Filtered by vendor Apache Subscriptions
Total 2321 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-23945 1 Apache 1 Shenyu 2024-08-03 7.5 High
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
CVE-2022-23944 1 Apache 1 Shenyu 2024-08-03 9.1 Critical
User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
CVE-2022-23974 1 Apache 1 Pinot 2024-08-03 7.5 High
In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0
CVE-2022-23943 5 Apache, Debian, Fedoraproject and 2 more 8 Http Server, Debian Linux, Fedora and 5 more 2024-08-03 9.8 Critical
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.
CVE-2022-23913 3 Apache, Netapp, Redhat 8 Activemq Artemis, Active Iq Unified Manager, Oncommand Workflow Automation and 5 more 2024-08-03 7.5 High
In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.
CVE-2022-23437 4 Apache, Netapp, Oracle and 1 more 31 Xerces-j, Active Iq Unified Manager, Agile Engineering Data Management and 28 more 2024-08-03 6.5 Medium
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
CVE-2022-23305 6 Apache, Broadcom, Netapp and 3 more 46 Log4j, Brocade Sannav, Snapmanager and 43 more 2024-08-03 9.8 Critical
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2022-23307 4 Apache, Oracle, Qos and 1 more 44 Chainsaw, Log4j, Advanced Supply Chain Planning and 41 more 2024-08-03 8.8 High
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23302 6 Apache, Broadcom, Netapp and 3 more 44 Log4j, Brocade Sannav, Snapmanager and 41 more 2024-08-03 8.8 High
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2022-23223 1 Apache 1 Shenyu 2024-08-03 7.5 High
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
CVE-2022-23206 1 Apache 1 Traffic Control 2024-08-03 7.5 High
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
CVE-2022-23181 4 Apache, Debian, Oracle and 1 more 10 Tomcat, Debian Linux, Agile Engineering Data Management and 7 more 2024-08-03 7.0 High
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
CVE-2022-22932 2 Apache, Redhat 2 Karaf, Jboss Fuse 2024-08-03 5.3 Medium
Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326
CVE-2022-22931 1 Apache 1 James 2024-08-03 4.3 Medium
Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used).
CVE-2022-22719 6 Apache, Apple, Debian and 3 more 9 Http Server, Mac Os X, Macos and 6 more 2024-08-03 7.5 High
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.
CVE-2022-22733 1 Apache 1 Shardingsphere Elasticjob-ui 2024-08-03 6.5 Medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.
CVE-2022-22728 3 Apache, Debian, Fedoraproject 3 Libapreq2, Debian Linux, Fedora 2024-08-03 7.5 High
A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
CVE-2022-22720 6 Apache, Apple, Debian and 3 more 16 Http Server, Mac Os X, Macos and 13 more 2024-08-03 9.8 Critical
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling
CVE-2022-22721 6 Apache, Apple, Debian and 3 more 11 Http Server, Mac Os X, Macos and 8 more 2024-08-03 9.1 Critical
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
CVE-2023-51441 1 Apache 1 Axis 2024-08-02 7.2 High
** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.