Filtered by vendor Apache Subscriptions
Total 2588 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2006-4110 1 Apache 1 Http Server 2025-04-03 N/A
Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters that bypass the case-sensitive ScriptAlias directive, but allow access to the file on case-insensitive file systems.
CVE-2001-0729 1 Apache 1 Http Server 2025-04-03 N/A
Apache 1.3.20 on Windows servers allows remote attackers to bypass the default index page and list directory contents via a URL with a large number of / (slash) characters.
CVE-2004-1834 2 Apache, Redhat 2 Http Server, Enterprise Linux 2025-04-03 N/A
mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow local users to gain sensitive information.
CVE-2002-1567 1 Apache 1 Tomcat 2025-04-03 N/A
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1 allows remote attackers to execute arbitrary web script and steal cookies via a URL with encoded newlines followed by a request to a .jsp file whose name contains the script.
CVE-2002-0654 1 Apache 1 Http Server 2025-04-03 N/A
Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to determine the full pathname of the server via (1) a request for a .var file, which leaks the pathname in the resulting error message, or (2) via an error message that occurs when a script (child process) cannot be invoked.
CVE-2001-1342 1 Apache 1 Http Server 2025-04-03 N/A
Apache before 1.3.20 on Windows and OS/2 systems allows remote attackers to cause a denial of service (GPF) via an HTTP request for a URI that contains a large number of / (slash) or other characters, which causes certain functions to dereference a null pointer.
CVE-2001-0925 2 Apache, Debian 2 Http Server, Debian Linux 2025-04-03 N/A
The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex.
CVE-2001-0766 2 Apache, Apple 2 Http Server, Mac Os X 2025-04-03 9.8 Critical
Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.
CVE-2000-1210 1 Apache 1 Tomcat 2025-04-03 N/A
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
CVE-2000-0760 1 Apache 1 Tomcat 2025-04-03 N/A
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
CVE-1999-1237 1 Apache 1 Http Server 2025-04-03 N/A
Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.
CVE-2005-0508 1 Apache 1 Batik 2025-04-03 N/A
Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue."
CVE-2006-3835 2 Apache, Redhat 4 Tomcat, Certificate System, Network Satellite and 1 more 2025-04-03 N/A
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.
CVE-2004-1575 1 Apache 1 Xerces-c\+\+ 2025-04-03 N/A
The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a denial of service (CPU consumption) via XML attributes in a crafted XML document.
CVE-2004-0747 2 Apache, Redhat 2 Http Server, Enterprise Linux 2025-04-03 7.8 High
Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.
CVE-2002-0061 1 Apache 1 Http Server 2025-04-03 N/A
Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.
CVE-2005-4838 2 Apache, Redhat 3 Tomcat, Network Satellite, Rhel Application Server 2025-04-03 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
CVE-2004-0263 2 Apache, Ibm 2 Http Server, Http Server 2025-04-03 N/A
PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information.
CVE-2001-0829 1 Apache 1 Tomcat 2025-04-03 N/A
A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message.
CVE-2000-1205 1 Apache 1 Http Server 2025-04-03 N/A
Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, discloser on 20070724, is one such variant.