This page lists publicly disclosed CVE vulnerabilities affecting oracle http_server (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-22719 | A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. | [email protected] | 7.5 | 69.80% | 2022-03-14 | 2024-11-21 |
| CVE-2022-21716 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds. | [email protected] | 7.5 | 3.61% | 2022-03-03 | 2024-11-25 |
| CVE-2022-25315 | In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. | [email protected] | 9.8 | 4.78% | 2022-02-18 | 2025-05-05 |
| CVE-2022-25314 | In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. | [email protected] | 7.5 | 4.65% | 2022-02-18 | 2025-05-05 |
| CVE-2022-25313 | In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. | [email protected] | 6.5 | 3.27% | 2022-02-18 | 2025-05-30 |
| CVE-2022-25236 | xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. | [email protected] | 9.8 | 33.94% | 2022-02-16 | 2025-05-05 |
| CVE-2022-25235 | xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. | [email protected] | 9.8 | 4.92% | 2022-02-16 | 2025-05-05 |
| CVE-2022-0391 | A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14. | [email protected] | 7.5 | 8.33% | 2022-02-09 | 2025-12-17 |
| CVE-2021-4034 KEV | A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When | [email protected] | 7.8 | 94.92% | 2022-01-28 | 2025-11-06 |
| CVE-2022-21375 | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vect | [email protected] | 5.5 | 0.26% | 2022-01-19 | 2024-11-21 |
| CVE-2022-21271 | Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized abil | [email protected] | 5.3 | 2.79% | 2022-01-19 | 2024-11-21 |
| CVE-2021-4185 | Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | [email protected] | 7.5 | 3.88% | 2021-12-30 | 2025-11-03 |
| CVE-2021-4184 | Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | [email protected] | 7.5 | 3.88% | 2021-12-30 | 2025-11-03 |
| CVE-2021-4183 | Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of service via crafted capture file | [email protected] | 5.5 | 1.43% | 2021-12-30 | 2024-11-21 |
| CVE-2021-4182 | Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | [email protected] | 7.5 | 3.30% | 2021-12-30 | 2025-11-03 |
| CVE-2021-4181 | Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | [email protected] | 7.5 | 3.77% | 2021-12-30 | 2025-11-03 |
| CVE-2021-44790 | A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. | [email protected] | 9.8 | 97.11% | 2021-12-20 | 2025-05-01 |
| CVE-2021-44224 | A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). | [email protected] | 8.2 | 82.30% | 2021-12-20 | 2024-11-21 |
| CVE-2021-43818 | lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. | [email protected] | 8.2 | 2.46% | 2021-12-13 | 2024-11-21 |
| CVE-2021-42717 | ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4. | [email protected] | 7.5 | 3.21% | 2021-12-07 | 2025-07-03 |