(7 votes, average: 5.00 out of 5)
Loading...
The Apache Software Foundation has made public several critical vulnerabilities in the Apache HTTP Server that could have a devastating impact, leaving millions of websites vulnerable to hacking attempts.
Apache HTTP Server web server – A popular choice for millions of websites worldwide. The risks caused by these vulnerabilities are considerable since Apache HTTP Server is widely used in various businesses, including e-commerce, banking, and government.
Different versions of the Apache HTTP Server are impacted by these vulnerabilities, which can be identified by their Common Vulnerabilities and Exposures (CVE) numbers. They could lead to severe outcomes such as denial of service (DoS), exposure of source code, and server-side request forgery (SSRF).
Moreover, these security flaws are particularly concerning as they could expose numerous websites to ransomware, service outages, data leaks, unauthorized access to confidential data, and other cyberattacks.
Summary: Using mod_rewrite in the server/vhost context, Apache HTTP Server on Windows has a Server-Side Request Forgery (SSRF) vulnerability.
Effect: Could send NTLM hashes to a malicious server through manipulated requests and SSRF attacks.
Summary: An Apache HTTP Server 2.4.60 regression ignored specific applications of outdated content-type-based handler configurations.0
Effect: If files are indirectly requested, this can result in the disclosure of local source code.
Summary: In Apache HTTP Server 2.4.61, a partial solution for CVE-2024-39884 disregarded specific applications of outdated content-type-based handler configurations.
Effect: Configurations such as “AddType” might result in disclosing local source code when files are accessed indirectly in specific scenarios.
Summary: Windows computers are vulnerable to Server-Side Request Forgery (SSRF).
Effect: Sensitive NTLM hashes could be exposed.
Summary: Using HTTP/2 to serve WebSocket protocol improvements.
Effect: A Null Pointer dereference could come from this, which would crash the service and reduce performance.
Summary: A bug related to substitution encoding in mod_rewrite for Apache HTTP Server versions 2.4.59 and earlier.
Effect: Enables scripts intended for CGI execution to be disclosed.
Summary: In Apache HTTP Server version 2.4.59, mod_proxy contains a null pointer dereference.
Effect: Permits the server to be crashed by an attacker using a malicious request.
Summary: Apache HTTP Server’s HTTP Response splitting among several modules
Effect: This allows for the potential for HTTP desynchronization attacks by allowing attackers to insert malicious response headers into backend apps.
Summary: Some configurations of mod_proxy on Apache HTTP Server 2.4.0 through 2.4.55 cause HTTP Request Splitting.
Effect: Cache poisoning and access control bypass are possible because of this HTTP Request Smuggling attack.
Summary: A malicious request to a lua script that calls r:parsebody(0) in Apache HTTP Server 2.4.53 and earlier.
Effect: this may result in a denial of service since there is no default restriction on the input size that can be sent.
Summary: An HTTP Request Smuggling Vulnerability in Apache HTTP Server’s mod_proxy_ajp
Effect: Permits requests to be smuggled to the AJP server to which it sends requests.
These vulnerabilities are even worse because the Apache HTTP Server is widely used. Numerous websites and applications, from small companies to major corporations, depend on this software to fuel their online presence.
There is a considerable possibility for exploitation, and there could potentially be significant consequences. Cybercriminals might use these security vulnerabilities to hack into networks, gain confidential information, alter websites, or even instigate ransomware operations.
It is highly recommended by the Apache Software Foundation that all users update to version 2.4.62 right away. This update fixes vulnerabilities and offers a crucial defense against intrusions. Avoiding the update might open web servers to hazardous vulnerabilities in security.
Prevent your website, applications, and software from critical vulnerabilities and cyber-attacks with Our Professional Cyber Security Services.