Apache HTTP Server Buffer Over-Read Vulnerability in AJP Module

Vulnerability

A buffer over-read vulnerability has been identified in the Apache HTTP Server's AJP (Apache JServ Protocol) proxy module, 'mod_proxy_ajp', affecting versions through 2.4.66. When mod_proxy_ajp connects to a malicious AJP server, a crafted AJP message causes the module to read beyond the end of an allocated buffer (an out-of-bounds read), which can disclose memory contents of the httpd process.

Impact

Exploitation of this vulnerability leads to a heap-based buffer over-read in the httpd process, which can disclose memory contents. The attacker must control, or be able to impersonate, an AJP backend that mod_proxy_ajp connects to; the vulnerability is not triggered by ordinary client requests alone.

Reproduction

The vulnerability can be reproduced by configuring Apache HTTP Server to proxy requests to an AJP backend through 'mod_proxy_ajp' (for example, a ProxyPass rule targeting an ajp:// URL) and pointing that backend at an attacker-controlled AJP server. When mod_proxy_ajp connects to the malicious server, the server responds with a crafted AJP message that mod_proxy_ajp processes, causing it to read past the end of a heap buffer.
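The page does not describe which AJP message or which code path in mod_proxy_ajp is affected, so the following is an added example of the bug class rather than httpd's own code: a minimal parser for an AJP13 container-to-server SEND_BODY_CHUNK message (magic 'A' 'B', 2-byte payload length, then prefix code 0x03, 2-byte chunk length, chunk bytes) that bounds-checks every length field against the bytes actually received, beside a function that reports how far an unchecked parser trusting the embedded chunk length would read past the buffer. The packets, the function names and the error codes are constructed for this example.

```c
/* Added example, not Apache httpd source: bounds-checked AJP13 SEND_BODY_CHUNK
 * parsing versus the over-read a parser that trusts the embedded length would
 * perform. Layout assumed here (AJP13 container->server):
 *   'A' 'B' | payload_len(2, big-endian) | payload
 *   payload for SEND_BODY_CHUNK: 0x03 | chunk_len(2, big-endian) | chunk bytes
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define AJP_SEND_BODY_CHUNK 0x03

typedef struct {
    const uint8_t *data;   /* points into the caller's packet buffer */
    size_t len;            /* validated chunk length */
} ajp_chunk_t;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Hardened parser: every length is checked against what we actually hold.
 * Returns 0 on success; negative codes identify which check failed. */
int ajp_parse_body_chunk(const uint8_t *pkt, size_t pktlen, ajp_chunk_t *out)
{
    if (pktlen < 4 || pkt[0] != 'A' || pkt[1] != 'B')
        return -1;                               /* no complete header / bad magic */
    size_t payload_len = rd16(pkt + 2);
    if (payload_len > pktlen - 4)
        return -2;                               /* header claims more than received */
    const uint8_t *payload = pkt + 4;
    if (payload_len < 3 || payload[0] != AJP_SEND_BODY_CHUNK)
        return -3;                               /* not a SEND_BODY_CHUNK, or too short */
    size_t chunk_len = rd16(payload + 1);
    if (chunk_len > payload_len - 3)
        return -4;                               /* the over-read check: chunk_len lies */
    out->data = payload + 3;
    out->len = chunk_len;
    return 0;
}

/* What an unchecked parser would do: trust chunk_len and walk chunk_len bytes
 * from the chunk start. Returns how many bytes that read would extend beyond
 * the received packet (0 if none). Computes only; never performs the read. */
size_t ajp_naive_overread(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 7)
        return 0;                                /* not enough bytes to reach chunk_len */
    size_t chunk_len = rd16(pkt + 5);
    size_t end = 4 + 3 + chunk_len;              /* header + prefix + length field + chunk */
    return end > pktlen ? end - pktlen : 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[] = {
    'A', 'B', 0x00, 0x08,            /* payload_len = 8 */
    0x03, 0x00, 0x05,                /* SEND_BODY_CHUNK, chunk_len = 5 */
    'h', 'e', 'l', 'l', 'o'
};
static const uint8_t bad_pkt[] = {
    'A', 'B', 0x00, 0x08,            /* payload_len = 8, consistent with the packet */
    0x03, 0x7f, 0xff,                /* chunk_len = 32767, far beyond the 5 bytes present */
    'h', 'e', 'l', 'l', 'o'
};

int demo_good(void)
{
    ajp_chunk_t c;
    return ajp_parse_body_chunk(good_pkt, sizeof good_pkt, &c);      /* 0 */
}

int demo_bad(void)
{
    ajp_chunk_t c;
    return ajp_parse_body_chunk(bad_pkt, sizeof bad_pkt, &c);        /* -4 */
}

size_t demo_bad_overread(void)
{
    return ajp_naive_overread(bad_pkt, sizeof bad_pkt);              /* 32762 */
}

int main(void)
{
    printf("good packet: rc=%d\n", demo_good());
    printf("bad packet:  rc=%d, unchecked parser would read %zu bytes past the buffer\n",
           demo_bad(), demo_bad_overread());
    return 0;
}
```

The point of the two functions side by side is that the crafted packet is internally consistent at the outer layer (the 2-byte payload length matches what was received), so a parser that only validates the outer framing and then trusts the inner chunk length will read tens of kilobytes of adjacent heap memory; the inner length must be checked against the remaining payload, not accepted on its own.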

Remediation

Users are advised to upgrade to Apache HTTP Server version 2.4.67, which addresses this vulnerability. Until the upgrade is applied, limit mod_proxy_ajp backends to trusted hosts on trusted networks, and disable the module where AJP proxying is not in use.

Added: May 4, 2026, 1:18 PM
Updated: May 4, 2026, 1:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 7.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.