External Attack Surface Management Report
vulnweb.com
Comprehensive analysis of the external attack surface, structured to highlight priority exposure, supporting evidence, and the assets that merit the earliest analyst review.
1. Executive Summary
The external reconnaissance scope for vulnweb.com identified 177 discovered assets, of which 100 were prioritized for deeper analysis based on exposure, service composition, and observed risk indicators.
Overall exposure is assessed as CRITICAL. The most relevant findings are concentrated in exposed web services, vulnerable internet-facing hosts, and a small set of infrastructure entries requiring analyst review first.
Observed Infrastructure Vulnerabilities
Key vulnerabilities identified via host intelligence across the discovered infrastructure.
| CVE ID | Score | Affected Host | Vulnerability Summary | Host Risk |
|---|---|---|---|---|
| CVE-2017-7679 | 9.8 | rest.vulnweb.com | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. | CRITICAL |
| CVE-2017-3169 | 9.8 | rest.vulnweb.com | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. | CRITICAL |
| CVE-2024-3566 | 9.8 | rest.vulnweb.com | A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | CRITICAL |
| CVE-2024-38476 | 9.8 | rest.vulnweb.com | The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue. | CRITICAL |
| CVE-2019-9641 | 9.8 | rest.vulnweb.com | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF. | CRITICAL |
| CVE-2017-3167 | 9.8 | rest.vulnweb.com | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. | CRITICAL |
| CVE-2021-44790 | 9.8 | rest.vulnweb.com | A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. | CRITICAL |
| CVE-2017-8923 | 9.8 | rest.vulnweb.com | The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string. | CRITICAL |
| CVE-2022-31813 | 9.8 | rest.vulnweb.com | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. | CRITICAL |
| CVE-2019-13224 | 9.8 | rest.vulnweb.com | A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. | CRITICAL |
| CVE-2021-26691 | 9.8 | rest.vulnweb.com | In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server could cause a heap overflow. | CRITICAL |
| CVE-2021-39275 | 9.8 | rest.vulnweb.com | ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. | CRITICAL |
| CVE-2018-1312 | 9.8 | rest.vulnweb.com | In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. | CRITICAL |
| CVE-2022-22720 | 9.8 | rest.vulnweb.com | Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. | CRITICAL |
| CVE-2022-23943 | 9.8 | rest.vulnweb.com | Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. | CRITICAL |
| CVE-2023-25690 | 9.8 | rest.vulnweb.com | Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server. | CRITICAL |
| CVE-2024-38474 | 9.8 | rest.vulnweb.com | Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to cause source disclosure of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. | CRITICAL |
| CVE-2024-38475 | 9.1 | rest.vulnweb.com | Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. | CRITICAL |
| CVE-2022-22721 | 9.1 | rest.vulnweb.com | If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. | CRITICAL |
| CVE-2019-10082 | 9.1 | rest.vulnweb.com | In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. | CRITICAL |
2. Key Metrics
High-level summary for quick triage and prioritization.
3. Priority Findings
Automated templates matched against discovered web entrypoints. Findings are ordered by severity to highlight items that deserve immediate validation.
| Severity | Template | Finding Name | Matched Target |
|---|---|---|---|
| HIGH | wordpress-db-exposure | WordPress Database Backup File - Exposure | http://rest.vulnweb.com/db.sql |
| MEDIUM | mysql-dump | MySQL - Dump Files | http://rest.vulnweb.com/db.sql |
Nuclei Severity Breakdown
4. Top Exposed Assets
The most relevant hosts are presented first based on risk score, severity, and exposure characteristics.
rest.vulnweb.com
- Open ports on 18.215.71.186: [80]
- Vulnerabilities found on 18.215.71.186
testasp.vulnweb.com
- Open ports on 44.238.29.244: [80]
- Vulnerabilities found on 44.238.29.244
testaspnet.vulnweb.com
- Open ports on 44.238.29.244: [80]
- Vulnerabilities found on 44.238.29.244
0-30.ap-northeast-1.compute.vulnweb.com
- Baseline exposure observed.
0.ca-central-1.compute.vulnweb.com
- Baseline exposure observed.
111-181.ap-northeast-2.compute.vulnweb.com
- Baseline exposure observed.
Additional Priority Assets
129.eu-west-1.compute.vulnweb.com
- Baseline exposure observed.
252fwww.vulnweb.com
- Baseline exposure observed.
29cd17f3faa.elb.us-east-1.vulnweb.com
- Baseline exposure observed.
3-3-69.us-east-2.compute.vulnweb.com
- Baseline exposure observed.
3dtestasp.vulnweb.com
- Baseline exposure observed.
3testphp.vulnweb.com
- Baseline exposure observed.
5. Supporting Intelligence
Edge metadata, takeover candidates, and DNS observations used to support triage and deeper validation.
Cloudflare Intelligence
| Target Host | Server | TLS | Security | Tech Stack | Edge IP |
|---|---|---|---|---|---|
| rest.vulnweb.com | Apache/2.4.25 (Debian) | TLS 1.3 / AES_256_GCM | secure | Apache HTTP Server, Debian, PHP | 18.215.71.186 (United States) |
DNS / Takeover Intelligence
No Takeover Signals
Current heuristics indicate stable infrastructure.
No TXT Signals
No interesting DNS evidence collected.
6. Infrastructure Inventory
Condensed view of discovered IP infrastructure and network groupings.
| IP Address | Network | Hostnames | Ports | Products | Organization |
|---|---|---|---|---|---|
| 18.215.71.186 | 18.215.71.0/24 | ec2-18-215-71-186.compute-1.amazonaws.com | 80 | Apache httpd | Amazon Technologies Inc. |
| 44.238.29.244 | 44.238.29.0/24 | ec2-44-238-29-244.us-west-2.compute.amazonaws.com | 80 | Microsoft IIS httpd | Amazon.com, Inc. |