usn-8338-1
Vulnerability from osv_ubuntu
Published
2026-05-28 14:51
Modified
2026-05-28 14:51
Summary
apache2 vulnerabilities
Details

It was discovered that Apache HTTP Server incorrectly handled certain response headers. An attacker could possibly use this issue to perform HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2023-38709)

Will Dormann and David Warren discovered that Apache HTTP Server's HTTP/2 implementation did not properly reclaim memory when streams were reset by clients. A remote attacker could possibly use this issue to cause Apache HTTP Server to consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2023-45802)

Keran Mu and Jianjun Chen discovered that Apache HTTP Server incorrectly handled certain response headers. An attacker could possibly use this issue to perform HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-24795)

Orange Tsai discovered that Apache HTTP Server mod_proxy incorrectly handled URL encoding. A remote attacker could possibly use this issue to bypass authentication via crafted requests. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-38473)

Orange Tsai discovered that Apache HTTP Server could be caused to perform server-side request forgery (SSRF) via malicious backend response headers. A remote attacker could possibly use this issue to conduct SSRF attacks or disclose sensitive information. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-38476)

Orange Tsai discovered that Apache HTTP Server mod_proxy did not properly handle certain null pointer conditions. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-38477)

Orange Tsai discovered that Apache HTTP Server mod_rewrite could be made to perform server-side request forgery (SSRF) via unsafe RewriteRules. A remote attacker could possibly use this issue to conduct SSRF attacks. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39573)

It was discovered that Apache HTTP Server incorrectly handled certain response headers. An attacker could possibly use this issue to perform HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-42516)

It was discovered that Apache HTTP Server could be caused to perform server-side request forgery (SSRF) via mod_headers modifying Content-Type headers. A remote attacker could possibly use this issue to conduct SSRF attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-43204)

John Runyon discovered that Apache HTTP Server mod_ssl did not properly escape user-supplied data before writing log entries. A remote attacker could possibly use this issue to insert escape sequences into log files. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-47252)

Robert Merget discovered that Apache HTTP Server with SSLEngine optional was vulnerable to HTTP desynchronisation attacks. An attacker in a privileged network position could possibly use this issue to hijack HTTP sessions. This issue only affected Ubuntu 14.04 LTS. (CVE-2025-49812)

It was discovered that Apache HTTP Server mod_md had an integer overflow in the ACME certificate renewal backoff timer. An attacker could possibly use this issue to cause excessive certificate renewal requests. This issue only affected Ubuntu 20.04 LTS. (CVE-2025-55753)

Anthony Parfenov discovered that Apache HTTP Server with SSI enabled and mod_cgid passed shell-escaped query strings to #exec cmd directives. A remote attacker could possibly use this issue to perform command injection. (CVE-2025-58098)

Mattias Åsander discovered that Apache HTTP Server incorrectly gave precedence to environment variables from HTTP headers over server-calculated CGI variables. A remote attacker could possibly use this issue to influence the environment of CGI programs. (CVE-2025-65082)

Mattias Åsander discovered that Apache HTTP Server mod_userdir with suexec could be caused to run CGI scripts under an unexpected user ID via RequestHeader directives in .htaccess files. An attacker with .htaccess write access could possibly use this issue to bypass suexec user restrictions. (CVE-2025-66200)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2023-38709",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-24795",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-38476",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-38477",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-39573",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-42516",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-43204",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-47252",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-49812",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-58098",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-65082",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-66200",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:14.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "apache2",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-bin",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-data",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-mpm-event",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-mpm-itk",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-mpm-prefork",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-mpm-worker",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-suexec",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-suexec-custom",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-suexec-pristine",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2-utils",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "apache2.2-bin",
            "binary_version": "2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "libapache2-mod-macro",
            "binary_version": "1:2.4.7-1ubuntu4.22+esm12"
          },
          {
            "binary_name": "libapache2-mod-proxy-html",
            "binary_version": "1:2.4.7-1ubuntu4.22+esm12"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:14.04:LTS",
        "name": "apache2",
        "purl": "pkg:deb/ubuntu/apache2@2.4.7-1ubuntu4.22+esm12?arch=source\u0026distro=esm-infra-legacy/trusty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.7-1ubuntu4.22+esm12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.4.6-2ubuntu2",
        "2.4.6-2ubuntu3",
        "2.4.6-2ubuntu4",
        "2.4.7-1ubuntu1",
        "2.4.7-1ubuntu2",
        "2.4.7-1ubuntu3",
        "2.4.7-1ubuntu4",
        "2.4.7-1ubuntu4.1",
        "2.4.7-1ubuntu4.4",
        "2.4.7-1ubuntu4.5",
        "2.4.7-1ubuntu4.6",
        "2.4.7-1ubuntu4.7",
        "2.4.7-1ubuntu4.8",
        "2.4.7-1ubuntu4.9",
        "2.4.7-1ubuntu4.10",
        "2.4.7-1ubuntu4.11",
        "2.4.7-1ubuntu4.13",
        "2.4.7-1ubuntu4.15",
        "2.4.7-1ubuntu4.16",
        "2.4.7-1ubuntu4.17",
        "2.4.7-1ubuntu4.18",
        "2.4.7-1ubuntu4.19",
        "2.4.7-1ubuntu4.20",
        "2.4.7-1ubuntu4.21",
        "2.4.7-1ubuntu4.22",
        "2.4.7-1ubuntu4.22+esm1",
        "2.4.7-1ubuntu4.22+esm2",
        "2.4.7-1ubuntu4.22+esm3",
        "2.4.7-1ubuntu4.22+esm4",
        "2.4.7-1ubuntu4.22+esm5",
        "2.4.7-1ubuntu4.22+esm6",
        "2.4.7-1ubuntu4.22+esm8",
        "2.4.7-1ubuntu4.22+esm9",
        "2.4.7-1ubuntu4.22+esm10"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2024-38473",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-39573",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-58098",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-65082",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-66200",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:16.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "apache2",
            "binary_version": "2.4.18-2ubuntu3.17+esm17"
          },
          {
            "binary_name": "apache2-bin",
            "binary_version": "2.4.18-2ubuntu3.17+esm17"
          },
          {
            "binary_name": "apache2-data",
            "binary_version": "2.4.18-2ubuntu3.17+esm17"
          },
          {
            "binary_name": "apache2-suexec-custom",
            "binary_version": "2.4.18-2ubuntu3.17+esm17"
          },
          {
            "binary_name": "apache2-suexec-pristine",
            "binary_version": "2.4.18-2ubuntu3.17+esm17"
          },
          {
            "binary_name": "apache2-utils",
            "binary_version": "2.4.18-2ubuntu3.17+esm17"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:16.04:LTS",
        "name": "apache2",
        "purl": "pkg:deb/ubuntu/apache2@2.4.18-2ubuntu3.17+esm17?arch=source\u0026distro=esm-infra-legacy/xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.18-2ubuntu3.17+esm17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.4.12-2ubuntu2",
        "2.4.17-1ubuntu1",
        "2.4.17-2ubuntu1",
        "2.4.17-3ubuntu1",
        "2.4.18-1ubuntu1",
        "2.4.18-2ubuntu1",
        "2.4.18-2ubuntu2",
        "2.4.18-2ubuntu3",
        "2.4.18-2ubuntu3.1",
        "2.4.18-2ubuntu3.2",
        "2.4.18-2ubuntu3.3",
        "2.4.18-2ubuntu3.4",
        "2.4.18-2ubuntu3.5",
        "2.4.18-2ubuntu3.7",
        "2.4.18-2ubuntu3.8",
        "2.4.18-2ubuntu3.9",
        "2.4.18-2ubuntu3.10",
        "2.4.18-2ubuntu3.12",
        "2.4.18-2ubuntu3.13",
        "2.4.18-2ubuntu3.14",
        "2.4.18-2ubuntu3.15",
        "2.4.18-2ubuntu3.17",
        "2.4.18-2ubuntu3.17+esm1",
        "2.4.18-2ubuntu3.17+esm2",
        "2.4.18-2ubuntu3.17+esm3",
        "2.4.18-2ubuntu3.17+esm4",
        "2.4.18-2ubuntu3.17+esm5",
        "2.4.18-2ubuntu3.17+esm6",
        "2.4.18-2ubuntu3.17+esm7",
        "2.4.18-2ubuntu3.17+esm8",
        "2.4.18-2ubuntu3.17+esm9",
        "2.4.18-2ubuntu3.17+esm10",
        "2.4.18-2ubuntu3.17+esm11",
        "2.4.18-2ubuntu3.17+esm12",
        "2.4.18-2ubuntu3.17+esm13",
        "2.4.18-2ubuntu3.17+esm14",
        "2.4.18-2ubuntu3.17+esm16"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2023-45802",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-38473",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-39573",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-58098",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-65082",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-66200",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:18.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "apache2",
            "binary_version": "2.4.29-1ubuntu4.27+esm7"
          },
          {
            "binary_name": "apache2-bin",
            "binary_version": "2.4.29-1ubuntu4.27+esm7"
          },
          {
            "binary_name": "apache2-data",
            "binary_version": "2.4.29-1ubuntu4.27+esm7"
          },
          {
            "binary_name": "apache2-suexec-custom",
            "binary_version": "2.4.29-1ubuntu4.27+esm7"
          },
          {
            "binary_name": "apache2-suexec-pristine",
            "binary_version": "2.4.29-1ubuntu4.27+esm7"
          },
          {
            "binary_name": "apache2-utils",
            "binary_version": "2.4.29-1ubuntu4.27+esm7"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:18.04:LTS",
        "name": "apache2",
        "purl": "pkg:deb/ubuntu/apache2@2.4.29-1ubuntu4.27+esm7?arch=source\u0026distro=esm-infra/bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.29-1ubuntu4.27+esm7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.4.27-2ubuntu3",
        "2.4.29-1ubuntu1",
        "2.4.29-1ubuntu2",
        "2.4.29-1ubuntu3",
        "2.4.29-1ubuntu4",
        "2.4.29-1ubuntu4.1",
        "2.4.29-1ubuntu4.2",
        "2.4.29-1ubuntu4.3",
        "2.4.29-1ubuntu4.4",
        "2.4.29-1ubuntu4.5",
        "2.4.29-1ubuntu4.6",
        "2.4.29-1ubuntu4.7",
        "2.4.29-1ubuntu4.8",
        "2.4.29-1ubuntu4.10",
        "2.4.29-1ubuntu4.11",
        "2.4.29-1ubuntu4.12",
        "2.4.29-1ubuntu4.13",
        "2.4.29-1ubuntu4.14",
        "2.4.29-1ubuntu4.16",
        "2.4.29-1ubuntu4.17",
        "2.4.29-1ubuntu4.18",
        "2.4.29-1ubuntu4.19",
        "2.4.29-1ubuntu4.20",
        "2.4.29-1ubuntu4.21",
        "2.4.29-1ubuntu4.22",
        "2.4.29-1ubuntu4.23",
        "2.4.29-1ubuntu4.24",
        "2.4.29-1ubuntu4.25",
        "2.4.29-1ubuntu4.26",
        "2.4.29-1ubuntu4.27",
        "2.4.29-1ubuntu4.27+esm1",
        "2.4.29-1ubuntu4.27+esm2",
        "2.4.29-1ubuntu4.27+esm3",
        "2.4.29-1ubuntu4.27+esm4",
        "2.4.29-1ubuntu4.27+esm6"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2025-55753",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-58098",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-65082",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-66200",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:20.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "apache2",
            "binary_version": "2.4.41-4ubuntu3.23+esm3"
          },
          {
            "binary_name": "apache2-bin",
            "binary_version": "2.4.41-4ubuntu3.23+esm3"
          },
          {
            "binary_name": "apache2-data",
            "binary_version": "2.4.41-4ubuntu3.23+esm3"
          },
          {
            "binary_name": "apache2-suexec-custom",
            "binary_version": "2.4.41-4ubuntu3.23+esm3"
          },
          {
            "binary_name": "apache2-suexec-pristine",
            "binary_version": "2.4.41-4ubuntu3.23+esm3"
          },
          {
            "binary_name": "apache2-utils",
            "binary_version": "2.4.41-4ubuntu3.23+esm3"
          },
          {
            "binary_name": "libapache2-mod-md",
            "binary_version": "2.4.41-4ubuntu3.23+esm3"
          },
          {
            "binary_name": "libapache2-mod-proxy-uwsgi",
            "binary_version": "2.4.41-4ubuntu3.23+esm3"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:20.04:LTS",
        "name": "apache2",
        "purl": "pkg:deb/ubuntu/apache2@2.4.41-4ubuntu3.23+esm3?arch=source\u0026distro=esm-infra/focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.41-4ubuntu3.23+esm3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.4.41-1ubuntu1",
        "2.4.41-4ubuntu1",
        "2.4.41-4ubuntu2",
        "2.4.41-4ubuntu3",
        "2.4.41-4ubuntu3.1",
        "2.4.41-4ubuntu3.3",
        "2.4.41-4ubuntu3.4",
        "2.4.41-4ubuntu3.5",
        "2.4.41-4ubuntu3.6",
        "2.4.41-4ubuntu3.7",
        "2.4.41-4ubuntu3.8",
        "2.4.41-4ubuntu3.9",
        "2.4.41-4ubuntu3.10",
        "2.4.41-4ubuntu3.11",
        "2.4.41-4ubuntu3.12",
        "2.4.41-4ubuntu3.13",
        "2.4.41-4ubuntu3.14",
        "2.4.41-4ubuntu3.15",
        "2.4.41-4ubuntu3.16",
        "2.4.41-4ubuntu3.17",
        "2.4.41-4ubuntu3.19",
        "2.4.41-4ubuntu3.20",
        "2.4.41-4ubuntu3.21",
        "2.4.41-4ubuntu3.23",
        "2.4.41-4ubuntu3.23+esm2"
      ]
    }
  ],
  "aliases": [],
  "details": "It was discovered that Apache HTTP Server incorrectly handled certain\nresponse headers. An attacker could possibly use this issue to perform\nHTTP response splitting attacks. This issue only affected Ubuntu 14.04\nLTS. (CVE-2023-38709)\n\nWill Dormann and David Warren discovered that Apache HTTP Server\u0027s HTTP/2\nimplementation did not properly reclaim memory when streams were reset by\nclients. A remote attacker could possibly use this issue to cause Apache\nHTTP Server to consume resources, leading to a denial of service. This\nissue only affected Ubuntu 18.04 LTS. (CVE-2023-45802)\n\nKeran Mu and Jianjun Chen discovered that Apache HTTP Server incorrectly\nhandled certain response headers. An attacker could possibly use this issue\nto perform HTTP response splitting attacks. This issue only affected Ubuntu\n14.04 LTS. (CVE-2024-24795)\n\nOrange Tsai discovered that Apache HTTP Server mod_proxy incorrectly\nhandled URL encoding. A remote attacker could possibly use this issue to\nbypass authentication via crafted requests. This issue only affected\nUbuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-38473)\n\nOrange Tsai discovered that Apache HTTP Server could be caused to perform\nserver-side request forgery (SSRF) via malicious backend response headers.\nA remote attacker could possibly use this issue to conduct SSRF attacks or\ndisclose sensitive information. This issue only affected Ubuntu 14.04 LTS.\n(CVE-2024-38476)\n\nOrange Tsai discovered that Apache HTTP Server mod_proxy did not properly\nhandle certain null pointer conditions. A remote attacker could possibly use this\nissue to cause Apache HTTP Server to crash, resulting in a denial of\nservice. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-38477)\n\nOrange Tsai discovered that Apache HTTP Server mod_rewrite could be made\nto perform server-side request forgery (SSRF) via unsafe RewriteRules. A\nremote attacker could possibly use this issue to conduct SSRF attacks. This\nissue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39573)\n\nIt was discovered that Apache HTTP Server incorrectly handled certain\nresponse headers. An attacker could possibly use this issue to perform\nHTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS.\n(CVE-2024-42516)\n\nIt was discovered that Apache HTTP Server could be caused to perform\nserver-side request forgery (SSRF) via mod_headers modifying Content-Type\nheaders. A remote attacker could possibly use this issue to conduct SSRF\nattacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-43204)\n\nJohn Runyon discovered that Apache HTTP Server mod_ssl did not properly\nescape user-supplied data before writing log entries. A remote attacker\ncould possibly use this issue to insert escape sequences into log files.\nThis issue only affected Ubuntu 14.04 LTS. (CVE-2024-47252)\n\nRobert Merget discovered that Apache HTTP Server with SSLEngine optional was\nvulnerable to HTTP desynchronisation attacks. An attacker in a privileged\nnetwork position could possibly use this issue to hijack HTTP sessions. This issue\nonly affected Ubuntu 14.04 LTS. (CVE-2025-49812)\n\nIt was discovered that Apache HTTP Server mod_md had an integer overflow in\nthe ACME certificate renewal backoff timer. An attacker could possibly use\nthis issue to cause excessive certificate renewal requests. This issue only\naffected Ubuntu 20.04 LTS. (CVE-2025-55753)\n\nAnthony Parfenov discovered that Apache HTTP Server with SSI enabled and\nmod_cgid passed shell-escaped query strings to #exec cmd directives. A\nremote attacker could possibly use this issue to perform command injection.\n(CVE-2025-58098)\n\nMattias \u00c5sander discovered that Apache HTTP Server incorrectly gave\nprecedence to environment variables from HTTP headers over server-calculated\nCGI variables. A remote attacker could possibly use this issue to influence\nthe environment of CGI programs. (CVE-2025-65082)\n\nMattias \u00c5sander discovered that Apache HTTP Server mod_userdir with suexec\ncould be caused to run CGI scripts under an unexpected user ID via\nRequestHeader directives in .htaccess files. An attacker with .htaccess\nwrite access could possibly use this issue to bypass suexec user restrictions.\n(CVE-2025-66200)",
  "id": "USN-8338-1",
  "modified": "2026-05-28T14:51:58Z",
  "published": "2026-05-28T14:51:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8338-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2023-38709"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2023-45802"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-24795"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-38473"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-38476"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-38477"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-39573"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-42516"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-43204"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-47252"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-49812"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-55753"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-58098"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-65082"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-66200"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "apache2 vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2023-38709",
    "UBUNTU-CVE-2023-45802",
    "UBUNTU-CVE-2024-24795",
    "UBUNTU-CVE-2024-38473",
    "UBUNTU-CVE-2024-38476",
    "UBUNTU-CVE-2024-38477",
    "UBUNTU-CVE-2024-39573",
    "UBUNTU-CVE-2024-42516",
    "UBUNTU-CVE-2024-43204",
    "UBUNTU-CVE-2024-47252",
    "UBUNTU-CVE-2025-49812",
    "UBUNTU-CVE-2025-55753",
    "UBUNTU-CVE-2025-58098",
    "UBUNTU-CVE-2025-65082",
    "UBUNTU-CVE-2025-66200"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…