the resulting site build has cost problems on the vuln page, looking into it.
On Thu, Jul 10, 2025 at 7:57 AM <cove...@apache.org> wrote: > > This is an automated email from the ASF dual-hosted git repository. > > covener pushed a commit to branch main > in repository https://gitbox.apache.org/repos/asf/httpd-site.git > > > The following commit(s) were added to refs/heads/main by this push: > new 85be1ee publishing release httpd-2.4.64 > 85be1ee is described below > > commit 85be1eee518146ba1ee948cb81d17d42047de779 > Author: Eric Covener <ecove...@us.ibm.com> > AuthorDate: Thu Jul 10 07:57:06 2025 -0400 > > publishing release httpd-2.4.64 > --- > content/doap.rdf | 4 +- > content/download.md | 24 +++--- > content/index.md | 6 +- > content/security/json/CVE-2024-42516.json | 94 ++++++++++++++++++++++ > content/security/json/CVE-2024-43204.json | 86 ++++++++++++++++++++ > content/security/json/CVE-2024-43394.json | 93 ++++++++++++++++++++++ > content/security/json/CVE-2024-47252.json | 101 +++++++++++++++++++++++ > content/security/json/CVE-2025-23048.json | 101 +++++++++++++++++++++++ > content/security/json/CVE-2025-49630.json | 93 ++++++++++++++++++++++ > content/security/json/CVE-2025-49812.json | 128 > ++++++++++++++++++++++++++++++ > content/security/json/CVE-2025-53020.json | 98 +++++++++++++++++++++++ > 11 files changed, 811 insertions(+), 17 deletions(-) > > diff --git a/content/doap.rdf b/content/doap.rdf > index f87ea37..2971426 100644 > --- a/content/doap.rdf > +++ b/content/doap.rdf > @@ -38,8 +38,8 @@ > <release> > <Version> > <name>Recommended current 2.4 release</name> > - <created>2025-01-23</created> > - <revision>2.4.63</revision> > + <created>2025-07-10</created> > + <revision>2.4.64</revision> > </Version> > </release> > > diff --git a/content/download.md b/content/download.md > index 6275319..220801f 100644 > --- a/content/download.md > +++ b/content/download.md > @@ -19,16 +19,16 @@ Apache httpd for Microsoft Windows is available from > > Stable Release - Latest Version: > > -- [2.4.63](#apache24) (released 2025-01-23) > +- [2.4.64](#apache24) (released 2025-07-10) > > If you are downloading the Win32 distribution, please read these [important > notes]([preferred]httpd/binaries/win32/README.html). > > -# Apache HTTP Server 2.4.63 (httpd): 2.4.63 is the latest available version > <span>2025-01-23</span> {#apache24} > +# Apache HTTP Server 2.4.64 (httpd): 2.4.64 is the latest available version > <span>2025-07-10</span> {#apache24} > > The Apache HTTP Server Project is pleased to > [announce](//downloads.apache.org/httpd/Announcement2.4.txt) the > -release of version 2.4.63 of the Apache HTTP Server ("Apache" and "httpd"). > +release of version 2.4.64 of the Apache HTTP Server ("Apache" and "httpd"). > This version of Apache is our latest GA release of the new generation 2.4.x > branch of Apache HTTPD and represents fifteen years of innovation by the > project, and is recommended over all previous releases! > @@ -36,17 +36,17 @@ project, and is recommended over all previous releases! > For details, see the [Official > Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and > the [CHANGES_2.4]([preferred]httpd/CHANGES_2.4) and > -[CHANGES_2.4.63]([preferred]httpd/CHANGES_2.4.63) lists. > +[CHANGES_2.4.64]([preferred]httpd/CHANGES_2.4.64) lists. > > -- Source: [httpd-2.4.63.tar.bz2]([preferred]httpd/httpd-2.4.63.tar.bz2) > -[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.asc) ] [ > -[SHA256](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.sha256) ] [ > -[SHA512](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.sha512) ] > +- Source: [httpd-2.4.64.tar.bz2]([preferred]httpd/httpd-2.4.64.tar.bz2) > +[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.asc) ] [ > +[SHA256](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.sha256) ] [ > +[SHA512](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.sha512) ] > > -- Source: [httpd-2.4.63.tar.gz]([preferred]httpd/httpd-2.4.63.tar.gz) [ > -[PGP](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.asc) ] [ > -[SHA256](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.sha256) ] [ > -[SHA512](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.sha512) ] > +- Source: [httpd-2.4.64.tar.gz]([preferred]httpd/httpd-2.4.64.tar.gz) [ > +[PGP](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.asc) ] [ > +[SHA256](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.sha256) ] [ > +[SHA512](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.sha512) ] > > - [Security and official patches]([preferred]httpd/patches/) > > diff --git a/content/index.md b/content/index.md > index e46b023..6a5e338 100644 > --- a/content/index.md > +++ b/content/index.md > @@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a > project in February 2020. > The Apache HTTP Server is a project of [The Apache Software > Foundation](https://www.apache.org/). > > -# Apache httpd 2.4.63 Released <span>2025-01-23</span> > +# Apache httpd 2.4.64 Released <span>2025-07-10</span> > The Apache Software Foundation and the Apache HTTP Server Project are > pleased to > [announce](https://downloads.apache.org/httpd/Announcement2.4.html) the > -release of version 2.4.63 of the Apache HTTP Server ("httpd"). > +release of version 2.4.64 of the Apache HTTP Server ("httpd"). > > This latest release from the 2.4.x stable branch represents the best > available > version of Apache HTTP Server. > @@ -27,7 +27,7 @@ version of Apache HTTP Server. > Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order > to operate a TLS 1.3 web server with OpenSSL 1.1.1. > > [Download](download.cgi#apache24) | [ChangeLog for > -2.4.63](https://downloads.apache.org/httpd/CHANGES_2.4.63) | [Complete > ChangeLog for > +2.4.64](https://downloads.apache.org/httpd/CHANGES_2.4.64) | [Complete > ChangeLog for > 2.4](https://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd > 2.4](docs/trunk/new_features_2_4.html) {.centered} > > diff --git a/content/security/json/CVE-2024-42516.json > b/content/security/json/CVE-2024-42516.json > new file mode 100644 > index 0000000..e776c52 > --- /dev/null > +++ b/content/security/json/CVE-2024-42516.json > @@ -0,0 +1,94 @@ > +{ > + "containers": { > + "cna": { > + "affected": [ > + { > + "defaultStatus": "unaffected", > + "product": "Apache HTTP Server", > + "vendor": "Apache Software Foundation", > + "versions": [ > + { > + "lessThanOrEqual": "2.4.63", > + "status": "affected", > + "version": "2.4.0", > + "versionType": "semver" > + } > + ] > + } > + ], > + "descriptions": [ > + { > + "lang": "en", > + "supportingMedia": [ > + { > + "base64": false, > + "type": "text/html", > + "value": "HTTP response splitting in the core of Apache HTTP > Server allows an attacker who can manipulate the Content-Type response > headers of applications hosted or proxied by the server can split the HTTP > response.<br><br>This vulnerability was described as CVE-2023-38709 but the > patch included in Apache HTTP Server 2.4.59 did not address the > issue.<br><br>Users are recommended to upgrade to version 2.4.64, which fixes > this issue." > + } > + ], > + "value": "HTTP response splitting in the core of Apache HTTP > Server allows an attacker who can manipulate the Content-Type response > headers of applications hosted or proxied by the server can split the HTTP > response.\n\nThis vulnerability was described as CVE-2023-38709 but the patch > included in Apache HTTP Server 2.4.59 did not address the issue.\n\nUsers are > recommended to upgrade to version 2.4.64, which fixes this issue." > + } > + ], > + "metrics": [ > + { > + "other": { > + "content": { > + "text": "moderate" > + }, > + "type": "Textual description of severity" > + } > + } > + ], > + "problemTypes": [ > + { > + "descriptions": [ > + { > + "cweId": "CWE-20", > + "description": "CWE-20 Improper Input Validation", > + "lang": "en", > + "type": "CWE" > + } > + ] > + } > + ], > + "providerMetadata": { > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > + }, > + "references": [ > + { > + "tags": [ > + "vendor-advisory" > + ], > + "url": "https://httpd.apache.org/security/vulnerabilities_24.html"; > + } > + ], > + "source": { > + "discovery": "INTERNAL" > + }, > + "timeline": [ > + { > + "lang": "en", > + "time": "2024-07-18T12:00:00.000Z", > + "value": "reported" > + }, > + { > + "lang": "eng", > + "time": "2025-07-10", > + "value": "2.4.64 released" > + } > + ], > + "title": "Apache HTTP Server: HTTP response splitting", > + "x_generator": { > + "engine": "Vulnogram 0.1.0-dev" > + } > + } > + }, > + "cveMetadata": { > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > + "cveId": "CVE-2024-42516", > + "serial": 1, > + "state": "PUBLISHED" > + }, > + "dataType": "CVE_RECORD", > + "dataVersion": "5.1" > +} > diff --git a/content/security/json/CVE-2024-43204.json > b/content/security/json/CVE-2024-43204.json > new file mode 100644 > index 0000000..ef8e740 > --- /dev/null > +++ b/content/security/json/CVE-2024-43204.json > @@ -0,0 +1,86 @@ > +{ > + "containers": { > + "cna": { > + "affected": [ > + { > + "defaultStatus": "unaffected", > + "product": "Apache HTTP Server", > + "vendor": "Apache Software Foundation", > + "versions": [ > + { > + "lessThanOrEqual": "2.4.63", > + "status": "affected", > + "version": "2.4.0", > + "versionType": "semver" > + } > + ] > + } > + ], > + "descriptions": [ > + { > + "lang": "en", > + "supportingMedia": [ > + { > + "base64": false, > + "type": "text/html", > + "value": "SSRF in Apache HTTP Server with mod_proxy loaded > allows an attacker to send outbound proxy requests to a URL controlled by the > attacker. Requires an unlikely configuration where mod_headers is > configured to modify the Content-Type request or response header with a value > provided in the HTTP request.<br><br>Users are recommended to upgrade to > version 2.4.64 which fixes this issue. " > + } > + ], > + "value": "SSRF in Apache HTTP Server with mod_proxy loaded allows > an attacker to send outbound proxy requests to a URL controlled by the > attacker. Requires an unlikely configuration where mod_headers is configured > to modify the Content-Type request or response header with a value provided > in the HTTP request.\n\nUsers are recommended to upgrade to version 2.4.64 > which fixes this issue. " > + } > + ], > + "metrics": [ > + { > + "other": { > + "content": { > + "text": "low" > + }, > + "type": "Textual description of severity" > + } > + } > + ], > + "problemTypes": [ > + { > + "descriptions": [ > + { > + "cweId": "CWE-918", > + "description": "CWE-918 Server-Side Request Forgery (SSRF)", > + "lang": "en", > + "type": "CWE" > + } > + ] > + } > + ], > + "providerMetadata": { > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > + }, > + "source": { > + "discovery": "UNKNOWN" > + }, > + "timeline": [ > + { > + "lang": "en", > + "time": "2024-08-07T09:00:00.000Z", > + "value": "reported" > + }, > + { > + "lang": "eng", > + "time": "2025-07-10", > + "value": "2.4.64 released" > + } > + ], > + "title": "Apache HTTP Server: SSRF with mod_headers setting > Content-Type header", > + "x_generator": { > + "engine": "Vulnogram 0.1.0-dev" > + } > + } > + }, > + "cveMetadata": { > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > + "cveId": "CVE-2024-43204", > + "serial": 1, > + "state": "PUBLISHED" > + }, > + "dataType": "CVE_RECORD", > + "dataVersion": "5.0" > +} > diff --git a/content/security/json/CVE-2024-43394.json > b/content/security/json/CVE-2024-43394.json > new file mode 100644 > index 0000000..3e6feec > --- /dev/null > +++ b/content/security/json/CVE-2024-43394.json > @@ -0,0 +1,93 @@ > +{ > + "containers": { > + "cna": { > + "affected": [ > + { > + "defaultStatus": "unaffected", > + "product": "Apache HTTP Server", > + "vendor": "Apache Software Foundation", > + "versions": [ > + { > + "lessThanOrEqual": "2.4.63", > + "status": "affected", > + "version": "2.4.0", > + "versionType": "semver" > + } > + ] > + } > + ], > + "credits": [ > + { > + "lang": "en", > + "type": "finder", > + "value": "Kainan Zhang (@4xpl0r3r) from Fortinet" > + } > + ], > + "descriptions": [ > + { > + "lang": "en", > + "supportingMedia": [ > + { > + "base64": false, > + "type": "text/html", > + "value": "<p></p><p>Server-Side Request Forgery (SSRF) in > Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a > malicious server via <br>mod_rewrite or apache expressions that pass > unvalidated request input.</p><p>This issue affects Apache HTTP Server: from > 2.4.0 through 2.4.63.</p>Note: <span style=\"background-color: rgb(255, 255, > 255);\"> The Apache HTTP Server Project will be setting a higher bar for > accepting vulnerability reports reg [...] > + } > + ], > + "value": "Server-Side Request Forgery (SSRF) in Apache HTTP Server > on Windows allows to potentially leak NTLM hashes to a malicious server via > \nmod_rewrite or apache expressions that pass unvalidated request > input.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through > 2.4.63.\n\nNote: The Apache HTTP Server Project will be setting a higher bar > for accepting vulnerability reports regarding SSRF via UNC paths. \n\nThe > server offers limited protection against administrato [...] > + } > + ], > + "metrics": [ > + { > + "other": { > + "content": { > + "text": "moderate" > + }, > + "type": "Textual description of severity" > + } > + } > + ], > + "problemTypes": [ > + { > + "descriptions": [ > + { > + "cweId": "CWE-918", > + "description": "CWE-918 Server-Side Request Forgery (SSRF)", > + "lang": "en", > + "type": "CWE" > + } > + ] > + } > + ], > + "providerMetadata": { > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > + }, > + "source": { > + "discovery": "UNKNOWN" > + }, > + "timeline": [ > + { > + "lang": "en", > + "time": "2024-08-10T00:00:00.000Z", > + "value": "reported" > + }, > + { > + "lang": "eng", > + "time": "2025-07-10", > + "value": "2.4.64 released" > + } > + ], > + "title": "Apache HTTP Server: SSRF on Windows due to UNC paths", > + "x_generator": { > + "engine": "Vulnogram 0.1.0-dev" > + } > + } > + }, > + "cveMetadata": { > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > + "cveId": "CVE-2024-43394", > + "serial": 1, > + "state": "PUBLISHED" > + }, > + "dataType": "CVE_RECORD", > + "dataVersion": "5.1" > +} > diff --git a/content/security/json/CVE-2024-47252.json > b/content/security/json/CVE-2024-47252.json > new file mode 100644 > index 0000000..5e77017 > --- /dev/null > +++ b/content/security/json/CVE-2024-47252.json > @@ -0,0 +1,101 @@ > +{ > + "containers": { > + "cna": { > + "affected": [ > + { > + "defaultStatus": "unaffected", > + "product": "Apache HTTP Server", > + "vendor": "Apache Software Foundation", > + "versions": [ > + { > + "lessThanOrEqual": "2.4.63", > + "status": "affected", > + "version": "2.4", > + "versionType": "semver" > + } > + ] > + } > + ], > + "credits": [ > + { > + "lang": "en", > + "type": "finder", > + "value": "John Runyon" > + } > + ], > + "descriptions": [ > + { > + "lang": "en", > + "supportingMedia": [ > + { > + "base64": false, > + "type": "text/html", > + "value": "Insufficient escaping of user-supplied data in > mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS > client to insert escape characters into log files in some > configurations.<br><br>In a logging configuration where CustomLog is used > with \"%{varname}x\" or \"%{varname}c\" to log variables provided by mod_ssl > such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or > mod_ssl and unsanitized data provided by the client may appea [...] > + } > + ], > + "value": "Insufficient escaping of user-supplied data in mod_ssl > in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client > to insert escape characters into log files in some configurations.\n\nIn a > logging configuration where CustomLog is used with \"%{varname}x\" or > \"%{varname}c\" to log variables provided by mod_ssl such as SSL_TLS_SNI, no > escaping is performed by either mod_log_config or mod_ssl and unsanitized > data provided by the client may appear in log [...] > + } > + ], > + "metrics": [ > + { > + "other": { > + "content": { > + "text": "low" > + }, > + "type": "Textual description of severity" > + } > + } > + ], > + "problemTypes": [ > + { > + "descriptions": [ > + { > + "cweId": "CWE-150", > + "description": "CWE-150 Improper Neutralization of Escape, > Meta, or Control Sequences", > + "lang": "en", > + "type": "CWE" > + } > + ] > + } > + ], > + "providerMetadata": { > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > + }, > + "references": [ > + { > + "tags": [ > + "vendor-advisory" > + ], > + "url": "https://httpd.apache.org/security/vulnerabilities_24.html"; > + } > + ], > + "source": { > + "discovery": "EXTERNAL" > + }, > + "timeline": [ > + { > + "lang": "en", > + "time": "2024-09-18T15:26:00.000Z", > + "value": "reported" > + }, > + { > + "lang": "eng", > + "time": "2025-07-10", > + "value": "2.4.64 released" > + } > + ], > + "title": "Apache HTTP Server: mod_ssl error log variable escaping", > + "x_generator": { > + "engine": "Vulnogram 0.2.0" > + } > + } > + }, > + "cveMetadata": { > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > + "cveId": "CVE-2024-47252", > + "serial": 1, > + "state": "PUBLISHED" > + }, > + "dataType": "CVE_RECORD", > + "dataVersion": "5.1" > +} > diff --git a/content/security/json/CVE-2025-23048.json > b/content/security/json/CVE-2025-23048.json > new file mode 100644 > index 0000000..0f9f3a5 > --- /dev/null > +++ b/content/security/json/CVE-2025-23048.json > @@ -0,0 +1,101 @@ > +{ > + "containers": { > + "cna": { > + "affected": [ > + { > + "defaultStatus": "unaffected", > + "product": "Apache HTTP Server", > + "vendor": "Apache Software Foundation", > + "versions": [ > + { > + "lessThanOrEqual": "2.4.63", > + "status": "affected", > + "version": "2.4.35", > + "versionType": "semver" > + } > + ] > + } > + ], > + "credits": [ > + { > + "lang": "en", > + "type": "finder", > + "value": "Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, > and Juraj Somorovsky at Paderborn University" > + } > + ], > + "descriptions": [ > + { > + "lang": "en", > + "supportingMedia": [ > + { > + "base64": false, > + "type": "text/html", > + "value": "In some mod_ssl configurations on Apache HTTP Server > 2.4.35 through to 2.4.62, an access control bypass by trusted clients is > possible using TLS 1.3 session resumption.<br><br>Configurations are affected > when mod_ssl is configured for multiple virtual hosts, with each restricted > to a different set of trusted client certificates (for example with a > different SSLCACertificateFile/Path setting). In such a case, a client > trusted to access one virtual host may be able [...] > + } > + ], > + "value": "In some mod_ssl configurations on Apache HTTP Server > 2.4.35 through to 2.4.62, an access control bypass by trusted clients is > possible using TLS 1.3 session resumption.\n\nConfigurations are affected > when mod_ssl is configured for multiple virtual hosts, with each restricted > to a different set of trusted client certificates (for example with a > different SSLCACertificateFile/Path setting). In such a case, a client > trusted to access one virtual host may be able to acces [...] > + } > + ], > + "metrics": [ > + { > + "other": { > + "content": { > + "text": "moderate" > + }, > + "type": "Textual description of severity" > + } > + } > + ], > + "problemTypes": [ > + { > + "descriptions": [ > + { > + "cweId": "CWE-284", > + "description": "CWE-284 Improper Access Control", > + "lang": "en", > + "type": "CWE" > + } > + ] > + } > + ], > + "providerMetadata": { > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > + }, > + "references": [ > + { > + "tags": [ > + "vendor-advisory" > + ], > + "url": "https://httpd.apache.org/security/vulnerabilities_24.html"; > + } > + ], > + "source": { > + "discovery": "EXTERNAL" > + }, > + "timeline": [ > + { > + "lang": "en", > + "time": "2024-11-25T15:01:00.000Z", > + "value": "reported" > + }, > + { > + "lang": "eng", > + "time": "2025-07-10", > + "value": "2.4.64 released" > + } > + ], > + "title": "Apache HTTP Server: mod_ssl access control bypass with > session resumption", > + "x_generator": { > + "engine": "Vulnogram 0.2.0" > + } > + } > + }, > + "cveMetadata": { > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > + "cveId": "CVE-2025-23048", > + "serial": 1, > + "state": "PUBLISHED" > + }, > + "dataType": "CVE_RECORD", > + "dataVersion": "5.1" > +} > diff --git a/content/security/json/CVE-2025-49630.json > b/content/security/json/CVE-2025-49630.json > new file mode 100644 > index 0000000..eaf2360 > --- /dev/null > +++ b/content/security/json/CVE-2025-49630.json > @@ -0,0 +1,93 @@ > +{ > + "containers": { > + "cna": { > + "affected": [ > + { > + "defaultStatus": "unaffected", > + "product": "Apache HTTP Server", > + "vendor": "Apache Software Foundation", > + "versions": [ > + { > + "lessThanOrEqual": "2.4.63", > + "status": "affected", > + "version": "2.4.26", > + "versionType": "semver" > + } > + ] > + } > + ], > + "credits": [ > + { > + "lang": "en", > + "type": "finder", > + "value": "Anthony CORSIEZ" > + } > + ], > + "descriptions": [ > + { > + "lang": "en", > + "supportingMedia": [ > + { > + "base64": false, > + "type": "text/html", > + "value": "In certain proxy configurations, a denial of service > attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can > be triggered by untrusted clients causing an assertion in > mod_proxy_http2.<br><br>Configurations affected are a reverse proxy is > configured for an HTTP/2 backend, with ProxyPreserveHost set to \"on\".<br>" > + } > + ], > + "value": "In certain proxy configurations, a denial of service > attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be > triggered by untrusted clients causing an assertion in > mod_proxy_http2.\n\nConfigurations affected are a reverse proxy is configured > for an HTTP/2 backend, with ProxyPreserveHost set to \"on\"." > + } > + ], > + "metrics": [ > + { > + "other": { > + "content": { > + "text": "low" > + }, > + "type": "Textual description of severity" > + } > + } > + ], > + "problemTypes": [ > + { > + "descriptions": [ > + { > + "cweId": "CWE-617", > + "description": "CWE-617 Reachable Assertion", > + "lang": "en", > + "type": "CWE" > + } > + ] > + } > + ], > + "providerMetadata": { > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > + }, > + "source": { > + "discovery": "EXTERNAL" > + }, > + "timeline": [ > + { > + "lang": "en", > + "time": "2025-06-04T14:20:00.000Z", > + "value": "Report received" > + }, > + { > + "lang": "eng", > + "time": "2025-07-10", > + "value": "2.4.64 released" > + } > + ], > + "title": "Apache HTTP Server: mod_proxy_http2 denial of service", > + "x_generator": { > + "engine": "Vulnogram 0.2.0" > + } > + } > + }, > + "cveMetadata": { > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > + "cveId": "CVE-2025-49630", > + "serial": 1, > + "state": "PUBLISHED" > + }, > + "dataType": "CVE_RECORD", > + "dataVersion": "5.1" > +} > diff --git a/content/security/json/CVE-2025-49812.json > b/content/security/json/CVE-2025-49812.json > new file mode 100644 > index 0000000..d101007 > --- /dev/null > +++ b/content/security/json/CVE-2025-49812.json > @@ -0,0 +1,128 @@ > +{ > + "containers": { > + "cna": { > + "affected": [ > + { > + "defaultStatus": "unaffected", > + "product": "Apache HTTP Server", > + "vendor": "Apache Software Foundation", > + "versions": [ > + { > + "lessThanOrEqual": "2.4.63", > + "status": "affected", > + "version": "0", > + "versionType": "semver" > + } > + ] > + } > + ], > + "credits": [ > + { > + "lang": "en", > + "type": "finder", > + "value": "Robert Merget (Technology Innovation Institute)" > + }, > + { > + "lang": "en", > + "type": "finder", > + "value": "Nurullah Erinola (Ruhr University Bochum)" > + }, > + { > + "lang": "en", > + "type": "finder", > + "value": "Marcel Maehren (Ruhr University Bochum)" > + }, > + { > + "lang": "en", > + "type": "finder", > + "value": "Lukas Knittel (Ruhr University Bochum)" > + }, > + { > + "lang": "en", > + "type": "finder", > + "value": "Sven Hebrok (Paderborn University)" > + }, > + { > + "lang": "en", > + "type": "finder", > + "value": "Marcus Brinkmann (Ruhr University Bochum)" > + }, > + { > + "lang": "en", > + "type": "finder", > + "value": "Juraj Somorovsky (Paderborn University)" > + }, > + { > + "lang": "en", > + "type": "finder", > + "value": "Jörg Schwenk (Ruhr University Bochum)" > + } > + ], > + "descriptions": [ > + { > + "lang": "en", > + "supportingMedia": [ > + { > + "base64": false, > + "type": "text/html", > + "value": "In some mod_ssl configurations on Apache HTTP Server > versions through to 2.4.63, an HTTP desynchronisation attack allows a > man-in-the-middle attacker to hijack an HTTP session via a TLS > upgrade.<br><br>Only configurations using \"SSLEngine optional\" to enable > TLS upgrades are affected. Users are recommended to upgrade to version > 2.4.64, which removes support for TLS upgrade." > + } > + ], > + "value": "In some mod_ssl configurations on Apache HTTP Server > versions through to 2.4.63, an HTTP desynchronisation attack allows a > man-in-the-middle attacker to hijack an HTTP session via a TLS > upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS > upgrades are affected. Users are recommended to upgrade to version 2.4.64, > which removes support for TLS upgrade." > + } > + ], > + "metrics": [ > + { > + "other": { > + "content": { > + "text": "moderate" > + }, > + "type": "Textual description of severity" > + } > + } > + ], > + "problemTypes": [ > + { > + "descriptions": [ > + { > + "cweId": "CWE-287", > + "description": "CWE-287 Improper Authentication", > + "lang": "en", > + "type": "CWE" > + } > + ] > + } > + ], > + "providerMetadata": { > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > + }, > + "source": { > + "discovery": "UNKNOWN" > + }, > + "timeline": [ > + { > + "lang": "en", > + "time": "2025-04-22T07:26:00.000Z", > + "value": "Report received" > + }, > + { > + "lang": "eng", > + "time": "2025-07-10", > + "value": "2.4.64 released" > + } > + ], > + "title": "Apache HTTP Server: mod_ssl TLS upgrade attack", > + "x_generator": { > + "engine": "Vulnogram 0.2.0" > + } > + } > + }, > + "cveMetadata": { > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > + "cveId": "CVE-2025-49812", > + "serial": 1, > + "state": "PUBLISHED" > + }, > + "dataType": "CVE_RECORD", > + "dataVersion": "5.1" > +} > diff --git a/content/security/json/CVE-2025-53020.json > b/content/security/json/CVE-2025-53020.json > new file mode 100644 > index 0000000..3867285 > --- /dev/null > +++ b/content/security/json/CVE-2025-53020.json > @@ -0,0 +1,98 @@ > +{ > + "containers": { > + "cna": { > + "affected": [ > + { > + "defaultStatus": "unaffected", > + "product": "Apache HTTP Server", > + "vendor": "Apache Software Foundation", > + "versions": [ > + { > + "lessThanOrEqual": "2.4.63", > + "status": "affected", > + "version": "2.4.17", > + "versionType": "semver" > + } > + ] > + } > + ], > + "credits": [ > + { > + "lang": "en", > + "type": "finder", > + "value": "Gal Bar Nahum" > + } > + ], > + "descriptions": [ > + { > + "lang": "en", > + "supportingMedia": [ > + { > + "base64": false, > + "type": "text/html", > + "value": "<p>Late Release of Memory after Effective Lifetime > vulnerability in Apache HTTP Server.</p><p>This issue affects Apache HTTP > Server: from 2.4.17 up to 2.4.63.</p><p>Users are recommended to upgrade to > version 2.4.64, which fixes the issue.</p>" > + } > + ], > + "value": "Late Release of Memory after Effective Lifetime > vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP > Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to > version 2.4.64, which fixes the issue." > + } > + ], > + "metrics": [ > + { > + "other": { > + "content": { > + "text": "moderate" > + }, > + "type": "Textual description of severity" > + } > + } > + ], > + "problemTypes": [ > + { > + "descriptions": [ > + { > + "cweId": "CWE-401", > + "description": "CWE-401 Missing Release of Memory after > Effective Lifetime", > + "lang": "en", > + "type": "CWE" > + } > + ] > + } > + ], > + "providerMetadata": { > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > + }, > + "source": { > + "discovery": "UNKNOWN" > + }, > + "timeline": [ > + { > + "lang": "en", > + "time": "2025-06-18T09:19:00.000Z", > + "value": "reported" > + }, > + { > + "lang": "en", > + "time": "2025-06-19T09:20:00.000Z", > + "value": "fix developed" > + }, > + { > + "lang": "eng", > + "time": "2025-07-10", > + "value": "2.4.64 released" > + } > + ], > + "title": "Apache HTTP Server: HTTP/2 DoS by Memory Increase", > + "x_generator": { > + "engine": "Vulnogram 0.2.0" > + } > + } > + }, > + "cveMetadata": { > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > + "cveId": "CVE-2025-53020", > + "serial": 1, > + "state": "PUBLISHED" > + }, > + "dataType": "CVE_RECORD", > + "dataVersion": "5.1" > +} > -- Eric Covener cove...@gmail.com
