resolved, now waiting for caches to update On Thu, Jul 10, 2025 at 8:04 AM Eric Covener <cove...@gmail.com> wrote: > > the resulting site build has cost problems on the vuln page, looking into it. > > On Thu, Jul 10, 2025 at 7:57 AM <cove...@apache.org> wrote: > > > > This is an automated email from the ASF dual-hosted git repository. > > > > covener pushed a commit to branch main > > in repository https://gitbox.apache.org/repos/asf/httpd-site.git > > > > > > The following commit(s) were added to refs/heads/main by this push: > > new 85be1ee publishing release httpd-2.4.64 > > 85be1ee is described below > > > > commit 85be1eee518146ba1ee948cb81d17d42047de779 > > Author: Eric Covener <ecove...@us.ibm.com> > > AuthorDate: Thu Jul 10 07:57:06 2025 -0400 > > > > publishing release httpd-2.4.64 > > --- > > content/doap.rdf | 4 +- > > content/download.md | 24 +++--- > > content/index.md | 6 +- > > content/security/json/CVE-2024-42516.json | 94 ++++++++++++++++++++++ > > content/security/json/CVE-2024-43204.json | 86 ++++++++++++++++++++ > > content/security/json/CVE-2024-43394.json | 93 ++++++++++++++++++++++ > > content/security/json/CVE-2024-47252.json | 101 +++++++++++++++++++++++ > > content/security/json/CVE-2025-23048.json | 101 +++++++++++++++++++++++ > > content/security/json/CVE-2025-49630.json | 93 ++++++++++++++++++++++ > > content/security/json/CVE-2025-49812.json | 128 > > ++++++++++++++++++++++++++++++ > > content/security/json/CVE-2025-53020.json | 98 +++++++++++++++++++++++ > > 11 files changed, 811 insertions(+), 17 deletions(-) > > > > diff --git a/content/doap.rdf b/content/doap.rdf > > index f87ea37..2971426 100644 > > --- a/content/doap.rdf > > +++ b/content/doap.rdf > > @@ -38,8 +38,8 @@ > > <release> > > <Version> > > <name>Recommended current 2.4 release</name> > > - <created>2025-01-23</created> > > - <revision>2.4.63</revision> > > + <created>2025-07-10</created> > > + <revision>2.4.64</revision> > > </Version> > > </release> 
> > > > diff --git a/content/download.md b/content/download.md > > index 6275319..220801f 100644 > > --- a/content/download.md > > +++ b/content/download.md > > @@ -19,16 +19,16 @@ Apache httpd for Microsoft Windows is available from > > > > Stable Release - Latest Version: > > > > -- [2.4.63](#apache24) (released 2025-01-23) > > +- [2.4.64](#apache24) (released 2025-07-10) > > > > If you are downloading the Win32 distribution, please read these [important > > notes]([preferred]httpd/binaries/win32/README.html). > > > > -# Apache HTTP Server 2.4.63 (httpd): 2.4.63 is the latest available > > version <span>2025-01-23</span> {#apache24} > > +# Apache HTTP Server 2.4.64 (httpd): 2.4.64 is the latest available > > version <span>2025-07-10</span> {#apache24} > > > > The Apache HTTP Server Project is pleased to > > [announce](//downloads.apache.org/httpd/Announcement2.4.txt) the > > -release of version 2.4.63 of the Apache HTTP Server ("Apache" and "httpd"). > > +release of version 2.4.64 of the Apache HTTP Server ("Apache" and "httpd"). > > This version of Apache is our latest GA release of the new generation 2.4.x > > branch of Apache HTTPD and represents fifteen years of innovation by the > > project, and is recommended over all previous releases! 
> > @@ -36,17 +36,17 @@ project, and is recommended over all previous releases! > > For details, see the [Official > > Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and > > the [CHANGES_2.4]([preferred]httpd/CHANGES_2.4) and > > -[CHANGES_2.4.63]([preferred]httpd/CHANGES_2.4.63) lists. > > +[CHANGES_2.4.64]([preferred]httpd/CHANGES_2.4.64) lists. > > > > -- Source: [httpd-2.4.63.tar.bz2]([preferred]httpd/httpd-2.4.63.tar.bz2) > > -[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.asc) ] [ > > -[SHA256](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.sha256) ] > > [ > > -[SHA512](https://downloads.apache.org/httpd/httpd-2.4.63.tar.bz2.sha512) ] > > +- Source: [httpd-2.4.64.tar.bz2]([preferred]httpd/httpd-2.4.64.tar.bz2) > > +[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.asc) ] [ > > +[SHA256](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.sha256) ] > > [ > > +[SHA512](https://downloads.apache.org/httpd/httpd-2.4.64.tar.bz2.sha512) ] > > > > -- Source: [httpd-2.4.63.tar.gz]([preferred]httpd/httpd-2.4.63.tar.gz) [ > > -[PGP](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.asc) ] [ > > -[SHA256](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.sha256) ] [ > > -[SHA512](https://downloads.apache.org/httpd/httpd-2.4.63.tar.gz.sha512) ] > > +- Source: [httpd-2.4.64.tar.gz]([preferred]httpd/httpd-2.4.64.tar.gz) [ > > +[PGP](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.asc) ] [ > > +[SHA256](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.sha256) ] [ > > +[SHA512](https://downloads.apache.org/httpd/httpd-2.4.64.tar.gz.sha512) ] > > > > - [Security and official patches]([preferred]httpd/patches/) > > > > diff --git a/content/index.md b/content/index.md > > index e46b023..6a5e338 100644 > > --- a/content/index.md > > +++ b/content/index.md 
> > @@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a > > project in February 2020. > > The Apache HTTP Server is a project of [The Apache Software > > Foundation](https://www.apache.org/). > > > > -# Apache httpd 2.4.63 Released <span>2025-01-23</span> > > +# Apache httpd 2.4.64 Released <span>2025-07-10</span> > > The Apache Software Foundation and the Apache HTTP Server Project are > > pleased to > > [announce](https://downloads.apache.org/httpd/Announcement2.4.html) the > > -release of version 2.4.63 of the Apache HTTP Server ("httpd"). > > +release of version 2.4.64 of the Apache HTTP Server ("httpd"). > > > > This latest release from the 2.4.x stable branch represents the best > > available > > version of Apache HTTP Server. > > @@ -27,7 +27,7 @@ version of Apache HTTP Server. > > Apache HTTP Server version 2.<span>4</span>.43 or newer is required in > > order to operate a TLS 1.3 web server with OpenSSL 1.1.1. > > > > [Download](download.cgi#apache24) | [ChangeLog for > > -2.4.63](https://downloads.apache.org/httpd/CHANGES_2.4.63) | [Complete > > ChangeLog for > > +2.4.64](https://downloads.apache.org/httpd/CHANGES_2.4.64) | [Complete > > ChangeLog for > > 2.4](https://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in > > httpd > > 2.4](docs/trunk/new_features_2_4.html) {.centered} > > > > diff --git a/content/security/json/CVE-2024-42516.json > > b/content/security/json/CVE-2024-42516.json > > new file mode 100644 > > index 0000000..e776c52 > > --- /dev/null > > +++ b/content/security/json/CVE-2024-42516.json 
> > @@ -0,0 +1,94 @@ > > +{ > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.63", > > + "status": "affected", > > + "version": "2.4.0", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "HTTP response splitting in the core of Apache HTTP > > Server allows an attacker who can manipulate the Content-Type response > > headers of applications hosted or proxied by the server can split the HTTP > > response.<br><br>This vulnerability was described as CVE-2023-38709 but the > > patch included in Apache HTTP Server 2.4.59 did not address the > > issue.<br><br>Users are recommended to upgrade to version 2.4.64, which > > fixes this issue." > > + } > > + ], > > + "value": "HTTP response splitting in the core of Apache HTTP > > Server allows an attacker who can manipulate the Content-Type response > > headers of applications hosted or proxied by the server can split the HTTP > > response.\n\nThis vulnerability was described as CVE-2023-38709 but the > > patch included in Apache HTTP Server 2.4.59 did not address the > > issue.\n\nUsers are recommended to upgrade to version 2.4.64, which fixes > > this issue." 
> > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "moderate" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-20", > > + "description": "CWE-20 Improper Input Validation", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > + }, > > + "references": [ > > + { > > + "tags": [ > > + "vendor-advisory" > > + ], > > + "url": > > "https://httpd.apache.org/security/vulnerabilities_24.html" > > + } > > + ], > > + "source": { > > + "discovery": "INTERNAL" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2024-07-18T12:00:00.000Z", > > + "value": "reported" > > + }, > > + { > > + "lang": "eng", > > + "time": "2025-07-10", > > + "value": "2.4.64 released" > > + } > > + ], > > + "title": "Apache HTTP Server: HTTP response splitting", > > + "x_generator": { > > + "engine": "Vulnogram 0.1.0-dev" > > + } > > + } > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2024-42516", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.1" > > +} > > diff --git a/content/security/json/CVE-2024-43204.json > > b/content/security/json/CVE-2024-43204.json > > new file mode 100644 > > index 0000000..ef8e740 > > --- /dev/null > > +++ b/content/security/json/CVE-2024-43204.json 
> > @@ -0,0 +1,86 @@ > > +{ > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.63", > > + "status": "affected", > > + "version": "2.4.0", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "SSRF in Apache HTTP Server with mod_proxy loaded > > allows an attacker to send outbound proxy requests to a URL controlled by > > the attacker. Requires an unlikely configuration where mod_headers is > > configured to modify the Content-Type request or response header with a > > value provided in the HTTP request.<br><br>Users are recommended to upgrade > > to version 2.4.64 which fixes this issue. " > > + } > > + ], > > + "value": "SSRF in Apache HTTP Server with mod_proxy loaded > > allows an attacker to send outbound proxy requests to a URL controlled by > > the attacker. Requires an unlikely configuration where mod_headers is > > configured to modify the Content-Type request or response header with a > > value provided in the HTTP request.\n\nUsers are recommended to upgrade to > > version 2.4.64 which fixes this issue. 
" > > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "low" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-918", > > + "description": "CWE-918 Server-Side Request Forgery (SSRF)", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > + }, > > + "source": { > > + "discovery": "UNKNOWN" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2024-08-07T09:00:00.000Z", > > + "value": "reported" > > + }, > > + { > > + "lang": "eng", > > + "time": "2025-07-10", > > + "value": "2.4.64 released" > > + } > > + ], > > + "title": "Apache HTTP Server: SSRF with mod_headers setting > > Content-Type header", > > + "x_generator": { > > + "engine": "Vulnogram 0.1.0-dev" > > + } > > + } > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2024-43204", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.0" > > +} > > diff --git a/content/security/json/CVE-2024-43394.json > > b/content/security/json/CVE-2024-43394.json > > new file mode 100644 > > index 0000000..3e6feec > > --- /dev/null > > +++ b/content/security/json/CVE-2024-43394.json 
> > @@ -0,0 +1,93 @@ > > +{ > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.63", > > + "status": "affected", > > + "version": "2.4.0", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "credits": [ > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Kainan Zhang (@4xpl0r3r) from Fortinet" > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "<p></p><p>Server-Side Request Forgery > > (SSRF) in Apache HTTP Server on Windows allows to potentially leak > > NTLM hashes to a malicious server via <br>mod_rewrite or apache > > expressions that pass unvalidated request input.</p><p>This issue affects > > Apache HTTP Server: from 2.4.0 through 2.4.63.</p>Note: <span > > style=\"background-color: rgb(255, 255, 255);\"> The Apache HTTP > > Server Project will be setting a higher bar for accepting vulnerability > > reports reg [...] > > + } > > + ], > > + "value": "Server-Side Request Forgery (SSRF) in Apache HTTP > > Server on Windows allows to potentially leak NTLM hashes to a malicious > > server via \nmod_rewrite or apache expressions that pass unvalidated > > request input.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through > > 2.4.63.\n\nNote: The Apache HTTP Server Project will be setting a higher > > bar for accepting vulnerability reports regarding SSRF via UNC paths. > > \n\nThe server offers limited protection against administrato [...] 
> > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "moderate" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-918", > > + "description": "CWE-918 Server-Side Request Forgery (SSRF)", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > + }, > > + "source": { > > + "discovery": "UNKNOWN" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2024-08-10T00:00:00.000Z", > > + "value": "reported" > > + }, > > + { > > + "lang": "eng", > > + "time": "2025-07-10", > > + "value": "2.4.64 released" > > + } > > + ], > > + "title": "Apache HTTP Server: SSRF on Windows due to UNC paths", > > + "x_generator": { > > + "engine": "Vulnogram 0.1.0-dev" > > + } > > + } > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2024-43394", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.1" > > +} > > diff --git a/content/security/json/CVE-2024-47252.json > > b/content/security/json/CVE-2024-47252.json > > new file mode 100644 > > index 0000000..5e77017 > > --- /dev/null > > +++ b/content/security/json/CVE-2024-47252.json 
> > @@ -0,0 +1,101 @@ > > +{ > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.63", > > + "status": "affected", > > + "version": "2.4", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "credits": [ > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "John Runyon" > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "Insufficient escaping of user-supplied data in > > mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted > > SSL/TLS client to insert escape characters into log files in some > > configurations.<br><br>In a logging configuration where CustomLog is used > > with \"%{varname}x\" or \"%{varname}c\" to log variables provided by > > mod_ssl such as SSL_TLS_SNI, no escaping is performed by either > > mod_log_config or mod_ssl and unsanitized data provided by the client may > > appea [...] > > + } > > + ], > > + "value": "Insufficient escaping of user-supplied data in mod_ssl > > in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client > > to insert escape characters into log files in some configurations.\n\nIn a > > logging configuration where CustomLog is used with \"%{varname}x\" or > > \"%{varname}c\" to log variables provided by mod_ssl such as SSL_TLS_SNI, > > no escaping is performed by either mod_log_config or mod_ssl and > > unsanitized data provided by the client may appear in log [...] 
> > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "low" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-150", > > + "description": "CWE-150 Improper Neutralization of Escape, > > Meta, or Control Sequences", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > + }, > > + "references": [ > > + { > > + "tags": [ > > + "vendor-advisory" > > + ], > > + "url": > > "https://httpd.apache.org/security/vulnerabilities_24.html" > > + } > > + ], > > + "source": { > > + "discovery": "EXTERNAL" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2024-09-18T15:26:00.000Z", > > + "value": "reported" > > + }, > > + { > > + "lang": "eng", > > + "time": "2025-07-10", > > + "value": "2.4.64 released" > > + } > > + ], > > + "title": "Apache HTTP Server: mod_ssl error log variable escaping", > > + "x_generator": { > > + "engine": "Vulnogram 0.2.0" > > + } > > + } > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2024-47252", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.1" > > +} > > diff --git a/content/security/json/CVE-2025-23048.json > > b/content/security/json/CVE-2025-23048.json > > new file mode 100644 > > index 0000000..0f9f3a5 > > --- /dev/null > > +++ b/content/security/json/CVE-2025-23048.json 
> > @@ -0,0 +1,101 @@ > > +{ > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.63", > > + "status": "affected", > > + "version": "2.4.35", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "credits": [ > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Sven Hebrok, Felix Cramer, Tim Storm, Maximilian > > Radoy, and Juraj Somorovsky at Paderborn University" > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "In some mod_ssl configurations on Apache HTTP > > Server 2.4.35 through to 2.4.62, an access control bypass by trusted > > clients is possible using TLS 1.3 session resumption.<br><br>Configurations > > are affected when mod_ssl is configured for multiple virtual hosts, with > > each restricted to a different set of trusted client certificates (for > > example with a different SSLCACertificateFile/Path setting). In such a > > case, a client trusted to access one virtual host may be able [...] > > + } > > + ], > > + "value": "In some mod_ssl configurations on Apache HTTP Server > > 2.4.35 through to 2.4.62, an access control bypass by trusted clients is > > possible using TLS 1.3 session resumption.\n\nConfigurations are affected > > when mod_ssl is configured for multiple virtual hosts, with each restricted > > to a different set of trusted client certificates (for example with a > > different SSLCACertificateFile/Path setting). In such a case, a client > > trusted to access one virtual host may be able to acces [...] 
> > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "moderate" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-284", > > + "description": "CWE-284 Improper Access Control", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > + }, > > + "references": [ > > + { > > + "tags": [ > > + "vendor-advisory" > > + ], > > + "url": > > "https://httpd.apache.org/security/vulnerabilities_24.html" > > + } > > + ], > > + "source": { > > + "discovery": "EXTERNAL" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2024-11-25T15:01:00.000Z", > > + "value": "reported" > > + }, > > + { > > + "lang": "eng", > > + "time": "2025-07-10", > > + "value": "2.4.64 released" > > + } > > + ], > > + "title": "Apache HTTP Server: mod_ssl access control bypass with > > session resumption", > > + "x_generator": { > > + "engine": "Vulnogram 0.2.0" > > + } > > + } > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2025-23048", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.1" > > +} > > diff --git a/content/security/json/CVE-2025-49630.json > > b/content/security/json/CVE-2025-49630.json > > new file mode 100644 > > index 0000000..eaf2360 > > --- /dev/null > > +++ b/content/security/json/CVE-2025-49630.json 
> > @@ -0,0 +1,93 @@ > > +{ > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.63", > > + "status": "affected", > > + "version": "2.4.26", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "credits": [ > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Anthony CORSIEZ" > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "In certain proxy configurations, a denial of > > service attack against Apache HTTP Server versions 2.4.26 through to > > 2.4.63 can be triggered by untrusted clients causing an assertion in > > mod_proxy_http2.<br><br>Configurations affected are a reverse proxy is > > configured for an HTTP/2 backend, with ProxyPreserveHost set to \"on\".<br>" > > + } > > + ], > > + "value": "In certain proxy configurations, a denial of service > > attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be > > triggered by untrusted clients causing an assertion in > > mod_proxy_http2.\n\nConfigurations affected are a reverse proxy is > > configured for an HTTP/2 backend, with ProxyPreserveHost set to \"on\"." 
> > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "low" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-617", > > + "description": "CWE-617 Reachable Assertion", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > + }, > > + "source": { > > + "discovery": "EXTERNAL" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2025-06-04T14:20:00.000Z", > > + "value": "Report received" > > + }, > > + { > > + "lang": "eng", > > + "time": "2025-07-10", > > + "value": "2.4.64 released" > > + } > > + ], > > + "title": "Apache HTTP Server: mod_proxy_http2 denial of service", > > + "x_generator": { > > + "engine": "Vulnogram 0.2.0" > > + } > > + } > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2025-49630", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.1" > > +} > > diff --git a/content/security/json/CVE-2025-49812.json > > b/content/security/json/CVE-2025-49812.json > > new file mode 100644 > > index 0000000..d101007 > > --- /dev/null > > +++ b/content/security/json/CVE-2025-49812.json 
> > @@ -0,0 +1,128 @@ > > +{ > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.63", > > + "status": "affected", > > + "version": "0", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "credits": [ > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Robert Merget (Technology Innovation Institute)" > > + }, > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Nurullah Erinola (Ruhr University Bochum)" > > + }, > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Marcel Maehren (Ruhr University Bochum)" > > + }, > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Lukas Knittel (Ruhr University Bochum)" > > + }, > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Sven Hebrok (Paderborn University)" > > + }, > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Marcus Brinkmann (Ruhr University Bochum)" > > + }, > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Juraj Somorovsky (Paderborn University)" > > + }, > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Jörg Schwenk (Ruhr University Bochum)" > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "In some mod_ssl configurations on Apache HTTP > > Server versions through to 2.4.63, an HTTP desynchronisation attack allows > > a man-in-the-middle attacker to hijack an HTTP session via a TLS > > upgrade.<br><br>Only configurations using \"SSLEngine optional\" to enable > > TLS upgrades are affected. Users are recommended to upgrade to version > > 2.4.64, which removes support for TLS upgrade." 
> > + } > > + ], > > + "value": "In some mod_ssl configurations on Apache HTTP Server > > versions through to 2.4.63, an HTTP desynchronisation attack allows a > > man-in-the-middle attacker to hijack an HTTP session via a TLS > > upgrade.\n\nOnly configurations using \"SSLEngine optional\" to enable TLS > > upgrades are affected. Users are recommended to upgrade to version 2.4.64, > > which removes support for TLS upgrade." > > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "moderate" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-287", > > + "description": "CWE-287 Improper Authentication", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > + }, > > + "source": { > > + "discovery": "UNKNOWN" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2025-04-22T07:26:00.000Z", > > + "value": "Report received" > > + }, > > + { > > + "lang": "eng", > > + "time": "2025-07-10", > > + "value": "2.4.64 released" > > + } > > + ], > > + "title": "Apache HTTP Server: mod_ssl TLS upgrade attack", > > + "x_generator": { > > + "engine": "Vulnogram 0.2.0" > > + } > > + } > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2025-49812", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.1" > > +} > > diff --git a/content/security/json/CVE-2025-53020.json > > b/content/security/json/CVE-2025-53020.json > > new file mode 100644 > > index 0000000..3867285 > > --- /dev/null > > +++ b/content/security/json/CVE-2025-53020.json 
> > @@ -0,0 +1,98 @@ > > +{ > > + "containers": { > > + "cna": { > > + "affected": [ > > + { > > + "defaultStatus": "unaffected", > > + "product": "Apache HTTP Server", > > + "vendor": "Apache Software Foundation", > > + "versions": [ > > + { > > + "lessThanOrEqual": "2.4.63", > > + "status": "affected", > > + "version": "2.4.17", > > + "versionType": "semver" > > + } > > + ] > > + } > > + ], > > + "credits": [ > > + { > > + "lang": "en", > > + "type": "finder", > > + "value": "Gal Bar Nahum" > > + } > > + ], > > + "descriptions": [ > > + { > > + "lang": "en", > > + "supportingMedia": [ > > + { > > + "base64": false, > > + "type": "text/html", > > + "value": "<p>Late Release of Memory after Effective Lifetime > > vulnerability in Apache HTTP Server.</p><p>This issue affects Apache HTTP > > Server: from 2.4.17 up to 2.4.63.</p><p>Users are recommended to upgrade to > > version 2.4.64, which fixes the issue.</p>" > > + } > > + ], > > + "value": "Late Release of Memory after Effective Lifetime > > vulnerability in Apache HTTP Server.\n\nThis issue affects Apache HTTP > > Server: from 2.4.17 up to 2.4.63.\n\nUsers are recommended to upgrade to > > version 2.4.64, which fixes the issue." 
> > + } > > + ], > > + "metrics": [ > > + { > > + "other": { > > + "content": { > > + "text": "moderate" > > + }, > > + "type": "Textual description of severity" > > + } > > + } > > + ], > > + "problemTypes": [ > > + { > > + "descriptions": [ > > + { > > + "cweId": "CWE-401", > > + "description": "CWE-401 Missing Release of Memory after > > Effective Lifetime", > > + "lang": "en", > > + "type": "CWE" > > + } > > + ] > > + } > > + ], > > + "providerMetadata": { > > + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" > > + }, > > + "source": { > > + "discovery": "UNKNOWN" > > + }, > > + "timeline": [ > > + { > > + "lang": "en", > > + "time": "2025-06-18T09:19:00.000Z", > > + "value": "reported" > > + }, > > + { > > + "lang": "en", > > + "time": "2025-06-19T09:20:00.000Z", > > + "value": "fix developed" > > + }, > > + { > > + "lang": "eng", > > + "time": "2025-07-10", > > + "value": "2.4.64 released" > > + } > > + ], > > + "title": "Apache HTTP Server: HTTP/2 DoS by Memory Increase", > > + "x_generator": { > > + "engine": "Vulnogram 0.2.0" > > + } > > + } > > + }, > > + "cveMetadata": { > > + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", > > + "cveId": "CVE-2025-53020", > > + "serial": 1, > > + "state": "PUBLISHED" > > + }, > > + "dataType": "CVE_RECORD", > > + "dataVersion": "5.1" > > +} > > > > > -- > Eric Covener > cove...@gmail.com
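Review bot: In content/security/json/CVE-2024-42516.json the "timeline" entries mix "lang": "en" (the "reported" entry) with "lang": "eng" (the "2.4.64 released" entry); the same en/eng mix is repeated in every record added by this commit, so a single pass over the eight files to normalise on "en" would be worthwhile. The description also has a doubled verb, "allows an attacker who can manipulate the Content-Type response headers ... can split the HTTP response"; suggest "allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response" in both the supportingMedia HTML and the plain "value".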
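Review bot: content/security/json/CVE-2024-43204.json declares "dataVersion": "5.0" while the other seven records in this commit declare "5.1"; if the file was generated against the older schema it should be regenerated so the whole directory validates against one version. Unlike CVE-2024-42516, CVE-2024-47252 and CVE-2025-23048, this record also carries no "references" entry for the vendor advisory (https://httpd.apache.org/security/vulnerabilities_24.html), and both description strings end with a trailing space after "fixes this issue. ".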
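Review bot: The supportingMedia HTML in content/security/json/CVE-2024-43394.json contains rich-text editor residue that should be stripped before publishing: an empty leading `<p></p>` and an inline `<span style="background-color: rgb(255, 255, 255);">` wrapping the "Note:" paragraph; the plain "value" field already carries the same text without it. The sentence "allows to potentially leak NTLM hashes" is also missing its subject; suggest "can leak NTLM hashes to a malicious server via mod_rewrite or Apache expressions that pass unvalidated request input".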
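Review bot: In content/security/json/CVE-2024-47252.json the affected block has "version": "2.4" under "versionType": "semver", which is not a parseable semver string; every other record in this commit uses a three-component value such as "2.4.0", so this one should too. The title "mod_ssl error log variable escaping" also does not match the description, which is about CustomLog with "%{varname}x" / "%{varname}c" handled by mod_log_config, i.e. the access log; suggest "mod_ssl access log variable escaping" (or "log variable escaping") unless the error log is affected as well.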
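Review bot: The affected range and the description disagree in content/security/json/CVE-2025-23048.json: the "versions" entry is "version": "2.4.35" with "lessThanOrEqual": "2.4.63", but both description strings say "2.4.35 through to 2.4.62". Given the timeline records the fix as shipping in 2.4.64, the description is the one that looks stale; suggest changing "through to 2.4.62" to "through to 2.4.63" in the supportingMedia HTML and in "value".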
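Review bot: The second sentence of the description in content/security/json/CVE-2025-49630.json is ungrammatical: "Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on"." Suggest "Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on"." The supportingMedia HTML also ends with a stray `<br>`, and this is the only record in the commit that omits the "Users are recommended to upgrade to version 2.4.64" sentence that the other descriptions carry.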
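Review bot: content/security/json/CVE-2025-49812.json uses "version": "0" with "versionType": "semver", which is not a parseable semver value; the other records in this commit give the first affected release (for example "2.4.0"). Since the description says "versions through to 2.4.63", either use "2.4.0" here to express the whole 2.4 line, or switch versionType to something the "0" convention is valid under.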
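Review bot: The description in content/security/json/CVE-2025-53020.json does not state the affected component or trigger, while the title "HTTP/2 DoS by Memory Increase" does: neither description string mentions HTTP/2, mod_http2, or what an untrusted client has to send, so readers of the CVE text alone cannot tell whether a server without HTTP/2 enabled is exposed. Suggest adding a sentence naming the module and the condition. The description's "Late Release of Memory after Effective Lifetime" also diverges from the problemTypes entry, whose CWE-401 text reads "Missing Release of Memory after Effective Lifetime"; the two should use the same wording.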
-- Eric Covener cove...@gmail.com