
(httpd-site) branch main updated: publishing release httpd-2.4.59
This is an automated email from the ASF dual-hosted git repository.

covener pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git


The following commit(s) were added to refs/heads/main by this push:
new ba65eb6 publishing release httpd-2.4.59
ba65eb6 is described below

commit ba65eb6fbb4a08b0d696ac39877b62a849fffbe2
Author: Eric Covener <ecovener@us.ibm.com>
AuthorDate: Thu Apr 4 09:52:55 2024 -0400

publishing release httpd-2.4.59
---
content/doap.rdf | 4 +-
content/download.md | 24 +++----
content/index.md | 6 +-
content/security/json/CVE-2023-38709.json | 101 ++++++++++++++++++++++++++++++
content/security/json/CVE-2024-24795.json | 96 ++++++++++++++++++++++++++++
content/security/json/CVE-2024-27316.json | 93 +++++++++++++++++++++++++++
6 files changed, 307 insertions(+), 17 deletions(-)

diff --git a/content/doap.rdf b/content/doap.rdf
index abbd202..d477be0 100644
--- a/content/doap.rdf
+++ b/content/doap.rdf
@@ -38,8 +38,8 @@
<release>
<Version>
<name>Recommended current 2.4 release</name>
- <created>2023-10-19</created>
- <revision>2.4.58</revision>
+ <created>2024-04-04</created>
+ <revision>2.4.59</revision>
</Version>
</release>
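Review bot: the `<created>` date 2024-04-04 and `<revision>` 2.4.59 in this hunk agree with the commit's AuthorDate and with the dates and versions substituted in the download.md and index.md hunks of the same push, so the three release descriptors stay in sync; no change needed here beyond confirming that this DOAP entry is meant to track only the recommended current 2.4 release rather than accumulate one `<release>` element per version.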

diff --git a/content/download.md b/content/download.md
index 8464f89..268173d 100644
--- a/content/download.md
+++ b/content/download.md
@@ -19,16 +19,16 @@ Apache httpd for Microsoft Windows is available from

Stable Release - Latest Version:

-- [2.4.58](#apache24) (released 2023-10-19)
+- [2.4.59](#apache24) (released 2024-04-04)

If you are downloading the Win32 distribution, please read these [important
notes]([preferred]httpd/binaries/win32/README.html).

-# Apache HTTP Server 2.4.58 (httpd): 2.4.58 is the latest available version <span>2023-10-19</span> {#apache24}
+# Apache HTTP Server 2.4.59 (httpd): 2.4.59 is the latest available version <span>2024-04-04</span> {#apache24}

The Apache HTTP Server Project is pleased to
[announce](//downloads.apache.org/httpd/Announcement2.4.txt) the
-release of version 2.4.58 of the Apache HTTP Server ("Apache" and "httpd").
+release of version 2.4.59 of the Apache HTTP Server ("Apache" and "httpd").
This version of Apache is our latest GA release of the new generation 2.4.x
branch of Apache HTTPD and represents fifteen years of innovation by the
project, and is recommended over all previous releases!
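Review bot: the unchanged context closing this hunk still says 2.4.x "represents fifteen years of innovation by the project" and calls it "the new generation"; a fixed number like that ages with every release and is carried forward unchanged each time these lines are regenerated, so it should either be dropped or reworded without a year count in the same release-publishing edit. The substitutions themselves (2.4.58 / 2023-10-19 to 2.4.59 / 2024-04-04 in the list item, the `{#apache24}` heading and the announce sentence) are consistent with the doap.rdf and index.md hunks.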
@@ -36,17 +36,17 @@ project, and is recommended over all previous releases!
For details, see the [Official
Announcement](//downloads.apache.org/httpd/Announcement2.4.html) and
the [CHANGES_2.4]([preferred]httpd/CHANGES_2.4) and
-[CHANGES_2.4.58]([preferred]httpd/CHANGES_2.4.58) lists.
+[CHANGES_2.4.59]([preferred]httpd/CHANGES_2.4.59) lists.

-- Source: [httpd-2.4.58.tar.bz2]([preferred]httpd/httpd-2.4.58.tar.bz2)
-[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.58.tar.bz2.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.58.tar.bz2.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.58.tar.bz2.sha512) ]
+- Source: [httpd-2.4.59.tar.bz2]([preferred]httpd/httpd-2.4.59.tar.bz2)
+[ [PGP](https://downloads.apache.org/httpd/httpd-2.4.59.tar.bz2.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.59.tar.bz2.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.59.tar.bz2.sha512) ]

-- Source: [httpd-2.4.58.tar.gz]([preferred]httpd/httpd-2.4.58.tar.gz) [
-[PGP](https://downloads.apache.org/httpd/httpd-2.4.58.tar.gz.asc) ] [
-[SHA256](https://downloads.apache.org/httpd/httpd-2.4.58.tar.gz.sha256) ] [
-[SHA512](https://downloads.apache.org/httpd/httpd-2.4.58.tar.gz.sha512) ]
+- Source: [httpd-2.4.59.tar.gz]([preferred]httpd/httpd-2.4.59.tar.gz) [
+[PGP](https://downloads.apache.org/httpd/httpd-2.4.59.tar.gz.asc) ] [
+[SHA256](https://downloads.apache.org/httpd/httpd-2.4.59.tar.gz.sha256) ] [
+[SHA512](https://downloads.apache.org/httpd/httpd-2.4.59.tar.gz.sha512) ]

- [Security and official patches]([preferred]httpd/patches/)
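Review bot: the `.asc`, `.sha256` and `.sha512` links are updated consistently for both tarballs, and the split they keep is the right one: the tarballs come from the `[preferred]` mirror while signatures and digests are fetched from downloads.apache.org, so a tampered mirror cannot also serve matching checksums. Two things to consider when these lines are next regenerated: the `[ [PGP](...) ] [` bracket layout is split across lines in a way that is easy to break by hand, and a link to the project KEYS file next to the PGP link would tell readers which key the `.asc` signature should verify against.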

diff --git a/content/index.md b/content/index.md
index e75449b..7c16e54 100644
--- a/content/index.md
+++ b/content/index.md
@@ -14,11 +14,11 @@ April 1996. It has celebrated its 25th birthday as a project in February 2020.
The Apache HTTP Server is a project of [The Apache Software
Foundation](http://www.apache.org/).

-# Apache httpd 2.4.58 Released <span>2023-10-19</span>
+# Apache httpd 2.4.59 Released <span>2024-04-04</span>
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to
[announce](http://downloads.apache.org/httpd/Announcement2.4.html) the
-release of version 2.4.58 of the Apache HTTP Server ("httpd").
+release of version 2.4.59 of the Apache HTTP Server ("httpd").

This latest release from the 2.4.x stable branch represents the best available
version of Apache HTTP Server.
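Review bot: the `announce` link in this hunk's context uses `http://downloads.apache.org/...`, while the equivalent link in download.md uses the scheme-relative `//downloads.apache.org/...`; prefer `https://` (or the scheme-relative form) so the release announcement is not fetched over plain HTTP from a page that exists to point people at signed artifacts. The new heading `# Apache httpd 2.4.59 Released <span>2024-04-04</span>` and the version in the announce sentence match download.md.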
@@ -27,7 +27,7 @@ version of Apache HTTP Server.
Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.

[Download](download.cgi#apache24) | [ChangeLog for
-2.4.58](http://downloads.apache.org/httpd/CHANGES_2.4.58) | [Complete ChangeLog for
+2.4.59](http://downloads.apache.org/httpd/CHANGES_2.4.59) | [Complete ChangeLog for
2.4](http://downloads.apache.org/httpd/CHANGES_2.4) | [New Features in httpd
2.4](docs/trunk/new_features_2_4.html) {.centered}
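Review bot: same `http://` scheme issue for the two ChangeLog links in this hunk (`CHANGES_2.4.59` and `CHANGES_2.4`); switch them to `https://` alongside the version bump. The unchanged context line "Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1" predates this release by many versions and keeps the odd `<span>4</span>` markup; worth deciding whether it still earns front-page space in the same edit.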

diff --git a/content/security/json/CVE-2023-38709.json b/content/security/json/CVE-2023-38709.json
new file mode 100644
index 0000000..81141c3
--- /dev/null
+++ b/content/security/json/CVE-2023-38709.json
@@ -0,0 +1,101 @@
+{
+ "containers": {
+ "cna": {
+ "affected": [.
+ {
+ "defaultStatus": "unaffected",
+ "product": "Apache HTTP Server",
+ "vendor": "Apache Software Foundation",
+ "versions": [.
+ {
+ "lessThanOrEqual": "2.4.58",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "credits": [.
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "Orange Tsai (@orange_8361) from DEVCORE"
+ }
+ ],
+ "descriptions": [.
+ {
+ "lang": "en",
+ "supportingMedia": [.
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.<br><br>This issue affects Apache HTTP Server: through 2.4.58.<br>"
+ }
+ ],
+ "value": "Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.\n\nThis issue affects Apache HTTP Server: through 2.4.58.\n"
+ }
+ ],
+ "metrics": [.
+ {
+ "cvssV3_1": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.8,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [.
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [.
+ {
+ "descriptions": [.
+ {
+ "description": "HTTP response splitting",
+ "lang": "en"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "title": "Apache HTTP Server: HTTP response splitting",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "timeline": [.
+ {
+ "lang": "eng",
+ "time": "2024-04-04",
+ "value": "2.4.59 released"
+ }
+ ]
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "cveId": "CVE-2023-38709",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
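Review bot: every array opener in this file is shown as `[.` (e.g. `"affected": [.`, `"versions": [.`), which is not valid JSON; if that is what is committed the record will not parse, and if it is a display artifact of the archive it is fine, but please confirm the committed file loads. Also, the timeline entry uses `"lang": "eng"` while every other `lang` field in the record uses `"en"`; and unlike the other two records added in this push, this one has no "Reported to security team" timeline entry and its description states the affected range ("through 2.4.58") without telling users that 2.4.59 fixes it. The version range (`"version": "0"`, `"lessThanOrEqual": "2.4.58"`) is consistent with that description, and the CVSS 3.1 vector `AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N` matches the stated baseScore 6.8 / MEDIUM.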
diff --git a/content/security/json/CVE-2024-24795.json b/content/security/json/CVE-2024-24795.json
new file mode 100644
index 0000000..d8c8ce6
--- /dev/null
+++ b/content/security/json/CVE-2024-24795.json
@@ -0,0 +1,96 @@
+{
+ "containers": {
+ "cna": {
+ "affected": [.
+ {
+ "defaultStatus": "unaffected",
+ "product": "Apache HTTP Server",
+ "vendor": "Apache Software Foundation",
+ "versions": [.
+ {
+ "lessThanOrEqual": "2.4.58",
+ "status": "affected",
+ "version": "2.4.0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "credits": [.
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "Keran Mu, Tsinghua University and Zhongguancun Laboratory."
+ },
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "Jianjun Chen, Tsinghua University and Zhongguancun Laboratory."
+ }
+ ],
+ "descriptions": [.
+ {
+ "lang": "en",
+ "supportingMedia": [.
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.<br><br>Users are recommended to upgrade to version 2.4.59, which fixes this issue."
+ }
+ ],
+ "value": "HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.\n\nUsers are recommended to upgrade to version 2.4.59, which fixes this issue."
+ }
+ ],
+ "metrics": [.
+ {
+ "other": {
+ "content": {
+ "text": "low"
+ },
+ "type": "Textual description of severity"
+ }
+ }
+ ],
+ "problemTypes": [.
+ {
+ "descriptions": [.
+ {
+ "description": "HTTP response splitting",
+ "lang": "en"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [.
+ {
+ "lang": "en",
+ "time": "2023-09-06T11:37:00.000Z",
+ "value": "Reported to security team"
+ },
+ {
+ "lang": "eng",
+ "time": "2024-04-04",
+ "value": "2.4.59 released"
+ }
+ ],
+ "title": "Apache HTTP Server: HTTP Response Splitting in multiple modules",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "cveId": "CVE-2024-24795",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
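Review bot: `"discovery": "UNKNOWN"` sits next to two named external finders in `credits`, while the other two records in this push use `"discovery": "EXTERNAL"`; this looks like it should be EXTERNAL as well. This record also differs from CVE-2023-38709 in carrying only a textual severity (`"text": "low"`) with no CVSS vector, and from CVE-2024-27316 in having a problemTypes description with no `cweId`/`type`; if that is deliberate it is fine, but the three files would be easier to consume if they followed one shape. Same `"lang": "eng"` vs `"en"` inconsistency in the second timeline entry, and the same `[.` array-opener artifact throughout.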
diff --git a/content/security/json/CVE-2024-27316.json b/content/security/json/CVE-2024-27316.json
new file mode 100644
index 0000000..b618442
--- /dev/null
+++ b/content/security/json/CVE-2024-27316.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "affected": [.
+ {
+ "defaultStatus": "unaffected",
+ "product": "Apache HTTP Server",
+ "vendor": "Apache Software Foundation",
+ "versions": [.
+ {
+ "lessThanOrEqual": "2.4.58",
+ "status": "affected",
+ "version": "2.4.17",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "credits": [.
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "Bartek Nowotarski (https://nowotarski.info/) "
+ }
+ ],
+ "descriptions": [.
+ {
+ "lang": "en",
+ "supportingMedia": [.
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion."
+ }
+ ],
+ "value": "HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion."
+ }
+ ],
+ "metrics": [.
+ {
+ "other": {
+ "content": {
+ "text": "moderate"
+ },
+ "type": "Textual description of severity"
+ }
+ }
+ ],
+ "problemTypes": [.
+ {
+ "descriptions": [.
+ {
+ "cweId": "CWE-400",
+ "description": "CWE-400 Uncontrolled Resource Consumption",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "timeline": [.
+ {
+ "lang": "en",
+ "time": "2024-02-22T15:29:00.000Z",
+ "value": "Reported to security team"
+ },
+ {
+ "lang": "eng",
+ "time": "2024-04-04",
+ "value": "2.4.59 released"
+ }
+ ],
+ "title": "Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "cveId": "CVE-2024-27316",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
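Review bot: the description does not mention the affected range or the fixed version in text, so readers of the rendered advisory only learn from the `versions` block that 2.4.17 through 2.4.58 are affected and from the timeline that 2.4.59 is the release that addresses it; CVE-2024-24795 in the same push includes a "Users are recommended to upgrade to version 2.4.59" sentence, and this one should too. The finder credit value `"Bartek Nowotarski (https://nowotarski.info/) "` has a trailing space that will end up in the published record. Same `"lang": "eng"` vs `"en"` inconsistency in the second timeline entry, and the same `[.` array-opener artifact that needs confirming as display-only.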