ALT-PU-2026-7158-3

BDU:2026-06305

HIGH8.8

Уязвимость реализации протокола HTTP/2 веб-сервера Apache HTTP Server, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Published: 2026-05-05Modified: 2026-05-06

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.0

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C

References

CVE-2026-23918

BDU:2026-06308

MEDIUM4.8

Уязвимость модуля mod_auth_digest веб-сервера Apache HTTP Server, позволяющая нарушителю обойти ограничения безопасности

Published: 2026-05-05

CVSS 3.xMEDIUM 4.8

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N

References

CVE-2026-33006

BDU:2026-06309

HIGH7.5

Уязвимость модуля mod_dav_lock веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-05-05

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2026-29169

BDU:2026-06310

MEDIUM6.5

Уязвимость веб-сервера Apache HTTP Server, связанная с разделением HTTP-запросов, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

Published: 2026-05-05

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2026-33523

BDU:2026-06311

MEDIUM5.3

Уязвимость модуля mod_authn_socache веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-05-06

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

References

CVE-2026-33007

BDU:2026-06349

MEDIUM5.3

Уязвимость функции ajp_msg_get_string() веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-05-06

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2026-34032

BDU:2026-06352

MEDIUM5.3

Уязвимость функции mod_proxy_ajp() веб-сервера Apache HTTP Server, позволяющая нарушителю раскрыть конфиденциальную информацию

Published: 2026-05-06

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2026-33857

BDU:2026-06354

HIGH8.8

Уязвимость веб-сервера Apache HTTP Server, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии

Published: 2026-05-06

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.0

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C

References

CVE-2026-24072

CVE-2026-23918

HIGH8.8

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Published: 2026-05-04Modified: 2026-05-04

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2026-24072

HIGH8.8

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Published: 2026-05-04Modified: 2026-05-04

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2026-28780

NONE

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Published: 2026-05-05Modified: 2026-05-05

References

CVE-2026-29168

HIGH7.3

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Published: 2026-05-05Modified: 2026-05-05

CVSS 3.xHIGH 7.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

CVE-2026-29169

HIGH7.5

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

Published: 2026-05-04Modified: 2026-05-05

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2026-33006

MEDIUM4.8

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Published: 2026-05-04Modified: 2026-05-04

CVSS 3.xMEDIUM 4.8

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

CVE-2026-33007

MEDIUM5.3

A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Published: 2026-05-04Modified: 2026-05-04

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

CVE-2026-33523

MEDIUM6.5

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Published: 2026-05-04Modified: 2026-05-04

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

CVE-2026-33857

MEDIUM5.3

Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Published: 2026-05-04Modified: 2026-05-04

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

CVE-2026-34032

MEDIUM5.3

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Published: 2026-05-04Modified: 2026-05-04

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

CVE-2026-34059

HIGH7.5

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Published: 2026-05-04Modified: 2026-05-04

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Package update apache2 in branch c10f2

Closed issues (19)

Уязвимость реализации протокола HTTP/2 веб-сервера Apache HTTP Server, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Уязвимость модуля mod_auth_digest веб-сервера Apache HTTP Server, позволяющая нарушителю обойти ограничения безопасности

Уязвимость модуля mod_dav_lock веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость модуля mod_authn_socache веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции ajp_msg_get_string() веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции mod_proxy_ajp() веб-сервера Apache HTTP Server, позволяющая нарушителю раскрыть конфиденциальную информацию

Уязвимость веб-сервера Apache HTTP Server, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.