Web Server Vulnerabilities

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Vendor

Apache253
Microsoft193
Not Defined131
Oracle96
Sun38

Identifying all affected vendors is a good starting point for an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Product

Apache HTTP Server251
Microsoft IIS189
Oracle HTTP Server80
nginx33
lighttpd31

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix734
Temporary Fix0
Workaround84
Unavailable0
Not Defined464

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High76
Functional5
Proof-of-Concept334
Unproven52
Not Defined815

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

Access Vector

Not Defined0
Physical0
Local125
Adjacent17
Network1140

The approach a vulnerability it becomes important to use the expected access vector. This is typically via the network, local, or physically even.

Authentication

Not Defined0
High3
Low143
None1136

To exploit a vulnerability a certail level of authentication might be required. Vulnerabilities without such a requirement are much more popular.

User Interaction

Not Defined0
Required132
None1150

Some attack scenarios require some user interaction by a victim. This is typical for phishing, social engineering and cross site scripting attacks.

C3BM Index

Our unique C3BM Index (CVSSv3 Base Meta Index) cumulates the CVSSv3 Meta Base Scores of all entries over time. Comparing this index to the amount of disclosed vulnerabilities helps to pinpoint the most important events.

CVSSv3 Base

≤10
≤20
≤34
≤464
≤5107
≤6555
≤7144
≤8277
≤959
≤1072

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤20
≤39
≤481
≤5248
≤6453
≤7251
≤8126
≤954
≤1060

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

VulDB

≤10
≤20
≤34
≤474
≤5111
≤6589
≤796
≤8313
≤921
≤1074

The moderation team is always defining the base vector and base score for an entry. These and all other available scores are used to generate the meta score.

NVD

≤10
≤20
≤30
≤42
≤56
≤622
≤717
≤868
≤915
≤1051

The National Vulnerability Database (NVD) is also defining CVSS vectors and scores. These are usually not complete and might differ from VulDB scores.

CNA

≤10
≤20
≤30
≤41
≤50
≤61
≤70
≤83
≤91
≤100

A CVE Numbering Authority (CNA) is responsible for assigning new CVE entries. They might also include a CVSS score. These are usually not complete and might differ from VulDB scores.

Vendor

≤10
≤20
≤30
≤41
≤50
≤66
≤73
≤86
≤91
≤102

Some vendors are willing to publish their own CVSS vectors and scores for vulnerabilities in their products. The coverage varies from vendor to vendor.

Research

≤10
≤20
≤30
≤40
≤50
≤60
≤70
≤80
≤90
≤100

There are sometimes also security researcher which provide their own CVSS vectors and scores for vulnerabilities they have found and published.

Exploit 0-day

<1k51
<2k288
<5k336
<10k96
<25k290
<50k188
<100k30
≥100k3

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k1091
<2k42
<5k62
<10k37
<25k37
<50k13
<100k0
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

Exploit Market Volume

Our unique calculation of exploit prices makes it possible to forecast the expected exploit market volume. The calculated prices for all possible 0-day expoits are cumulated for this task. Comparing the volume to the amount of disclosed vulnerabilities helps to pinpoint the most important events.

🔴 CTI Activities

Our unique Cyber Threat Intelligence aims to determine the ongoing research of actors to anticipiate their acitivities. Observing exploit markets on the Darknet, discussions of vulnerabilities on mailinglists, and exchanges on social media makes it possible to identify planned attacks. Monitored actors and activities are classified whether they are offensive or defensive. They are also weighted as some actors are well-known for certain products and technologies. And some of their disclosures might contain more or less details about technical aspects and personal context. The world map highlights active actors in real-time.

Affected Products (339): 3S-Smart CODESYS Web Server, 24Link Web Server, A1 HTTP Server, Accoria Rock Web Server, ACI 4D Webserver, Acme httpd, ACME Micro Httpd, Acme Mini HTTPd, Acme mini_httpd, Acme thttpd, Acme Labs Mini HTTPd, Acme Labs thttpd, ActiveXperts ActiveWebserver, AIDeX Mini-WebServer, Aldo Vargas Aldos Web Server, Allegro RomPager Embedded Web Server, Amcrest Web Server, AN-HTTPd, AN AN-HTTPd, Apache httpd, Apache HTTP Server, Apache Thrift Node.js Static Web Server, Apache Tomcat, Aprelium Abyss Web Server, Aprelium Technologies Abyss Web Server, Arihiro Kurta Kantan WEB Server, Ashleys Web Server, Ashley Brown iWeb Server, Baby Web Server, Bajie Java HTTP Server, Bbshareware.com Phusion Webserver, Beck IPC IPC@CHIP Embedded-Webserver, Biba Software SeleniumServer Web Server, Biblioscape Biblioweb Server, BlueFace Falcon Web Server, Boa Boa Webserver, Boa Webserver, Boa Webserver, Borland Web Server For Corel Paradox, BugHunter HTTP SERVER, Bughunter HTTP Server, Canary Labs Trend Web Server, Cellinx NVT Web Server, Cesanta MongooseOS, Cesanta Mongoose Embedded Web Server Library, Charles Steinkuehler sh-httpd, Cherokee HTTPD, Cherokee httpd, Cherokee Web Server, Citrix Nfuse Webserver, CODESYS V2 Web Server, CODESYS Web Server, Comscripts Web Server Creator, Comscripts Web Server Creator Web Portal, CSM Alibaba Web Server, Cupidsystems CIS WebServer, Cyberstop Web Server, David Yuan Forum Web Server, Debian HTTP Server, Debut Embedded httpd, Debut Embedded http Server, Deep Forest Software Quik-Serv Webserver, Dell OpenManage Web Server, Desiderata Software Blazix Web Server, dhttpd, DiGi Web Server, Doug Neal DNHTTPD, Dune Web Server, Easy File Sharing Web Server, EFS Easy Address Book Web Server, EFS Easy File Sharing Web Server, EFS Web Server, Efssoft Easy File Sharing Web Server, Efs Software Efs Web Server, Eitsop My Web Server, EmbedThis GoAhead Webserver, EMotion MediaPartner Web Server, eMotion MediaPartner Web Server, ER Mapper Image Web Server Ecw Jpeg 2000 Plug-in, Essen Essentia Web Server, Eterna bozohttpd, Exemys Telemetry Web Server, Falcon Falcon Web Server, Fastream FUR HTTP Server, Fastream NETFile FTP, FaSTream Netfile Ftp Web Server, Fastream Netfile Ftp Web Server, Fastream Web Server, fhttpd, Fizmez Web Server, Free Java Web Server, Funsoft Dinos Webserver, Gamecheats Advanced Web Server Professional, GazTek ghttpd, GCDWebServer, Glimpse Web Server, GNOME Dwarf HTTP Server, GNU libmicrohttpd, Goahead Webserver, GoAhead Webserver, GoAhead WebServer, Goahead Web Server, Goahead Software Webserver, Grigoriadis Mini Web server, groonga-httpd, Guido Frassetto SEDUM HTTP Server, Gummy Bear FTP Drive + HTTP Server, Gweb HTTP Server, Hasbani Web Server, Hitachi Web Server, Honeywell Notifier Web Server, HP Embedded Web Server, HP HTTP Server, HP Secure Web Server For Tru64, httpdx HTTP Server, Http explorer Http Explorer Web Server, HTTP Server, Hughes Technologies LibHTTPD, IBM HTTP Server, Icecast Web Server, Imatix Xitami Web Server, IniNet embeddedWebServer, IniNet Webserver, Inso dwhttpd, Intel Rapid Web Server, InterVations NaviCOPA Web Server, InterVations Navicopa Web Server, Iplanet iPlanet Web Server, Iplanet Web Server, iPlanet Web Server, Jan Kneschke lighttpd, Javascript Xerver HTTP Server, JavaWebServer, Jeremy Arnold Worm Webserver, Jetty httpd, Jetty HTTP Server, Jetty Http Server, Jeuce Jeuce Personal Web Server, Jim Rees palmhttpd, Jo Webserver, KarjaSoft HTTP Server, Karjasoft Sami HTTP Server, Kerio WebServer, keycloak-httpd-client-install, Key Focus KF Web Server, Kurinton sHTTPd, Lighttpd, LightTPD, lighttpd, Light HTTPd, Litespeedtech LiteSpeed Web Server, Litespeed Technologies LiteSpeed Web Server, Lonerunner Zeroo HTTP Server, Lysias Lidik Webserver, Max Feoktistov Small HTTP Server, Mbedthis AppWeb HTTP Server, McAfee myCIO HTTP Server, MCPWS Personal Webserver, MDG 4D Webserver, MDG Web Server 4d, Mephistoles httpd, Michael Lamont Savant WebServer, Michael Lamont Savant Webserver, Michael Lamont Savant Web Server, Micheal Lamont Savant Webserver, Microsoft Frontpage, Microsoft iis, Microsoft IIS, Microsoft Internet Information Server, Microsoft Personal Web Server, Minihttpserver.net Forum Web Server, Minishare Minimal HTTP Server, MiniWeb HTTP Server, MiniWeb HTTP Server, MiniWeb Http Server, mini_httpd, Moby Netsuite Web Server, Mongoose Web Server, Monit Web Server, Monkey HTTP Daemon, Monoxide0184 Oxide WebServer, Munica Web Server, MyWebServer, Nakata An Httpd, NanoHTTPD, NCSA httpd, NCSA Webserver, nessus Web Server plugin, Netcruiser Web Server, Netdave Webster Http Server, Netscape Enterprise Server, Netscape Enterprise Web Server, Netscape iPlanet Web Server, NetServe Web Server, NetworkActiv NetworkActiv Web Server, NetworkActiv Web Server, Newmad Technologies PicoWebServer, nginx, Nginx, Nginx Controller, Nginx Ingress Controller, Nginx Open Source, Nginx Plus, Nginx Unit, Nickolas Grigoriadis Mini Web server, Nombas ScriptEase Webserver, Nombas Scriptease Webserver, Northern Xeneo Web Server, Northern Solutions Xeneo Web Server, Norz zawhttpd, Nostromo nhttpd, Notifier Web Server, Novell Web Server, Novus HTTP Server, Nulllogic Null HTTP Server, Ohio State University Osu Httpd, OkCupid OK Web Server, Omnicron OmniHTTPD, OpenPLC Webserver, Opentext HTTP Daemon, Oracle Administration Web Server, Oracle HTTP Server, Oracle iPlanet Web Server, Oracle One-Hour Install Web Server, Oracle Oracle9iAS Web Server, Oracle Oracle iPlanet Web Server, Oracle Webserver, Oracle Web Server, Orange Web Server, Orenosv HTTP Server, Oxide WebServer, Pablo Quick 'n Easy Web Server, Pablo Software Solutions Baby ASP Web Server, Pegasi Web Server, Perl-HTTPd, Peter Sandvik Simple Web Server, Pi3Web Web Server, Plain Old Webserver, Plug And Play Web Server, Plug And Play Web Server Proxy, PMSoftware Simple Web Server, PWebServer Web Server, pWins Webserver, Quick 'n Easy Web Server, Radiobird Web Server 4 Everyone, Radiobird Software Webserver 4 All, Radiobird Software Webserver 4 Everyone, RaidenHTTPD, raidenhttpd, Raiden Professional Servers raidenhttpd, Real Time Logic Barracudadrive Web Server Home Server, Red Hat JBoss Web Server, Red Hat TUX HTTP Server, Reptile Web Server, Roxen Challenger Webserver, Roxen Webserver, Roxen Web Server, Salvo Tomaselli Weborf HTTP Server, Sambar Web Server, Sami HTTP Server, Savant Savant Webserver, Savant Webserver, savant web server, Savant Web Server, SCADA Webserver, Sergey Lyubka HTTPD, Sergey Lyubka Simple HTTPD, Sharing-file Easy File Sharing Web Server, shttpd, Siemens Synco OZW Web Server, Silver-forge Neptune Web Server, SiteScope Administration Web Server, SiteScope Management Web Server, Small HTTP Server, Snowblind Web Server, Soft3304 04webserver, Soft3304 04WebServer, Software602 Web Server, Solido Systems Ravenous Web Server, SourceForge Monkey httpd, Spencer Christensen Perl Web Server, Sphinx-soft Mobile Web Server, SpiderControl SCADA Web Server, Static HTTP Server, sthttpd, strong-nginx-controller, Summit Computer Networks Lil HTTP Server, Sun Cobalt Administration Web Server, Sun Cobalt HTTP Server, Sun iPlanet Web Server, Sun Java System Web Server, Sun Java System Web Server Plugin, Sun ONE, Sun ONE Web Server, Sun ONE web server, Sun One Web Server, Surfboard httpd, SWS Simple Web Server, SWS Sws Simple Web Server, T. Hauck Jana Web Server, Telcondex Simplewebserver, Telcondex SimpleWebServer, thttpd, thttpd HTTP Server, Timo Gaik Webby Webserver, TinyHTTPD, TinyWeb Web Server, Treck HTTP Server, TTiny Java Web Server and Servlet Container, Twilight Webserver, Twilight Utilities Web Server, ULTRAPOP i-HTTPD, Undertow HTTP Server, Undertow Web Server, Vector Ultra Mini HTTPD, VeryNginx, Vizer Web Server, vWebServer, W3C CERN httpd, WASD HTTP Server, WebLog Expert Web Server Enterprise, Web Server, West Street LocalWEB HTTP Server, West Wind Web Server, Wserve HTTP Server, Xeneo Web Server, Xerver Web Server, XiongMai uc-httpd, Xitami HTTP Server, Xitami Web Server, Yann Ramin ATPhttpd, Yaws Webserver, Yaws Web Server, ZEROF Web Server, Zeroo HTTP Server, Zeus Webserver, Zeus Web Server, Zeus Zeus Web Server, Zeus Technologies Zeus Web Server

PublishedBaseTempVulnerabilityProdExpRemCTICVE
01/06/20226.36.3lighttpd mod_extforward Plugin mod_extforward_Forwarded stack-based overflowlighttpdNot DefinedNot Defined0.05CVE-2022-22707
12/20/20216.76.6Apache HTTP Server Proxy null pointer dereferenceHTTP ServerNot DefinedOfficial Fix0.38CVE-2021-44224
12/20/20218.58.4Apache HTTP Server mod_lua Multipart Parser r:parsebody out-of-bounds writeHTTP ServerNot DefinedOfficial Fix1.89CVE-2021-44790
10/26/20216.46.3CODESYS V2 Web Server Web Request null pointer dereferenceV2 Web ServerNot DefinedOfficial Fix0.00CVE-2021-34586
10/26/20216.46.3CODESYS V2 Web Server Web Request unusual conditionV2 Web ServerNot DefinedOfficial Fix0.10CVE-2021-34585
10/26/20217.57.5CODESYS V2 Web Server Web Request stack-based overflowV2 Web ServerNot DefinedOfficial Fix0.00CVE-2021-34584
10/26/20216.46.3CODESYS V2 Web Server Web Request heap-based overflowV2 Web ServerNot DefinedOfficial Fix0.05CVE-2021-34583
10/19/20213.73.6Oracle HTTP Server Web Listener unknown vulnerabilityHTTP ServerNot DefinedOfficial Fix0.00CVE-2021-2480
10/19/20215.95.8Oracle HTTP Server OpenSSL denial of serviceHTTP ServerNot DefinedOfficial Fix0.05CVE-2020-1971
10/19/20215.95.8Oracle HTTP Server OSSL Module information disclosureHTTP ServerNot DefinedOfficial Fix0.06CVE-2021-35666
10/07/20217.37.0Apache HTTP Server Incomplete Fix CVE-2021-41773 path traversalHTTP ServerNot DefinedOfficial Fix0.32CVE-2021-42013
10/05/20215.35.1Apache HTTP Server HTTP2 Request null pointer dereferenceHTTP ServerNot DefinedOfficial Fix0.06CVE-2021-41524
10/05/20217.36.8Apache HTTP Server Path Normalization path traversalHTTP ServerFunctionalOfficial Fix0.05CVE-2021-41773
09/16/20215.65.6Apache HTTP Server ap_escape_quotes buffer overflowHTTP ServerNot DefinedNot Defined1.08CVE-2021-39275
09/16/20215.35.3Apache HTTP Server mod_proxy_uwsgi out-of-bounds readHTTP ServerNot DefinedNot Defined0.00CVE-2021-36160
09/16/20215.35.3Apache HTTP Server null pointer dereferenceHTTP ServerNot DefinedNot Defined0.59CVE-2021-34798
09/16/20217.37.3Apache HTTP Server mod_proxy server-side request forgeryHTTP ServerNot DefinedNot Defined0.70CVE-2021-40438
08/16/20217.37.0Apache HTTP Server mod_proxy access controlHTTP ServerNot DefinedOfficial Fix0.05CVE-2021-33193
08/10/20213.53.5TTiny Java Web Server and Servlet Container 404 Error Page cross site scriptingJava Web Server and Servlet ContainerNot DefinedNot Defined0.07CVE-2021-37573
08/04/20215.55.3CODESYS Web Server access controlWeb ServerNot DefinedOfficial Fix0.05CVE-2021-36763
08/04/20216.36.1OpenPLC Webserver Hardware Layer Code Box hardware command injectionWebserverNot DefinedNot Defined0.04CVE-2021-31630
07/20/20215.35.1Novus HTTP Server HTTP GET Request pathname traversalHTTP ServerNot DefinedNot Defined0.10CVE-2021-34820
06/15/20215.35.1Apache HTTP Server mod_http2 null pointer dereferenceHTTP ServerNot DefinedOfficial Fix0.00CVE-2021-31618
06/10/20214.34.1Apache HTTP Server denial of serviceHTTP ServerNot DefinedOfficial Fix0.05CVE-2020-13938
06/10/20215.65.4Apache HTTP Server MergeSlashes Remote Code ExecutionHTTP ServerNot DefinedOfficial Fix0.06CVE-2021-30641
06/10/20217.37.0Apache HTTP Server mod_session heap-based overflowHTTP ServerNot DefinedOfficial Fix0.32CVE-2021-26691
06/10/20215.35.1Apache HTTP Server mod_session null pointer dereferenceHTTP ServerNot DefinedOfficial Fix0.05CVE-2021-26690
06/10/20215.35.1Apache HTTP Server mod_proxy_http null pointer dereferenceHTTP ServerNot DefinedOfficial Fix0.21CVE-2020-13950
06/10/20217.37.0Apache HTTP Server mod_proxy_wstunnel improper authenticationHTTP ServerNot DefinedOfficial Fix0.11CVE-2019-17567
06/10/20215.65.4Apache HTTP Server mod_auth_digest stack-based overflowHTTP ServerNot DefinedOfficial Fix0.11CVE-2020-35452
06/07/20215.55.3Nginx Autoindex Module integer overflowNginxNot DefinedOfficial Fix0.11CVE-2017-20005
06/01/20216.36.0Nginx Controller Agent Configuration File agent.conf permissionControllerNot DefinedOfficial Fix0.05CVE-2021-23021
06/01/20212.62.5Nginx Controller NAAS API Key Generation random valuesControllerNot DefinedOfficial Fix0.05CVE-2021-23020
06/01/20213.53.4Nginx Controller systemd.txt insertion of sensitive information into sent dataControllerNot DefinedOfficial Fix0.05CVE-2021-23019
06/01/20213.13.0Nginx Controller Intra-Cluster Communication cleartext transmissionControllerNot DefinedOfficial Fix0.05CVE-2021-23018
06/01/20215.55.5Nginx Open Source/Plus/Ingress Controller Resolver off-by-oneOpen Source/Plus/Ingress ControllerNot DefinedNot Defined0.21CVE-2021-23017
04/21/20215.45.2Oracle HTTP Server Web Listener unknown vulnerabilityHTTP ServerNot DefinedOfficial Fix0.04CVE-2021-2315
04/21/20217.57.2Oracle HTTP Server SSL Module denial of serviceHTTP ServerNot DefinedOfficial Fix0.06CVE-2020-5360
04/13/20218.08.0ZEROF Web Server Login Page HandleEvent sql injectionWeb ServerNot DefinedNot Defined0.28CVE-2021-30175
04/09/20215.35.2Aprelium Abyss Web Server HTTP Request out-of-bounds readAbyss Web ServerNot DefinedWorkaround0.05CVE-2021-3328
03/26/20218.07.7GNU libmicrohttpd post_process_urlencoded buffer overflowlibmicrohttpdNot DefinedOfficial Fix0.06CVE-2021-3466
02/23/20214.84.8NanoHTTPD HTTP GET RouterNanoHTTPD.java GeneralHandler cross site scriptingNanoHTTPDNot DefinedNot Defined0.05CVE-2020-13697
02/08/20216.46.4sthttpd HTTP GET Request de_dotdot denial of servicesthttpdNot DefinedNot Defined0.03CVE-2021-26843
12/23/20207.37.0Treck HTTP Server heap-based overflowHTTP ServerNot DefinedOfficial Fix0.19CVE-2020-25066
12/22/20205.35.0MiniWeb HTTP Server POST Request denial of serviceHTTP ServerProof-of-ConceptNot Defined0.00CVE-2020-29596
11/06/20208.58.5Cellinx NVT Web Server SetFileContent.cgi improper authenticationNVT Web ServerNot DefinedNot Defined0.05CVE-2020-28250
10/20/20207.26.9Oracle HTTP Server null pointer dereferenceHTTP ServerNot DefinedOfficial Fix0.06CVE-2019-10097
10/20/20207.57.2Oracle HTTP Server SSL Module denial of serviceHTTP ServerNot DefinedOfficial Fix0.04CVE-2020-1967
10/20/20209.89.4Oracle HTTP Server Web Listener buffer overflowHTTP ServerNot DefinedOfficial Fix0.06CVE-2019-5482
09/09/20208.58.5Yaws Web Server CGI os command injectionWeb ServerNot DefinedNot Defined0.06CVE-2020-24916

1232 more entries are not shown

Do you know our Splunk app?

Download it now for free!