Filtered by vendor Apache
Subscriptions
Total
2322 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-3165 | 1 Apache | 1 Brooklyn | 2024-09-16 | N/A |
| In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability. | ||||
| CVE-2012-2380 | 1 Apache | 1 Roller | 2024-09-16 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the admin/editor console in Apache Roller before 5.0.1 allow remote attackers to hijack the authentication of admins or editors by leveraging the HTTP POST functionality. | ||||
| CVE-2018-1306 | 1 Apache | 1 Pluto | 2024-09-16 | N/A |
| The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information. | ||||
| CVE-2017-12636 | 1 Apache | 1 Couchdb | 2024-09-16 | N/A |
| CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet. | ||||
| CVE-2018-11781 | 4 Apache, Canonical, Debian and 1 more | 8 Spamassassin, Ubuntu Linux, Debian Linux and 5 more | 2024-09-16 | N/A |
| Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax. | ||||
| CVE-2017-12626 | 2 Apache, Redhat | 3 Poi, Jboss Amq, Jboss Fuse | 2024-09-16 | N/A |
| Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295). | ||||
| CVE-2018-8015 | 1 Apache | 1 Orc | 2024-09-16 | N/A |
| In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack. | ||||
| CVE-2023-46104 | 1 Apache | 1 Superset | 2024-09-16 | 6.5 Medium |
| Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1. | ||||
| CVE-2017-12634 | 2 Apache, Redhat | 3 Camel, Jboss Amq, Jboss Fuse | 2024-09-16 | N/A |
| The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | ||||
| CVE-2018-11761 | 2 Apache, Oracle | 2 Tika, Business Process Management Suite | 2024-09-16 | N/A |
| In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack. | ||||
| CVE-2017-7666 | 1 Apache | 1 Openmeetings | 2024-09-16 | N/A |
| Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks. | ||||
| CVE-2017-3163 | 2 Apache, Redhat | 2 Solr, Jboss Enterprise Application Platform | 2024-09-16 | N/A |
| When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access. | ||||
| CVE-2017-7681 | 1 Apache | 1 Openmeetings | 2024-09-16 | N/A |
| Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end. | ||||
| CVE-2016-5018 | 6 Apache, Canonical, Debian and 3 more | 16 Tomcat, Ubuntu Linux, Debian Linux and 13 more | 2024-09-16 | 9.1 Critical |
| In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. | ||||
| CVE-2018-1284 | 1 Apache | 1 Hive | 2024-09-16 | N/A |
| In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false. | ||||
| CVE-2012-4446 | 2 Apache, Redhat | 2 Qpid, Enterprise Mrg | 2024-09-16 | N/A |
| The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request. | ||||
| CVE-2018-8016 | 1 Apache | 1 Cassandra | 2024-09-16 | N/A |
| The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra. | ||||
| CVE-2009-3821 | 2 Apache, Typo3 | 2 Solr, Typo3 | 2024-09-16 | N/A |
| Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2017-7683 | 1 Apache | 1 Openmeetings | 2024-09-16 | N/A |
| Apache OpenMeetings 1.0.0 displays Tomcat version and detailed error stack trace, which is not secure. | ||||
| CVE-2018-8004 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-09-16 | N/A |
| There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions. | ||||