The Rapid7 Vulnerability Database is a list of 70,000 vulnerabilities for security analyst and researchers to identify and address known security issues through vulnerability management solutions. Each vulnerability has links to relevant groups like Mitre and other CVE Numbering Authorities as well as additional technical documentation. These vulnerabilities are utilized by our vulnerability management tool Nexpose and provided here for additional visibility.
Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw()...
The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_mime. Review your web server configuration for validation. mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. A patch for 2.2.32 is available at https://www.apache.org/di...
The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_ssl. Review your web server configuration for validation. mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. A patch for 2.2.32 is availab...
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value....
The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_http2. Review your web server configuration for validation. A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directl...
Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b...
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From SUSE_CVE-2017-2587:
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur...
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From SUSE_CVE-2017-2586:
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur...
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From SUSE_CVE-2017-2624:
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur...
