Web Server Vulnerabilities

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Vendor

Apache265
Microsoft193
Not Defined139
Oracle111
Nginx44

Identifying all affected vendors is a good starting point for an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Product

Apache HTTP Server263
Microsoft IIS189
Oracle HTTP Server95
lighttpd33
nginx33

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix805
Temporary Fix0
Workaround83
Unavailable36
Not Defined430

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High76
Functional5
Proof-of-Concept340
Unproven48
Not Defined885

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

Access Vector

Not Defined0
Physical0
Local126
Adjacent43
Network1185

The approach a vulnerability it becomes important to use the expected access vector. This is typically via the network, local, or physically even.

Authentication

Not Defined0
High3
Low180
None1171

To exploit a vulnerability a certail level of authentication might be required. Vulnerabilities without such a requirement are much more popular.

User Interaction

Not Defined0
Required137
None1217

Some attack scenarios require some user interaction by a victim. This is typical for phishing, social engineering and cross site scripting attacks.

C3BM Index

Our unique C3BM Index (CVSSv3 Base Meta Index) cumulates the CVSSv3 Meta Base Scores of all entries over time. Comparing this index to the amount of disclosed vulnerabilities helps to pinpoint the most important events.

CVSSv3 Base

≤10
≤20
≤34
≤466
≤5112
≤6579
≤7166
≤8290
≤961
≤1076

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤20
≤39
≤483
≤5252
≤6476
≤7283
≤8132
≤956
≤1063

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

VulDB

≤10
≤20
≤34
≤479
≤5118
≤6621
≤7105
≤8325
≤924
≤1078

The moderation team is always defining the base vector and base score for an entry. These and all other available scores are used to generate the meta score.

NVD

≤10
≤20
≤30
≤42
≤56
≤625
≤720
≤881
≤918
≤1057

The National Vulnerability Database (NVD) is also defining CVSS vectors and scores. These are usually not complete and might differ from VulDB scores.

CNA

≤10
≤20
≤30
≤41
≤50
≤62
≤76
≤86
≤92
≤101

A CVE Numbering Authority (CNA) is responsible for assigning new CVE entries. They might also include a CVSS score. These are usually not complete and might differ from VulDB scores.

Vendor

≤10
≤20
≤30
≤41
≤50
≤66
≤73
≤86
≤91
≤102

Some vendors are willing to publish their own CVSS vectors and scores for vulnerabilities in their products. The coverage varies from vendor to vendor.

Research

≤10
≤20
≤30
≤40
≤50
≤60
≤70
≤80
≤90
≤100

There are sometimes also security researcher which provide their own CVSS vectors and scores for vulnerabilities they have found and published.

Exploit 0-day

<1k66
<2k291
<5k363
<10k104
<25k297
<50k200
<100k28
≥100k5

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k1153
<2k44
<5k63
<10k39
<25k45
<50k10
<100k0
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

Exploit Market Volume

Our unique calculation of exploit prices makes it possible to forecast the expected exploit market volume. The calculated prices for all possible 0-day expoits are cumulated for this task. Comparing the volume to the amount of disclosed vulnerabilities helps to pinpoint the most important events.

🔴 CTI Activities

Our unique Cyber Threat Intelligence aims to determine the ongoing research of actors to anticipiate their acitivities. Observing exploit markets on the Darknet, discussions of vulnerabilities on mailinglists, and exchanges on social media makes it possible to identify planned attacks. Monitored actors and activities are classified whether they are offensive or defensive. They are also weighted as some actors are well-known for certain products and technologies. And some of their disclosures might contain more or less details about technical aspects and personal context. The world map highlights active actors in real-time.

Affected Products (352): 3S-Smart CODESYS Web Server, 24Link Web Server, A1 HTTP Server, Accoria Rock Web Server, ACI 4D Webserver, Acme httpd, ACME Micro Httpd, Acme Mini HTTPd, Acme mini_httpd, Acme thttpd, Acme Labs Mini HTTPd, Acme Labs thttpd, ActiveXperts ActiveWebserver, AGG Web Server, AIDeX Mini-WebServer, Aldo Vargas Aldos Web Server, Allegro RomPager Embedded Web Server, Amcrest Web Server, AN-HTTPd, AN AN-HTTPd, Apache httpd, Apache HTTP Server, Apache Thrift Node.js Static Web Server, Apache Tomcat, Aprelium Abyss Web Server, Aprelium Technologies Abyss Web Server, Arihiro Kurta Kantan WEB Server, Ashleys Web Server, Ashley Brown iWeb Server, Baby Web Server, Bajie Java HTTP Server, Bbshareware.com Phusion Webserver, Beck IPC IPC@CHIP Embedded-Webserver, Biba Software SeleniumServer Web Server, Biblioscape Biblioweb Server, BlueFace Falcon Web Server, Boa Boa Webserver, Boa Webserver, Boa Webserver, Borland Web Server For Corel Paradox, BugHunter HTTP SERVER, Bughunter HTTP Server, Canary Labs Trend Web Server, Cellinx NVT Web Server, Cesanta MongooseOS, Cesanta Mongoose Embedded Web Server Library, Charles Steinkuehler sh-httpd, Cherokee httpd, Cherokee HTTPD, Cherokee Web Server, Citrix Nfuse Webserver, CODESYS V2 Web Server, CODESYS Web Server, Comscripts Web Server Creator, Comscripts Web Server Creator Web Portal, CSM Alibaba Web Server, Cupidsystems CIS WebServer, Cyberstop Web Server, darkhttpd, David Yuan Forum Web Server, Debian HTTP Server, Debut Embedded httpd, Debut Embedded http Server, Deep Forest Software Quik-Serv Webserver, Dell OpenManage Web Server, Desiderata Software Blazix Web Server, dhttpd, DiGi Web Server, Doug Neal DNHTTPD, Dune Web Server, Easy File Sharing Web Server, EFS Easy Address Book Web Server, EFS Easy File Sharing Web Server, EFS Web Server, Efssoft Easy File Sharing Web Server, Efs Software Efs Web Server, Eitsop My Web Server, EmbedThis GoAhead Webserver, EMotion MediaPartner Web Server, eMotion MediaPartner Web Server, ER Mapper Image Web Server Ecw Jpeg 2000 Plug-in, Essen Essentia Web Server, Eterna bozohttpd, Exemys Telemetry Web Server, F5 NGINX Ingress Controller, F5 NGINX Instance Manager, F5 NGINX Service Mesh, Falcon Falcon Web Server, Fastream FUR HTTP Server, Fastream NETFile FTP, Fastream Netfile Ftp Web Server, FaSTream Netfile Ftp Web Server, Fastream Web Server, fhttpd, Fizmez Web Server, Free Java Web Server, Funsoft Dinos Webserver, Gamecheats Advanced Web Server Professional, GazTek ghttpd, GCDWebServer, Glimpse Web Server, GNOME Dwarf HTTP Server, GNU libmicrohttpd, Goahead Webserver, GoAhead WebServer, GoAhead Webserver, Goahead Web Server, Goahead Software Webserver, Grigoriadis Mini Web server, groonga-httpd, Guido Frassetto SEDUM HTTP Server, Gummy Bear FTP Drive + HTTP Server, Gweb HTTP Server, Hasbani Web Server, Hitachi Web Server, Honeywell Notifier Web Server, HP Embedded Web Server, HP HTTP Server, HP Secure Web Server For Tru64, httpdx HTTP Server, Http explorer Http Explorer Web Server, HTTP Server, Hughes Technologies LibHTTPD, IBM HTTP Server, Icecast Web Server, Imatix Xitami Web Server, IniNet embeddedWebServer, IniNet Webserver, Inso dwhttpd, Intel Rapid Web Server, InterVations NaviCOPA Web Server, InterVations Navicopa Web Server, Iplanet iPlanet Web Server, iPlanet Web Server, Iplanet Web Server, Jan Kneschke lighttpd, Javascript Xerver HTTP Server, JavaWebServer, Jeremy Arnold Worm Webserver, Jetty httpd, Jetty HTTP Server, Jetty Http Server, Jeuce Jeuce Personal Web Server, Jim Rees palmhttpd, Jo Webserver, Joel Christner IpMatcher, Joel Christner WatsonWebserver, KarjaSoft HTTP Server, Karjasoft Sami HTTP Server, Kerio WebServer, keycloak-httpd-client-install, Key Focus KF Web Server, Kurinton sHTTPd, lighttpd, Lighttpd, LightTPD, Light HTTPd, Litespeedtech LiteSpeed Web Server, Litespeed Technologies LiteSpeed Web Server, Lonerunner Zeroo HTTP Server, Lysias Lidik Webserver, Max Feoktistov Small HTTP Server, Mbedthis AppWeb HTTP Server, McAfee myCIO HTTP Server, MCPWS Personal Webserver, McWebserver, MDG 4D Webserver, MDG Web Server 4d, Mephistoles httpd, Michael Lamont Savant Webserver, Michael Lamont Savant WebServer, Michael Lamont Savant Web Server, Micheal Lamont Savant Webserver, Microsoft Frontpage, Microsoft IIS, Microsoft iis, Microsoft Internet Information Server, Microsoft Personal Web Server, Minihttpserver.net Forum Web Server, Minishare Minimal HTTP Server, MiniWeb HTTP Server, MiniWeb HTTP Server, MiniWeb Http Server, mini_httpd, Moby Netsuite Web Server, Mongoose Web Server, Monit Web Server, Monkey HTTP Daemon, Monoxide0184 Oxide WebServer, muhttpd, Munica Web Server, MyWebServer, Nakata An Httpd, NanoHTTPD, NCSA httpd, NCSA Webserver, nessus Web Server plugin, Netcruiser Web Server, Netdave Webster Http Server, Netscape Enterprise Server, Netscape Enterprise Web Server, Netscape iPlanet Web Server, NetServe Web Server, NetworkActiv NetworkActiv Web Server, NetworkActiv Web Server, Newmad Technologies PicoWebServer, Nginx, nginx, Nginx Controller, Nginx Ingress Controller, Nginx NJS, Nginx njs, Nginx Open Source, Nginx Open Source Subscription, Nginx Plus, Nginx Unit, Nickolas Grigoriadis Mini Web server, Nombas Scriptease Webserver, Nombas ScriptEase Webserver, Northern Xeneo Web Server, Northern Solutions Xeneo Web Server, Norz zawhttpd, Nostromo nhttpd, Notifier Web Server, Novell Web Server, Novus HTTP Server, Nulllogic Null HTTP Server, Ohio State University Osu Httpd, OkCupid OK Web Server, Omnicron OmniHTTPD, OpenPLC Webserver, Opentext HTTP Daemon, Oracle Administration Web Server, Oracle HTTP Server, Oracle iPlanet Web Server, Oracle One-Hour Install Web Server, Oracle Oracle9iAS Web Server, Oracle Oracle iPlanet Web Server, Oracle Webserver, Oracle Web Server, Orange Web Server, Orenosv HTTP Server, Oxide WebServer, Pablo Quick 'n Easy Web Server, Pablo Software Solutions Baby ASP Web Server, Pegasi Web Server, Perl-HTTPd, Peter Sandvik Simple Web Server, Pi3Web Web Server, Plain Old Webserver, Plug And Play Web Server, Plug And Play Web Server Proxy, PMSoftware Simple Web Server, PWebServer Web Server, pWins Webserver, Quick 'n Easy Web Server, Radiobird Web Server 4 Everyone, Radiobird Software Webserver 4 All, Radiobird Software Webserver 4 Everyone, RaidenHTTPD, raidenhttpd, Raiden Professional Servers raidenhttpd, rc-httpd, Real Time Logic Barracudadrive Web Server Home Server, Red Hat JBoss Web Server, Red Hat TUX HTTP Server, Reptile Web Server, Roxen Challenger Webserver, Roxen Webserver, Roxen Web Server, Salvo Tomaselli Weborf HTTP Server, Sambar Web Server, Sami HTTP Server, Savant Savant Webserver, Savant Webserver, savant web server, Savant Web Server, SCADA Webserver, Sergey Lyubka HTTPD, Sergey Lyubka Simple HTTPD, Sharing-file Easy File Sharing Web Server, shttpd, Siemens Synco OZW Web Server, Silver-forge Neptune Web Server, SiteScope Administration Web Server, SiteScope Management Web Server, Small HTTP Server, Snowblind Web Server, Soft3304 04WebServer, Soft3304 04webserver, Software602 Web Server, Solido Systems Ravenous Web Server, SourceForge Monkey httpd, Spencer Christensen Perl Web Server, Sphinx-soft Mobile Web Server, SpiderControl SCADA Web Server, Static HTTP Server, sthttpd, strong-nginx-controller, Summit Computer Networks Lil HTTP Server, Sun Cobalt Administration Web Server, Sun Cobalt HTTP Server, Sun iPlanet Web Server, Sun Java System Web Server, Sun Java System Web Server Plugin, Sun ONE, Sun One Web Server, Sun ONE web server, Sun ONE Web Server, Surfboard httpd, SWS Simple Web Server, SWS Sws Simple Web Server, T. Hauck Jana Web Server, Telcondex Simplewebserver, Telcondex SimpleWebServer, thttpd, thttpd HTTP Server, Timo Gaik Webby Webserver, TinyHTTPD, TinyWeb Web Server, Treck HTTP Server, TTiny Java Web Server and Servlet Container, Twilight Webserver, Twilight Utilities Web Server, ULTRAPOP i-HTTPD, Undertow HTTP Server, Undertow Web Server, Vector Ultra Mini HTTPD, VeryNginx, Vizer Web Server, vWebServer, W3C CERN httpd, WASD HTTP Server, WebLog Expert Web Server Enterprise, Web Server, West Street LocalWEB HTTP Server, West Wind Web Server, Wserve HTTP Server, Xeneo Web Server, Xerver Web Server, XiongMai uc-httpd, Xitami HTTP Server, Xitami Web Server, Yann Ramin ATPhttpd, Yaws Webserver, Yaws Web Server, ZEROF Web Server, Zeroo HTTP Server, Zeus Webserver, Zeus Web Server, Zeus Zeus Web Server, Zeus Technologies Zeus Web Server

PublishedBaseTempVulnerabilityProductExpRemCTICVE
10/29/20225.55.3Nginx NJS njs_json.c njs_json_parse_iterator_call use after freeNJSNot DefinedOfficial Fix0.03CVE-2022-43286
10/29/20226.56.5Nginx NJS njs_promise_reaction_job memory corruptionNJSNot DefinedNot Defined0.03CVE-2022-43285
10/29/20226.56.5Nginx NJS njs_scope.h njs_scope_valid_value memory corruptionNJSNot DefinedNot Defined0.03CVE-2022-43284
10/20/20227.97.7Nginx Plus ngx_http_hls_module out-of-bounds writePlusNot DefinedOfficial Fix0.06CVE-2022-41743
10/20/20227.47.3Nginx Open Source/Open Source Subscription/Plus ngx_http_mp4_module out-of-bounds writeOpen Source/Open Source Subscription/PlusNot DefinedOfficial Fix0.03CVE-2022-41741
10/20/20226.76.5Nginx Open Source/Open Source Subscription/Plus ngx_http_mp4_module out-of-bounds writeOpen Source/Open Source Subscription/PlusNot DefinedOfficial Fix0.00CVE-2022-41742
10/19/20225.35.2Oracle HTTP Server SSL Module denial of serviceHTTP ServerNot DefinedOfficial Fix0.03CVE-2020-14155
10/19/20225.95.8Oracle HTTP Server SSL Module denial of serviceHTTP ServerNot DefinedOfficial Fix0.13CVE-2021-3537
10/19/20226.56.3Oracle HTTP Server Web Listener out-of-boundsHTTP ServerNot DefinedOfficial Fix0.61CVE-2020-24977
10/19/20227.16.9Oracle HTTP Server OHS Config MBeans unknown vulnerabilityHTTP ServerNot DefinedOfficial Fix0.03CVE-2022-21593
10/19/20229.89.6Oracle HTTP Server SSL Module out-of-bounds writeHTTP ServerNot DefinedOfficial Fix0.04CVE-2022-23943
10/06/20226.46.3lighttpd TCP gw_backend.c denial of servicelighttpdNot DefinedOfficial Fix0.00CVE-2022-41556
09/21/20226.46.3McWebserver HTTP Request path traversalMcWebserverNot DefinedOfficial Fix0.04CVE-2022-39221
09/15/20225.55.5Nginx NJS njs_utf8.h njs_utf8_next memory corruptionNJSNot DefinedNot Defined0.05CVE-2022-38890
09/13/20225.55.5lighttpd HTTP Request mod_wstunnel null pointer dereferencelighttpdNot DefinedNot Defined0.03CVE-2022-37797
08/18/20226.56.4Nginx NJS Code Generation memory corruptionNJSNot DefinedOfficial Fix0.04CVE-2022-35173
08/09/20226.46.4EmbedThis GoAhead Webserver Nonce websda.c entropyGoAhead WebserverNot DefinedNot Defined0.03CVE-2021-41615
08/05/20224.34.1muhttpd URL request.c do_request information disclosuremuhttpdNot DefinedOfficial Fix0.08CVE-2022-31793
08/05/20225.45.3F5 NGINX Ingress Controller Ingress Object information disclosureNGINX Ingress ControllerNot DefinedOfficial Fix0.06CVE-2022-30535
08/05/20226.56.3F5 NGINX Instance Manager API resource consumptionNGINX Instance ManagerNot DefinedOfficial Fix0.00CVE-2022-35241
07/19/20225.35.2Oracle HTTP Server Web Listener information disclosureHTTP ServerNot DefinedOfficial Fix0.05CVE-2019-0220
07/19/20226.15.9Oracle HTTP Server SSL Module redirectHTTP ServerNot DefinedOfficial Fix0.04CVE-2020-1927
07/19/20227.16.9Oracle HTTP Server SSL Module out-of-boundsHTTP ServerNot DefinedOfficial Fix0.10CVE-2021-35940
07/19/20229.39.2Oracle HTTP Server SSL Module input validationHTTP ServerNot DefinedOfficial Fix0.03CVE-2020-35169
07/19/20229.18.9Oracle HTTP Server SSL Module use after freeHTTP ServerNot DefinedOfficial Fix0.03CVE-2019-10082
07/19/20226.56.5Nginx NJS njs_value.c njs_value_own_enumerate memory corruptionNJSNot DefinedNot Defined0.00CVE-2022-34032
07/19/20226.56.5Nginx NJS njs_value_conversion.h njs_value_to_number memory corruptionNJSNot DefinedNot Defined0.04CVE-2022-34031
07/19/20226.56.5Nginx NJS njs_djb_hash.c njs_djb_hash memory corruptionNJSNot DefinedNot Defined0.00CVE-2022-34030
07/19/20226.36.3Nginx NJS njs_scope.h njs_scope_value out-of-boundsNJSNot DefinedNot Defined0.00CVE-2022-34029
07/19/20226.56.5Nginx NJS njs_utf8.h njs_utf8_next memory corruptionNJSNot DefinedNot Defined0.03CVE-2022-34028
07/19/20226.56.5Nginx NJS njs_value.c njs_value_property memory corruptionNJSNot DefinedNot Defined0.03CVE-2022-34027
06/21/20225.55.3Nginx NJS njs_vmcode.c njs_vmcode_interpreter Privilege EscalationNJSNot DefinedOfficial Fix0.00CVE-2022-32414
06/21/20225.55.3Nginx NJS njs_string.c njs_string_offset Privilege EscalationNJSNot DefinedOfficial Fix0.05CVE-2022-31307
06/21/20225.55.3Nginx NJS njs_array.c njs_array_convert_to_slow_array Privilege EscalationNJSNot DefinedOfficial Fix0.07CVE-2022-31306
06/12/20225.35.3Lighttpd Header connections.c connection_read_header_more resource consumptionLighttpdNot DefinedNot Defined0.09CVE-2022-30780
06/09/20227.37.0Apache HTTP Server Connection Header access controlHTTP ServerNot DefinedOfficial Fix0.14CVE-2022-31813
06/09/20225.35.1Apache HTTP Server r:wsread information disclosureHTTP ServerNot DefinedOfficial Fix0.03CVE-2022-30556
06/09/20225.35.1Apache HTTP Server mod_sed memory allocationHTTP ServerNot DefinedOfficial Fix0.03CVE-2022-30522
06/09/20225.35.1Apache HTTP Server ap_rputs integer overflowHTTP ServerNot DefinedOfficial Fix0.09CVE-2022-28614
06/09/20227.37.0Apache HTTP Server mod_isapi out-of-boundsHTTP ServerNot DefinedOfficial Fix0.03CVE-2022-28330
06/09/20227.37.0Apache HTTP Server mod_proxy_ajp request smugglingHTTP ServerNot DefinedOfficial Fix0.14CVE-2022-26377
06/09/20225.35.1Apache HTTP Server Lua Script r:parsebody allocation of resourcesHTTP ServerNot DefinedOfficial Fix0.06CVE-2022-29404
06/09/20227.37.0Apache HTTP Server ap_strcmp_match integer overflowHTTP ServerNot DefinedOfficial Fix0.06CVE-2022-28615
06/03/20225.55.3Nginx NJS njs_value.h njs_set_number memory corruptionNJSNot DefinedOfficial Fix0.03CVE-2022-30503
06/03/20225.55.3Nginx NJS njs_array.c njs_array_prototype_sort memory corruptionNJSNot DefinedOfficial Fix0.03CVE-2022-29780
06/03/20225.55.3Nginx NJS njs_value.c njs_value_own_enumerate memory corruptionNJSNot DefinedOfficial Fix0.04CVE-2022-29779
05/25/20225.55.3Nginx NJS njs_module.c njs_default_module_loader stack-based overflowNJSNot DefinedOfficial Fix0.04CVE-2022-29379
05/25/20226.96.8AGG Web Server path traversalWeb ServerNot DefinedNot Defined0.15CVE-2021-32964
05/25/20226.26.2AGG Web Server cross site scriptingWeb ServerNot DefinedNot Defined0.07CVE-2021-32962
05/17/20225.55.3Joel Christner WatsonWebserver/IpMatcher IP Address input validationWatsonWebserver/IpMatcherNot DefinedOfficial Fix0.02CVE-2021-33318

1304 more entries are not shown

🔒 Login Required

You need to signup and login to see more of the remaining 1,304 results.

PreviousOverviewNext

Do you know our Splunk app?

Download it now for free!