Yann Ylavic

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server version 2.4.12 **Description** The issue is related to the read request line function in the server/protocol.c component of the Apache HTTP Server, which does not properly initialize a protocol structure member. This can be exploited by remote attackers to cause a denial of service, resulting in a process crash, by sending a request without a method to an installation that has the INCLUDES filter enabled and an ErrorDocument 400 directive specifying a local URI. The exploitation of this issue can lead to a NULL pointer dereference. **Recommendations** For Apache HTTP Server version 2.4.12, consider disabling the INCLUDES filter or removing the ErrorDocument 400 directive specifying a local URI as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.