>  Foundation](https://www.apache.org/).
>
> -# Apache httpd 2.4.63 Released <span>2025-01-23</span>
> +# Apache httpd 2.4.64 Released <span>2025-07-10</span>
>  The Apache Software Foundation and the Apache HTTP Server Project are
>  pleased to
>  [announce](https://downloads.apache.org/httpd/Announcement2.4.html) the
> -release of version 2.4.63 of the Apache HTTP Server ("httpd").
> +release of version 2.4.64 of the Apache HTTP Server ("httpd").
>
>  This latest release from the 2.4.x stable branch represents the best 
> available
>  version of Apache HTTP Server.
> @@ -27,7 +27,7 @@ version of Apache HTTP Server.
>  Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order 
> to operate a TLS 1.3 web server with OpenSSL 1.1.1.
>
>  [Download](download.cgi#apache24) | [ChangeLog for
> -2.4.63](https://downloads.apache.org/httpd/CHANGES_2.4.63) | [Complete 
> ChangeLog for
> +2.4.64](https://downloads.apache.org/httpd/CHANGES_2.4.64) | [Complete 
> ChangeLog for
>  2.4](https://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd
>  2.4](docs/trunk/new_features_2_4.html)  {.centered}
>
> diff --git a/content/security/json/CVE-2024-42516.json 
> b/content/security/json/CVE-2024-42516.json
> new file mode 100644
> index 0000000..e776c52
> --- /dev/null
> +++ b/content/security/json/CVE-2024-42516.json
> @@ -0,0 +1,94 @@
> +{
> +  "containers": {
> +    "cna": {
> +      "affected": [
> +        {
> +          "defaultStatus": "unaffected",
> +          "product": "Apache HTTP Server",
> +          "vendor": "Apache Software Foundation",
> +          "versions": [
> +            {
> +              "lessThanOrEqual": "2.4.63",
> +              "status": "affected",
> +              "version": "2.4.0",
> +              "versionType": "semver"
> +            }
> +          ]
> +        }
> +      ],
> +      "descriptions": [
> +        {
> +          "lang": "en",
> +          "supportingMedia": [
> +            {
> +              "base64": false,
> +              "type": "text/html",
> +              "value": "HTTP response splitting in the core of Apache HTTP 
> Server allows an attacker who can manipulate the Content-Type response 
> headers of applications hosted or proxied by the server can split the HTTP 
> response.<br><br>This vulnerability was described as CVE-2023-38709 but the 
> patch included in Apache HTTP Server 2.4.59 did not address the 
> issue.<br><br>Users are recommended to upgrade to version 2.4.64, which fixes 
> this issue."
> +            }
> +          ],
> +          "value": "HTTP response splitting in the core of Apache HTTP 
> Server allows an attacker who can manipulate the Content-Type response 
> headers of applications hosted or proxied by the server can split the HTTP 
> response.\n\nThis vulnerability was described as CVE-2023-38709 but the patch 
> included in Apache HTTP Server 2.4.59 did not address the issue.\n\nUsers are 
> recommended to upgrade to version 2.4.64, which fixes this issue."
> +        }
> +      ],
> +      "metrics": [
> +        {
> +          "other": {
> +            "content": {
> +              "text": "moderate"
> +            },
> +            "type": "Textual description of severity"
> +          }
> +        }
> +      ],
> +      "problemTypes": [
> +        {
> +          "descriptions": [
> +            {
> +              "cweId": "CWE-20",
> +              "description": "CWE-20 Improper Input Validation",
> +              "lang": "en",
> +              "type": "CWE"
> +            }
> +          ]
> +        }
> +      ],
> +      "providerMetadata": {
> +        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
> +      },
> +      "references": [
> +        {
> +          "tags": [
> +            "vendor-advisory"
> +          ],
> +          "url": "https://httpd.apache.org/security/vulnerabilities_24.html";
> +        }
> +      ],
> +      "source": {
> +        "discovery": "INTERNAL"
> +      },
> +      "timeline": [
> +        {
> +          "lang": "en",
> +          "time": "2024-07-18T12:00:00.000Z",
> +          "value": "reported"
> +        },
> +        {
> +          "lang": "eng",
> +          "time": "2025-07-10",
> +          "value": "2.4.64 released"
> +        }
> +      ],
> +      "title": "Apache HTTP Server: HTTP response splitting",
> +      "x_generator": {
> +        "engine": "Vulnogram 0.1.0-dev"
> +      }
> +    }
> +  },
> +  "cveMetadata": {
> +    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
> +    "cveId": "CVE-2024-42516",
> +    "serial": 1,
> +    "state": "PUBLISHED"
> +  },
> +  "dataType": "CVE_RECORD",
> +  "dataVersion": "5.1"
> +}
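Review bot: the `url` value in the `references` block (`"url": "https://httpd.apache.org/security/vulnerabilities_24.html";`) ends with a semicolon outside the closing quote; if that character is in the committed file rather than an artifact of the mail archive, the record is not valid JSON and any generator reading it for the vulnerabilities page will fail. Two smaller points in the same record: the timeline entries mix `"lang": "en"` and `"lang": "eng"`, and the description reads `allows an attacker who can manipulate ... can split the HTTP response`, which has one verb too many; `allows an attacker who can manipulate the Content-Type response headers ... to split the HTTP response` reads correctly.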
> diff --git a/content/security/json/CVE-2024-43204.json 
> b/content/security/json/CVE-2024-43204.json
> new file mode 100644
> index 0000000..ef8e740
> --- /dev/null
> +++ b/content/security/json/CVE-2024-43204.json
> @@ -0,0 +1,86 @@
> +{
> +  "containers": {
> +    "cna": {
> +      "affected": [
> +        {
> +          "defaultStatus": "unaffected",
> +          "product": "Apache HTTP Server",
> +          "vendor": "Apache Software Foundation",
> +          "versions": [
> +            {
> +              "lessThanOrEqual": "2.4.63",
> +              "status": "affected",
> +              "version": "2.4.0",
> +              "versionType": "semver"
> +            }
> +          ]
> +        }
> +      ],
> +      "descriptions": [
> +        {
> +          "lang": "en",
> +          "supportingMedia": [
> +            {
> +              "base64": false,
> +              "type": "text/html",
> +              "value": "SSRF in Apache HTTP Server with mod_proxy loaded 
> allows an attacker to send outbound proxy requests to a URL controlled by the 
> attacker.&nbsp; Requires an unlikely configuration where mod_headers is 
> configured to modify the Content-Type request or response header with a value 
> provided in the HTTP request.<br><br>Users are recommended to upgrade to 
> version 2.4.64 which fixes this issue. "
> +            }
> +          ],
> +          "value": "SSRF in Apache HTTP Server with mod_proxy loaded allows 
> an attacker to send outbound proxy requests to a URL controlled by the 
> attacker.  Requires an unlikely configuration where mod_headers is configured 
> to modify the Content-Type request or response header with a value provided 
> in the HTTP request.\n\nUsers are recommended to upgrade to version 2.4.64 
> which fixes this issue. "
> +        }
> +      ],
> +      "metrics": [
> +        {
> +          "other": {
> +            "content": {
> +              "text": "low"
> +            },
> +            "type": "Textual description of severity"
> +          }
> +        }
> +      ],
> +      "problemTypes": [
> +        {
> +          "descriptions": [
> +            {
> +              "cweId": "CWE-918",
> +              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
> +              "lang": "en",
> +              "type": "CWE"
> +            }
> +          ]
> +        }
> +      ],
> +      "providerMetadata": {
> +        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
> +      },
> +      "source": {
> +        "discovery": "UNKNOWN"
> +      },
> +      "timeline": [
> +        {
> +          "lang": "en",
> +          "time": "2024-08-07T09:00:00.000Z",
> +          "value": "reported"
> +        },
> +        {
> +          "lang": "eng",
> +          "time": "2025-07-10",
> +          "value": "2.4.64 released"
> +        }
> +      ],
> +      "title": "Apache HTTP Server: SSRF with mod_headers setting 
> Content-Type header",
> +      "x_generator": {
> +        "engine": "Vulnogram 0.1.0-dev"
> +      }
> +    }
> +  },
> +  "cveMetadata": {
> +    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
> +    "cveId": "CVE-2024-43204",
> +    "serial": 1,
> +    "state": "PUBLISHED"
> +  },
> +  "dataType": "CVE_RECORD",
> +  "dataVersion": "5.0"
> +}
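Review bot: `"dataVersion": "5.0"` differs from the `"5.1"` used by every other record in this push; worth confirming the page generator accepts both. This record also has no `references` entry pointing at the vendor advisory, unlike CVE-2024-42516, and both description values carry a trailing space and a double space after `attacker.`.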
> diff --git a/content/security/json/CVE-2024-43394.json 
> b/content/security/json/CVE-2024-43394.json
> new file mode 100644
> index 0000000..3e6feec
> --- /dev/null
> +++ b/content/security/json/CVE-2024-43394.json
> @@ -0,0 +1,93 @@
> +{
> +  "containers": {
> +    "cna": {
> +      "affected": [
> +        {
> +          "defaultStatus": "unaffected",
> +          "product": "Apache HTTP Server",
> +          "vendor": "Apache Software Foundation",
> +          "versions": [
> +            {
> +              "lessThanOrEqual": "2.4.63",
> +              "status": "affected",
> +              "version": "2.4.0",
> +              "versionType": "semver"
> +            }
> +          ]
> +        }
> +      ],
> +      "credits": [
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Kainan Zhang (@4xpl0r3r) from Fortinet"
> +        }
> +      ],
> +      "descriptions": [
> +        {
> +          "lang": "en",
> +          "supportingMedia": [
> +            {
> +              "base64": false,
> +              "type": "text/html",
> +              "value": "<p></p><p>Server-Side Request Forgery (SSRF)&nbsp;in 
> Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a 
> malicious server via&nbsp;<br>mod_rewrite or apache expressions that pass 
> unvalidated request input.</p><p>This issue affects Apache HTTP Server: from 
> 2.4.0 through 2.4.63.</p>Note: <span style=\"background-color: rgb(255, 255, 
> 255);\">&nbsp;The Apache HTTP Server Project will be setting a higher bar for 
> accepting vulnerability reports reg [...]
> +            }
> +          ],
> +          "value": "Server-Side Request Forgery (SSRF) in Apache HTTP Server 
> on Windows allows to potentially leak NTLM hashes to a malicious server via 
> \nmod_rewrite or apache expressions that pass unvalidated request 
> input.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 
> 2.4.63.\n\nNote:  The Apache HTTP Server Project will be setting a higher bar 
> for accepting vulnerability reports regarding SSRF via UNC paths. \n\nThe 
> server offers limited protection against administrato [...]
> +        }
> +      ],
> +      "metrics": [
> +        {
> +          "other": {
> +            "content": {
> +              "text": "moderate"
> +            },
> +            "type": "Textual description of severity"
> +          }
> +        }
> +      ],
> +      "problemTypes": [
> +        {
> +          "descriptions": [
> +            {
> +              "cweId": "CWE-918",
> +              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
> +              "lang": "en",
> +              "type": "CWE"
> +            }
> +          ]
> +        }
> +      ],
> +      "providerMetadata": {
> +        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
> +      },
> +      "source": {
> +        "discovery": "UNKNOWN"
> +      },
> +      "timeline": [
> +        {
> +          "lang": "en",
> +          "time": "2024-08-10T00:00:00.000Z",
> +          "value": "reported"
> +        },
> +        {
> +          "lang": "eng",
> +          "time": "2025-07-10",
> +          "value": "2.4.64 released"
> +        }
> +      ],
> +      "title": "Apache HTTP Server: SSRF on Windows due to UNC paths",
> +      "x_generator": {
> +        "engine": "Vulnogram 0.1.0-dev"
> +      }
> +    }
> +  },
> +  "cveMetadata": {
> +    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
> +    "cveId": "CVE-2024-43394",
> +    "serial": 1,
> +    "state": "PUBLISHED"
> +  },
> +  "dataType": "CVE_RECORD",
> +  "dataVersion": "5.1"
> +}
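Review bot: the HTML `supportingMedia` value carries editor residue (an empty leading `<p></p>` and an inline `<span style=\"background-color: rgb(255, 255, 255);\">` wrapping the Note) that will be rendered verbatim on the vulnerabilities page; reduce it to plain `<p>` paragraphs. Also the second timeline entry uses `"lang": "eng"` where the first uses `"en"`, and the description's capitalisation is inconsistent (`Apache HTTP Server` beside `apache expressions`).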
> diff --git a/content/security/json/CVE-2024-47252.json 
> b/content/security/json/CVE-2024-47252.json
> new file mode 100644
> index 0000000..5e77017
> --- /dev/null
> +++ b/content/security/json/CVE-2024-47252.json
> @@ -0,0 +1,101 @@
> +{
> +  "containers": {
> +    "cna": {
> +      "affected": [
> +        {
> +          "defaultStatus": "unaffected",
> +          "product": "Apache HTTP Server",
> +          "vendor": "Apache Software Foundation",
> +          "versions": [
> +            {
> +              "lessThanOrEqual": "2.4.63",
> +              "status": "affected",
> +              "version": "2.4",
> +              "versionType": "semver"
> +            }
> +          ]
> +        }
> +      ],
> +      "credits": [
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "John Runyon"
> +        }
> +      ],
> +      "descriptions": [
> +        {
> +          "lang": "en",
> +          "supportingMedia": [
> +            {
> +              "base64": false,
> +              "type": "text/html",
> +              "value": "Insufficient escaping of user-supplied data in 
> mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS 
> client to insert escape characters into log files in some 
> configurations.<br><br>In a logging configuration where CustomLog is used 
> with \"%{varname}x\" or \"%{varname}c\" to log variables provided by mod_ssl 
> such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or 
> mod_ssl and unsanitized data provided by the client may appea [...]
> +            }
> +          ],
> +          "value": "Insufficient escaping of user-supplied data in mod_ssl 
> in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client 
> to insert escape characters into log files in some configurations.\n\nIn a 
> logging configuration where CustomLog is used with \"%{varname}x\" or 
> \"%{varname}c\" to log variables provided by mod_ssl such as SSL_TLS_SNI, no 
> escaping is performed by either mod_log_config or mod_ssl and unsanitized 
> data provided by the client may appear in log [...]
> +        }
> +      ],
> +      "metrics": [
> +        {
> +          "other": {
> +            "content": {
> +              "text": "low"
> +            },
> +            "type": "Textual description of severity"
> +          }
> +        }
> +      ],
> +      "problemTypes": [
> +        {
> +          "descriptions": [
> +            {
> +              "cweId": "CWE-150",
> +              "description": "CWE-150 Improper Neutralization of Escape, 
> Meta, or Control Sequences",
> +              "lang": "en",
> +              "type": "CWE"
> +            }
> +          ]
> +        }
> +      ],
> +      "providerMetadata": {
> +        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
> +      },
> +      "references": [
> +        {
> +          "tags": [
> +            "vendor-advisory"
> +          ],
> +          "url": "https://httpd.apache.org/security/vulnerabilities_24.html";
> +        }
> +      ],
> +      "source": {
> +        "discovery": "EXTERNAL"
> +      },
> +      "timeline": [
> +        {
> +          "lang": "en",
> +          "time": "2024-09-18T15:26:00.000Z",
> +          "value": "reported"
> +        },
> +        {
> +          "lang": "eng",
> +          "time": "2025-07-10",
> +          "value": "2.4.64 released"
> +        }
> +      ],
> +      "title": "Apache HTTP Server: mod_ssl error log variable escaping",
> +      "x_generator": {
> +        "engine": "Vulnogram 0.2.0"
> +      }
> +    }
> +  },
> +  "cveMetadata": {
> +    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
> +    "cveId": "CVE-2024-47252",
> +    "serial": 1,
> +    "state": "PUBLISHED"
> +  },
> +  "dataType": "CVE_RECORD",
> +  "dataVersion": "5.1"
> +}
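Review bot: the title says `mod_ssl error log variable escaping`, but the description only describes `CustomLog` with `%{varname}x` / `%{varname}c`, which is access logging through mod_log_config; one of the two should be corrected so readers filtering the page by title look at the right log. Also `"version": "2.4"` with `"versionType": "semver"` is not a full version triple like the `2.4.0` used in the other records.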
> diff --git a/content/security/json/CVE-2025-23048.json 
> b/content/security/json/CVE-2025-23048.json
> new file mode 100644
> index 0000000..0f9f3a5
> --- /dev/null
> +++ b/content/security/json/CVE-2025-23048.json
> @@ -0,0 +1,101 @@
> +{
> +  "containers": {
> +    "cna": {
> +      "affected": [
> +        {
> +          "defaultStatus": "unaffected",
> +          "product": "Apache HTTP Server",
> +          "vendor": "Apache Software Foundation",
> +          "versions": [
> +            {
> +              "lessThanOrEqual": "2.4.63",
> +              "status": "affected",
> +              "version": "2.4.35",
> +              "versionType": "semver"
> +            }
> +          ]
> +        }
> +      ],
> +      "credits": [
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, 
> and Juraj Somorovsky at Paderborn University"
> +        }
> +      ],
> +      "descriptions": [
> +        {
> +          "lang": "en",
> +          "supportingMedia": [
> +            {
> +              "base64": false,
> +              "type": "text/html",
> +              "value": "In some mod_ssl configurations on Apache HTTP Server 
> 2.4.35 through to 2.4.62, an access control bypass by trusted clients is 
> possible using TLS 1.3 session resumption.<br><br>Configurations are affected 
> when mod_ssl is configured for multiple virtual hosts, with each restricted 
> to a different set of trusted client certificates (for example with a 
> different SSLCACertificateFile/Path setting). In such a case, a client 
> trusted to access one virtual host may be able  [...]
> +            }
> +          ],
> +          "value": "In some mod_ssl configurations on Apache HTTP Server 
> 2.4.35 through to 2.4.62, an access control bypass by trusted clients is 
> possible using TLS 1.3 session resumption.\n\nConfigurations are affected 
> when mod_ssl is configured for multiple virtual hosts, with each restricted 
> to a different set of trusted client certificates (for example with a 
> different SSLCACertificateFile/Path setting). In such a case, a client 
> trusted to access one virtual host may be able to acces [...]
> +        }
> +      ],
> +      "metrics": [
> +        {
> +          "other": {
> +            "content": {
> +              "text": "moderate"
> +            },
> +            "type": "Textual description of severity"
> +          }
> +        }
> +      ],
> +      "problemTypes": [
> +        {
> +          "descriptions": [
> +            {
> +              "cweId": "CWE-284",
> +              "description": "CWE-284 Improper Access Control",
> +              "lang": "en",
> +              "type": "CWE"
> +            }
> +          ]
> +        }
> +      ],
> +      "providerMetadata": {
> +        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
> +      },
> +      "references": [
> +        {
> +          "tags": [
> +            "vendor-advisory"
> +          ],
> +          "url": "https://httpd.apache.org/security/vulnerabilities_24.html";
> +        }
> +      ],
> +      "source": {
> +        "discovery": "EXTERNAL"
> +      },
> +      "timeline": [
> +        {
> +          "lang": "en",
> +          "time": "2024-11-25T15:01:00.000Z",
> +          "value": "reported"
> +        },
> +        {
> +          "lang": "eng",
> +          "time": "2025-07-10",
> +          "value": "2.4.64 released"
> +        }
> +      ],
> +      "title": "Apache HTTP Server: mod_ssl access control bypass with 
> session resumption",
> +      "x_generator": {
> +        "engine": "Vulnogram 0.2.0"
> +      }
> +    }
> +  },
> +  "cveMetadata": {
> +    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
> +    "cveId": "CVE-2025-23048",
> +    "serial": 1,
> +    "state": "PUBLISHED"
> +  },
> +  "dataType": "CVE_RECORD",
> +  "dataVersion": "5.1"
> +}
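Review bot: the affected range in the description (`2.4.35 through to 2.4.62`) disagrees with the `affected` block, which declares `"lessThanOrEqual": "2.4.63"`; the timeline ties the record to the 2.4.64 release, so one of the two ranges is wrong and they should be reconciled before the page is built.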
> diff --git a/content/security/json/CVE-2025-49630.json 
> b/content/security/json/CVE-2025-49630.json
> new file mode 100644
> index 0000000..eaf2360
> --- /dev/null
> +++ b/content/security/json/CVE-2025-49630.json
> @@ -0,0 +1,93 @@
> +{
> +  "containers": {
> +    "cna": {
> +      "affected": [
> +        {
> +          "defaultStatus": "unaffected",
> +          "product": "Apache HTTP Server",
> +          "vendor": "Apache Software Foundation",
> +          "versions": [
> +            {
> +              "lessThanOrEqual": "2.4.63",
> +              "status": "affected",
> +              "version": "2.4.26",
> +              "versionType": "semver"
> +            }
> +          ]
> +        }
> +      ],
> +      "credits": [
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Anthony CORSIEZ"
> +        }
> +      ],
> +      "descriptions": [
> +        {
> +          "lang": "en",
> +          "supportingMedia": [
> +            {
> +              "base64": false,
> +              "type": "text/html",
> +              "value": "In certain proxy configurations, a denial of service 
> attack against&nbsp;Apache HTTP Server versions 2.4.26 through to 2.4.63 can 
> be triggered by untrusted clients causing an assertion in 
> mod_proxy_http2.<br><br>Configurations affected are a reverse proxy is 
> configured for an HTTP/2 backend, with ProxyPreserveHost set to \"on\".<br>"
> +            }
> +          ],
> +          "value": "In certain proxy configurations, a denial of service 
> attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be 
> triggered by untrusted clients causing an assertion in 
> mod_proxy_http2.\n\nConfigurations affected are a reverse proxy is configured 
> for an HTTP/2 backend, with ProxyPreserveHost set to \"on\"."
> +        }
> +      ],
> +      "metrics": [
> +        {
> +          "other": {
> +            "content": {
> +              "text": "low"
> +            },
> +            "type": "Textual description of severity"
> +          }
> +        }
> +      ],
> +      "problemTypes": [
> +        {
> +          "descriptions": [
> +            {
> +              "cweId": "CWE-617",
> +              "description": "CWE-617 Reachable Assertion",
> +              "lang": "en",
> +              "type": "CWE"
> +            }
> +          ]
> +        }
> +      ],
> +      "providerMetadata": {
> +        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
> +      },
> +      "source": {
> +        "discovery": "EXTERNAL"
> +      },
> +      "timeline": [
> +        {
> +          "lang": "en",
> +          "time": "2025-06-04T14:20:00.000Z",
> +          "value": "Report received"
> +        },
> +        {
> +          "lang": "eng",
> +          "time": "2025-07-10",
> +          "value": "2.4.64 released"
> +        }
> +      ],
> +      "title": "Apache HTTP Server: mod_proxy_http2 denial of service",
> +      "x_generator": {
> +        "engine": "Vulnogram 0.2.0"
> +      }
> +    }
> +  },
> +  "cveMetadata": {
> +    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
> +    "cveId": "CVE-2025-49630",
> +    "serial": 1,
> +    "state": "PUBLISHED"
> +  },
> +  "dataType": "CVE_RECORD",
> +  "dataVersion": "5.1"
> +}
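Review bot: the description omits the `Users are recommended to upgrade to version 2.4.64` sentence that the other records carry, and `Configurations affected are a reverse proxy is configured for an HTTP/2 backend` is ungrammatical; suggest `Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on". Users are recommended to upgrade to version 2.4.64, which fixes this issue.` The HTML value also ends with a stray `<br>`.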
> diff --git a/content/security/json/CVE-2025-49812.json 
> b/content/security/json/CVE-2025-49812.json
> new file mode 100644
> index 0000000..d101007
> --- /dev/null
> +++ b/content/security/json/CVE-2025-49812.json
> @@ -0,0 +1,128 @@
> +{
> +  "containers": {
> +    "cna": {
> +      "affected": [
> +        {
> +          "defaultStatus": "unaffected",
> +          "product": "Apache HTTP Server",
> +          "vendor": "Apache Software Foundation",
> +          "versions": [
> +            {
> +              "lessThanOrEqual": "2.4.63",
> +              "status": "affected",
> +              "version": "0",
> +              "versionType": "semver"
> +            }
> +          ]
> +        }
> +      ],
> +      "credits": [
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Robert Merget (Technology Innovation Institute)"
> +        },
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Nurullah Erinola (Ruhr University Bochum)"
> +        },
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Marcel Maehren (Ruhr University Bochum)"
> +        },
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Lukas Knittel (Ruhr University Bochum)"
> +        },
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Sven Hebrok (Paderborn University)"
> +        },
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Marcus Brinkmann (Ruhr University Bochum)"
> +        },
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Juraj Somorovsky (Paderborn University)"
> +        },
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Jörg Schwenk (Ruhr University Bochum)"
> +        }
> +      ],
> +      "descriptions": [
> +        {
> +          "lang": "en",
> +          "supportingMedia": [
> +            {
> +              "base64": false,
> +              "type": "text/html",
> +              "value": "In some mod_ssl configurations on Apache HTTP Server 
> versions through to 2.4.63, an HTTP desynchronisation attack allows a 
> man-in-the-middle attacker to hijack an HTTP session via a TLS 
> upgrade.<br><br>Only configurations using \"SSLEngine optional\" to enable 
> TLS upgrades are affected. Users are recommended to upgrade to version 
> 2.4.64, which removes support for TLS upgrade."
> +            }
> +          ],
> +          "value": "In some mod_ssl configurations on Apache HTTP Server 
> versions through to 2.4.63, an HTTP desynchronisation attack allows a 
> man-in-the-middle attacker to hijack an HTTP session via a TLS 
> upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS 
> upgrades are affected. Users are recommended to upgrade to version 2.4.64, 
> which removes support for TLS upgrade."
> +        }
> +      ],
> +      "metrics": [
> +        {
> +          "other": {
> +            "content": {
> +              "text": "moderate"
> +            },
> +            "type": "Textual description of severity"
> +          }
> +        }
> +      ],
> +      "problemTypes": [
> +        {
> +          "descriptions": [
> +            {
> +              "cweId": "CWE-287",
> +              "description": "CWE-287 Improper Authentication",
> +              "lang": "en",
> +              "type": "CWE"
> +            }
> +          ]
> +        }
> +      ],
> +      "providerMetadata": {
> +        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
> +      },
> +      "source": {
> +        "discovery": "UNKNOWN"
> +      },
> +      "timeline": [
> +        {
> +          "lang": "en",
> +          "time": "2025-04-22T07:26:00.000Z",
> +          "value": "Report received"
> +        },
> +        {
> +          "lang": "eng",
> +          "time": "2025-07-10",
> +          "value": "2.4.64 released"
> +        }
> +      ],
> +      "title": "Apache HTTP Server: mod_ssl TLS upgrade attack",
> +      "x_generator": {
> +        "engine": "Vulnogram 0.2.0"
> +      }
> +    }
> +  },
> +  "cveMetadata": {
> +    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
> +    "cveId": "CVE-2025-49812",
> +    "serial": 1,
> +    "state": "PUBLISHED"
> +  },
> +  "dataType": "CVE_RECORD",
> +  "dataVersion": "5.1"
> +}
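Review bot: `"version": "0"` with `"versionType": "semver"` makes the affected range read as every version ever released, whereas the other records in this push start at `2.4.0` or a later 2.4.x; if only the 2.4 branch is meant, use `2.4.0` as CVE-2024-42516 does. Also the timeline mixes `"lang": "en"` and `"lang": "eng"`.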
> diff --git a/content/security/json/CVE-2025-53020.json 
> b/content/security/json/CVE-2025-53020.json
> new file mode 100644
> index 0000000..3867285
> --- /dev/null
> +++ b/content/security/json/CVE-2025-53020.json
> @@ -0,0 +1,98 @@
> +{
> +  "containers": {
> +    "cna": {
> +      "affected": [
> +        {
> +          "defaultStatus": "unaffected",
> +          "product": "Apache HTTP Server",
> +          "vendor": "Apache Software Foundation",
> +          "versions": [
> +            {
> +              "lessThanOrEqual": "2.4.63",
> +              "status": "affected",
> +              "version": "2.4.17",
> +              "versionType": "semver"
> +            }
> +          ]
> +        }
> +      ],
> +      "credits": [
> +        {
> +          "lang": "en",
> +          "type": "finder",
> +          "value": "Gal Bar Nahum"
> +        }
> +      ],
> +      "descriptions": [
> +        {
> +          "lang": "en",
> +          "supportingMedia": [
> +            {
> +              "base64": false,
> +              "type": "text/html",
> +              "value": "<p>Late Release of Memory after Effective Lifetime 
> vulnerability in Apache HTTP Server.</p><p>This issue affects Apache HTTP 
> Server: from 2.4.17 up to 2.4.63.</p><p>Users are recommended to upgrade to 
> version 2.4.64, which fixes the issue.</p>"
> +            }
> +          ],
> +          "value": "Late Release of Memory after Effective Lifetime 
> vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP 
> Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to 
> version 2.4.64, which fixes the issue."
> +        }
> +      ],
> +      "metrics": [
> +        {
> +          "other": {
> +            "content": {
> +              "text": "moderate"
> +            },
> +            "type": "Textual description of severity"
> +          }
> +        }
> +      ],
> +      "problemTypes": [
> +        {
> +          "descriptions": [
> +            {
> +              "cweId": "CWE-401",
> +              "description": "CWE-401 Missing Release of Memory after 
> Effective Lifetime",
> +              "lang": "en",
> +              "type": "CWE"
> +            }
> +          ]
> +        }
> +      ],
> +      "providerMetadata": {
> +        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
> +      },
> +      "source": {
> +        "discovery": "UNKNOWN"
> +      },
> +      "timeline": [
> +        {
> +          "lang": "en",
> +          "time": "2025-06-18T09:19:00.000Z",
> +          "value": "reported"
> +        },
> +        {
> +          "lang": "en",
> +          "time": "2025-06-19T09:20:00.000Z",
> +          "value": "fix developed"
> +        },
> +        {
> +          "lang": "eng",
> +          "time": "2025-07-10",
> +          "value": "2.4.64 released"
> +        }
> +      ],
> +      "title": "Apache HTTP Server: HTTP/2 DoS by Memory Increase",
> +      "x_generator": {
> +        "engine": "Vulnogram 0.2.0"
> +      }
> +    }
> +  },
> +  "cveMetadata": {
> +    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
> +    "cveId": "CVE-2025-53020",
> +    "serial": 1,
> +    "state": "PUBLISHED"
> +  },
> +  "dataType": "CVE_RECORD",
> +  "dataVersion": "5.1"
> +}
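Review bot: the description is just the CWE-401 title (`Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server`) and names neither the component nor the impact, while the record's own title says `HTTP/2 DoS by Memory Increase`; the description should at least state that the memory growth involves HTTP/2 and leads to denial of service, as the title does, so the advisory entry is useful on its own. Minor: the timeline mixes `"lang": "en"` and `"lang": "eng"`.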
>


-- 
Eric Covener
cove...@gmail.com
