pkg:Bitnami/apache

82 total CVEs: CRITICAL 19, HIGH 42, MEDIUM 21

All known vulnerabilities

  • CRITICAL 9.8 | CVE-2021-42013 | ⚠ KEV | Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
    >= 2.4.49, < 2.4.50, >= 2.4.50, < 2.4.51
  • CRITICAL 9.8 | CVE-2021-41773 | ⚠ KEV | Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
    >= 2.4.49, < 2.4.50
  • CRITICAL 9.1 | CVE-2024-38475 | ⚠ KEV | Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.
    >= 2.4.0, < 2.4.60
  • CRITICAL 9.0 | CVE-2021-40438 | ⚠ KEV | mod_proxy SSRF
    from 0, < 2.4.49
  • CRITICAL 9.8 | CVE-2026-28780 | Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
    from 0, < 2.4.67
  • CRITICAL 9.8 | CVE-2024-38476 | Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
    >= 2.4.0, < 2.4.60
  • CRITICAL 9.8 | CVE-2024-38474 | Apache HTTP Server weakness with encoded question marks in backreferences
    >= 2.4.0, < 2.4.60
  • CRITICAL 9.8 | CVE-2023-25690 | Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy
    >= 2.4.0, < 2.4.56
  • CRITICAL 9.8 | CVE-2022-31813 | mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
    from 0, < 2.4.54
  • CRITICAL 9.8 | CVE-2022-23943 | mod_sed: Read/write beyond bounds
    from 0, < 2.4.53
  • CRITICAL 9.8 | CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
    from 0, < 2.4.53
  • CRITICAL 9.8 | CVE-2021-44790 | Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier
    from 0, < 2.4.52
  • CRITICAL 9.8 | CVE-2021-39275 | ap_escape_quotes buffer overflow
    from 0, < 2.4.49
  • CRITICAL 9.8 | CVE-2021-26691 | Apache HTTP Server mod_session response handling heap overflow
    >= 2.4.0, < 2.4.47
  • CRITICAL 9.8 | CVE-2020-11984 | apache2 - security update
    >= 2.4.32, < 2.4.44
  • CRITICAL 9.1 | CVE-2025-23048 | Apache HTTP Server: mod_ssl access control bypass with session resumption
    >= 2.4.35, < 2.4.64
  • CRITICAL 9.1 | CVE-2022-28615 | Read beyond bounds in ap_strcmp_match()
    from 0, < 2.4.54
  • CRITICAL 9.1 | CVE-2022-22721 | core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
    from 0, < 2.4.53
  • CRITICAL 9.0 | CVE-2022-36760 | Apache HTTP Server: mod_proxy_ajp Possible request smuggling
    >= 2.4.0, < 2.4.55
  • HIGH 8.8 | CVE-2026-23918 | Apache HTTP Server: http2: double free and possible RCE on early reset
    >= 2.4.66, < 2.4.67
  • HIGH 8.8 | CVE-2026-24072 | Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr
    from 0, < 2.4.67
  • HIGH 8.3 | CVE-2025-58098 | Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...
    from 0, < 2.4.66
  • HIGH 8.2 | CVE-2021-44224 | Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
    >= 2.4.7, < 2.4.52
  • HIGH 8.1 | CVE-2024-38473 | Apache HTTP Server proxy encoding problem
    >= 2.4.0, < 2.4.60
  • HIGH 7.5 | CVE-2026-29169 | Apache HTTP Server: mod_dav_lock indirect lock crash
    from 0, < 2.4.67
  • HIGH 7.5 | CVE-2026-34059 | Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()
    from 0, < 2.4.67
  • HIGH 7.5 | CVE-2025-59775 | Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF
    >= 2.4.0, < 2.4.66
  • HIGH 7.5 | CVE-2025-55753 | Apache HTTP Server: mod_md (ACME), unintended retry intervals
    >= 2.4.30, < 2.4.66
  • HIGH 7.5 | CVE-2025-53020 | Apache HTTP Server: HTTP/2 DoS by Memory Increase
    >= 2.4.17, < 2.4.64
  • HIGH 7.5 | CVE-2025-49630 | Apache HTTP Server: mod_proxy_http2 denial of service
    >= 2.4.26, < 2.4.64
  • HIGH 7.5 | CVE-2024-47252 | Apache HTTP Server: mod_ssl error log variable escaping
    >= 2.4.0, < 2.4.64
  • HIGH 7.5 | CVE-2024-43394 | Apache HTTP Server: SSRF on Windows due to UNC paths
    >= 2.4.0, < 2.4.64
  • HIGH 7.5 | CVE-2024-43204 | Apache HTTP Server: SSRF with mod_headers setting Content-Type header
    >= 2.4.0, < 2.4.64
  • HIGH 7.5 | CVE-2024-42516 | Apache HTTP Server: HTTP response splitting
    >= 2.4.0, < 2.4.64
  • HIGH 7.5 | CVE-2025-3891 | libapache2-mod-auth-openidc - security update
  • HIGH 7.5 | CVE-2024-40898 | Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows
    >= 2.4.0, < 2.4.62
  • HIGH 7.5 | CVE-2024-39573 | Apache HTTP Server: mod_rewrite proxy handler substitution
    >= 2.4.0, < 2.4.60
  • HIGH 7.5 | CVE-2024-38477 | Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
    >= 2.4.0, < 2.4.60
  • HIGH 7.5 | CVE-2024-38472 | SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or conte…
    >= 2.4.0, < 2.4.60
  • HIGH 7.5 | CVE-2024-27316 | Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
    >= 2.4.17, < 2.4.59
  • HIGH 7.5 | CVE-2023-43622 | Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
    >= 2.4.55, < 2.4.58
  • HIGH 7.5 | CVE-2023-31122 | Apache HTTP Server: mod_macro buffer over-read
    from 0, < 2.4.58
  • HIGH 7.5 | CVE-2023-27522 | Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting
    >= 2.4.30, < 2.4.56
  • HIGH 7.5 | CVE-2022-30556 | Information Disclosure in mod_lua with websockets
    from 0, < 2.4.54
  • HIGH 7.5 | CVE-2022-30522 | mod_sed denial of service
    >= 2.4.53, < 2.4.54
  • HIGH 7.5 | CVE-2022-29404 | Denial of service in mod_lua r:parsebody
    from 0, < 2.4.54
  • HIGH 7.5 | CVE-2022-26377 | mod_proxy_ajp: Possible request smuggling
    from 0, < 2.4.54
  • HIGH 7.5 | CVE-2022-22719 | mod_lua Use of uninitialized value of in r:parsebody
    from 0, < 2.4.53
  • HIGH 7.5 | CVE-2021-41524 | null pointer dereference in h2 fuzzing
    >= 2.4.49, < 2.4.50
  • HIGH 7.5 | CVE-2021-36160 | mod_proxy_uwsgi out of bound read
    >= 2.4.30, < 2.4.49
  • HIGH 7.5 | CVE-2021-34798 | NULL pointer dereference in httpd core
    from 0, < 2.4.49
  • HIGH 7.5 | CVE-2021-33193 | Request splitting via HTTP/2 method injection and mod_proxy
    >= 2.4.17, < 2.4.49
  • HIGH 7.5 | CVE-2021-31618 | NULL pointer dereference on specially crafted HTTP/2 request
    >= 1.15.17, < 1.15.18, >= 2.4.47, < 2.4.48
  • HIGH 7.5 | CVE-2021-26690 | mod_session NULL pointer dereference
    >= 2.4.0, < 2.4.47
  • HIGH 7.5 | CVE-2020-13950 | mod_proxy_http NULL pointer dereference
    >= 2.4.41, < 2.4.47
  • HIGH 7.5 | CVE-2020-9490 | Apache HTTP Server versions 2.4.20 to 2.4.43.
    >= 2.4.20, < 2.4.46
  • HIGH 7.5 | CVE-2020-11993 | Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, loggi…
    >= 2.4.20, < 2.4.44
  • HIGH 7.4 | CVE-2025-49812 | Apache HTTP Server: mod_ssl TLS upgrade attack
    from 0, < 2.4.64
  • HIGH 7.3 | CVE-2026-29168 | Apache HTTP Server: mod_md unrestricted OCSP response
    >= 2.4.30, < 2.4.67
  • HIGH 7.3 | CVE-2023-38709 | Apache HTTP Server: HTTP response splitting
    from 0, < 2.4.59
  • HIGH 7.3 | CVE-2020-35452 | mod_auth_digest possible stack overflow by one nul byte
    >= 2.4.0, < 2.4.47
  • MEDIUM 6.5 | CVE-2026-33523 | Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line
    >= 2.4.0, < 2.4.67
  • MEDIUM 6.5 | CVE-2025-65082 | Apache HTTP Server: CGI environment variable override
    >= 2.4.0, < 2.4.66
  • MEDIUM 6.3 | CVE-2025-54090 | Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64
    >= 2.4.64, < 2.4.65
  • MEDIUM 6.3 | CVE-2024-24795 | Apache HTTP Server: HTTP Response Splitting in multiple modules
    >= 2.4.0, < 2.4.59
  • MEDIUM 6.2 | CVE-2024-39884 | Apache HTTP Server: source code disclosure with handlers configured via AddType
    >= 2.4.60, < 2.4.61
  • MEDIUM 6.1 | CVE-2020-1927 | apache2 - security update
    >= 2.4.0, < 2.4.42
  • MEDIUM 5.9 | CVE-2023-45802 | Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
    >= 2.4.17, < 2.4.58
  • MEDIUM 5.5 | CVE-2020-13938 | Improper Handling of Insufficient Privileges
    >= 2.4.0, < 2.4.47
  • MEDIUM 5.4 | CVE-2025-66200 | Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo
    >= 2.4.7, < 2.4.66
  • MEDIUM 5.4 | CVE-2024-36387 | Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2
    >= 2.4.55, < 2.4.60
  • MEDIUM 5.3 | CVE-2026-33007 | Apache HTTP Server: mod_authn_socache crash
    >= 2.4.0, < 2.4.67
  • MEDIUM 5.3 | CVE-2026-34032 | Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
    from 0, < 2.4.67
  • MEDIUM 5.3 | CVE-2026-33857 | Apache HTTP Server: Off-by-one OOB reads in AJP getter functions
    from 0, < 2.4.67
  • MEDIUM 5.3 | CVE-2024-40725 | Apache HTTP Server: source code disclosure with handlers configured via AddType
    >= 2.4.60, < 2.4.62
  • MEDIUM 5.3 | CVE-2022-37436 | Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
    from 0, < 2.4.55
  • MEDIUM 5.3 | CVE-2022-28614 | read beyond bounds via ap_rwrite()
    from 0, < 2.4.54
  • MEDIUM 5.3 | CVE-2022-28330 | read beyond bounds in mod_isapi
    from 0, < 2.4.54
  • MEDIUM 5.3 | CVE-2021-30641 | Unexpected URL matching with 'MergeSlashes OFF'
    >= 2.4.39, < 2.4.47
  • MEDIUM 5.3 | CVE-2020-11985 | IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_re…
    >= 2.4.1, < 2.4.24
  • MEDIUM 5.3 | CVE-2020-1934 | In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
    >= 2.4.0, < 2.4.42
  • MEDIUM 4.8 | CVE-2026-33006 | Apache HTTP Server: mod_auth_digest timing attack
    from 0, < 2.4.67