Recent updates to this article

| Date | Update |
| --- | --- |
| July 18, 2023 | Added the "Apache CVEs Assigned in 2023" section. |

This article provides a list of CVEs for Apache starting in 2019. The article covers whether these CVEs impact ePO. Most Apache CVEs don't apply to ePO because ePO doesn't use an affected version or doesn't load the affected module.

The CVEs are listed in the table below in descending order of the CVE number. The CVE number might not correlate to the date on which the CVE was published. We link to the CVE definition at mitre.org below. You can find more details about Apache vulnerabilities on this page from the Apache HTTP Server Project.

Apache CVEs Assigned in 2023

| CVE | Affected Apache Versions | Affected Module | Article | Affects ePO | Reason ePO isn't Affected |
| --- | --- | --- | --- | --- | --- |
| CVE-2023-25690 | 2.4.0–2.4.55 | mod_proxy | KB82555 | No | ePO doesn't load the affected module for Apache. |

Apache CVEs Assigned in 2022 |
CVE |
Affected Apache Versions |
Affected Module |
Article |
Affects ePO |
Reason ePO isn't Affected |
CVE-2022-31813 |
2.4.53 and earlier |
mod_proxy |
KB82555 |
No |
ePO doesn't load the affected module for Apache. |
CVE-2022-30556 |
mod_lua |
CVE-2022-30522 |
2.4.53 only |
mod_sed |
CVE-2022-29404 |
2.4.53 and earlier |
mod_lua |
CVE-2022-28615 |
n/a |
SB10387 |
Yes |
Apache updated to 2.4.54 in ePO 5.10 Update 14. |
CVE-2022-28614 |
CVE-2022-28330 |
mod_isapi |
KB82555 |
No |
ePO doesn't load the affected module for Apache. |
CVE-2022-26377 |
mod_proxy_ajp |
CVE-2022-23943 |
2.4.52 and earlier |
mod_sed |
CVE-2022-22721 |
2.4.52 and earlier |
n/a |
KB96056 |
The ePO Engineering team has reviewed this CVE and determined that it isn't applicable to ePO. ePO doesn't explicitly set the LimitXMLRequestBody directive, so the default value applies, and the default isn't affected by this issue. Hence, ePO isn't vulnerable. |
CVE-2022-22720 |
2.4.52 and earlier |
n/a |
SB10387 |
Yes |
n/a |
CVE-2022-22719 |
mod_lua |
KB82555 |
No |
ePO doesn't load the affected module for Apache. |
Apache CVEs Assigned in 2021 |
CVE |
Affected Apache Versions |
Affected Module |
Article |
Affects ePO |
Reason ePO isn't Affected |
CVE-2021-44224 |
2.4.7–2.4.51 |
mod_proxy |
KB82555 |
No |
ePO doesn't load the affected module for Apache. |
CVE-2021-44790 |
2.4.51 and earlier |
mod_lua |
CVE-2021-42013 |
2.4.49 and 2.4.50 |
n/a |
KB94967 |
ePO doesn't consume an affected version. |
CVE-2021-41773 |
CVE-2021-41524 |
2.4.49 |
CVE-2021-40438 |
2.4.48 and earlier |
mod_proxy |
KB82555 |
ePO doesn't load the affected module for Apache. |
CVE-2021-39275 |
n/a |
n/a |
ePO doesn't use any third-party modules and mostly uses the Apache default modules that aren't affected. ePO has some custom modules and handlers that are specific to ePO, but they don't pass untrusted data directly to the vulnerable function.
NOTE: Apache is upgraded to version 2.4.51 in ePO 5.10 Update 13. |
CVE-2021-36160 |
2.4.30–2.4.48 |
mod_proxy_uwsgi |
KB82555 |
ePO doesn't load the affected module for Apache. |
CVE-2021-34798 |
2.4.48 and earlier |
n/a |
SB10379 |
Yes |
n/a |
CVE-2021-33193 |
2.4.17–2.4.48 |
mod_proxy |
KB82555 |
No |
ePO doesn't load the affected module for Apache. |
CVE-2021-31618 |
2.4.39–2.4.46 |
mod_http2 |
n/a |
ePO doesn't consume an affected version, or load the affected module. |
CVE-2021-30641 |
2.4.39–2.4.46 |
n/a |
n/a |
ePO doesn't consume an affected version. |
CVE-2021-26691 |
2.4.0–2.4.46 |
mod_session |
KB95046 |
ePO doesn't consume an affected version, or load the affected module. |
CVE-2021-26690 |
2.4.0–2.4.46 |
mod_session |
Apache CVEs Assigned in 2020 |
CVE |
Affected Apache Versions |
Affected Module |
Article |
Affects ePO |
Reason ePO isn't Affected |
CVE-2020-35452 |
2.4.0–2.4.46 |
mod_auth_digest |
KB82555 |
No |
ePO doesn't load the affected module for Apache. |
CVE-2020-13950 |
2.4.41–2.4.46 |
mod_proxy_http |
No |
ePO doesn't consume an affected version or load the affected module. |
CVE-2020-13938 |
2.4.0–2.4.46 |
n/a |
SB10379 |
Yes |
n/a |
CVE-2020-11993 |
2.4.20–2.4.43 |
mod_http2 |
KB82555 |
No |
ePO doesn't load the affected module for Apache. |
CVE-2020-11984 |
mod_proxy_uwsgi |
CVE-2020-9490 |
mod_http2 |
CVE-2020-1934 |
2.4.0–2.4.41 |
mod_proxy_ftp |
CVE-2020-1927 |
mod_rewrite |
Apache CVEs Assigned in 2019 |
CVE |
Affected Apache Versions |
Affected Module |
Article |
Affects ePO |
Reason ePO isn't Affected |
CVE-2019-17567 |
2.4.6–2.4.46 |
mod_proxy_wstunnel |
KB82555 |
No |
ePO doesn't load the affected module for Apache. |
CVE-2019-10098 |
2.4.0–2.4.39 |
mod_rewrite |
CVE-2019-10097 |
2.4.33–2.4.38 |
mod_remoteip |
CVE-2019-10092 |
2.4.0–2.4.39 |
mod_proxy |
CVE-2019-10082 |
2.4.18–2.4.39 |
mod_http2 |
CVE-2019-10081 |
2.4.20–2.4.39 |
CVE-2019-9517 |
SB10296 |
The security bulletin indicates that ePO isn't vulnerable, because ePO doesn't load the affected module for Apache. |
CVE-2019-0220 |
2.4.0–2.4.38 |
n/a |
KB91440 |
ePO isn't affected. |
CVE-2019-0217 |
2.4.0–2.4.38 |
mod_auth_digest |
ePO doesn't load the affected module for Apache. |
CVE-2019-0215 |
2.4.37–2.4.38 |
mod_ssl |
ePO Apache doesn't support TLS 1.3 yet. |
CVE-2019-0211 |
2.4.17–2.4.38 |
n/a |
ePO is Windows only and this CVE only affects UNIX systems. |
CVE-2019-0197 |
2.4.34–2.4.38 |
mod_http2 |
ePO doesn't load the affected module for Apache. |
CVE-2019-0196 |
2.4.17–2.4.38 |
n/a = not applicable
If you have concerns about an Apache CVE that isn't listed in this article, perform the steps below:
- Collect the information below:
- Open a Service Request.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields. Your password and instructions are emailed to you.