Filtered by vendor Apache Subscriptions
Total 2321 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-30973 2 Apache, Redhat 2 Tika, Integration 2024-08-03 5.5 Medium
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
CVE-2022-30556 4 Apache, Fedoraproject, Netapp and 1 more 5 Http Server, Fedora, Clustered Data Ontap and 2 more 2024-08-03 7.5 High
Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
CVE-2022-30522 4 Apache, Fedoraproject, Netapp and 1 more 6 Http Server, Fedora, Clustered Data Ontap and 3 more 2024-08-03 7.5 High
If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
CVE-2022-30126 3 Apache, Oracle, Redhat 3 Tika, Primavera Unifier, Jboss Fuse 2024-08-03 5.5 Medium
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
CVE-2022-29885 3 Apache, Debian, Oracle 3 Tomcat, Debian Linux, Hospitality Cruise Shipboard Property Management System 2024-08-03 7.5 High
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
CVE-2022-29599 3 Apache, Debian, Redhat 8 Maven Shared Utils, Debian Linux, Enterprise Linux and 5 more 2024-08-03 9.8 Critical
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
CVE-2022-29404 4 Apache, Fedoraproject, Netapp and 1 more 5 Http Server, Fedora, Clustered Data Ontap and 2 more 2024-08-03 7.5 High
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
CVE-2022-29405 1 Apache 1 Archiva 2024-08-03 6.5 Medium
In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
CVE-2022-29266 1 Apache 1 Apisix 2024-08-03 7.5 High
In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.
CVE-2022-29265 1 Apache 1 Nifi 2024-08-03 7.5 High
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.
CVE-2022-29158 1 Apache 1 Ofbiz 2024-08-03 7.5 High
Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599
CVE-2022-29063 1 Apache 1 Ofbiz 2024-08-03 9.8 Critical
The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server restart, in order to run arbitrary code. Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12646.
CVE-2022-28890 1 Apache 1 Jena 2024-08-03 9.8 Critical
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
CVE-2022-28889 1 Apache 1 Druid 2024-08-03 4.3 Medium
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
CVE-2022-28731 1 Apache 1 Jspwiki 2024-08-03 6.5 Medium
A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.
CVE-2022-28732 1 Apache 1 Jspwiki 2024-08-03 6.1 Medium
A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later.
CVE-2022-28730 1 Apache 1 Jspwiki 2024-08-03 6.1 Medium
A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.
CVE-2022-28615 4 Apache, Fedoraproject, Netapp and 1 more 6 Http Server, Fedora, Clustered Data Ontap and 3 more 2024-08-03 9.1 Critical
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
CVE-2022-28614 4 Apache, Fedoraproject, Netapp and 1 more 6 Http Server, Fedora, Clustered Data Ontap and 3 more 2024-08-03 5.3 Medium
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.
CVE-2022-28331 3 Apache, Microsoft, Redhat 4 Portable Runtime, Windows, Jboss Core Services and 1 more 2024-08-03 9.8 Critical
On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.