Filtered by vendor Apache
Subscriptions
Total
2322 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-17520 | 1 Apache | 1 Pulsar Manager | 2024-08-04 | 6.5 Medium |
| In the Pulsar manager 0.1.0 version, malicious users will be able to bypass pulsar-manager's admin, permission verification mechanism by constructing special URLs, thereby accessing any HTTP API. | ||||
| CVE-2020-17530 | 2 Apache, Oracle | 8 Struts, Business Intelligence, Communications Diameter Intelligence Hub and 5 more | 2024-08-04 | 9.8 Critical |
| Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. | ||||
| CVE-2020-17523 | 1 Apache | 1 Shiro | 2024-08-04 | 9.8 Critical |
| Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | ||||
| CVE-2020-17531 | 1 Apache | 1 Tapestry | 2024-08-04 | 9.8 Critical |
| A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version. | ||||
| CVE-2020-17532 | 1 Apache | 1 Java Chassis | 2024-08-04 | 8.8 High |
| When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5 | ||||
| CVE-2020-17522 | 1 Apache | 1 Traffic Control | 2024-08-04 | 5.8 Medium |
| When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture. | ||||
| CVE-2020-17529 | 1 Apache | 1 Nuttx | 2024-08-04 | 9.8 Critical |
| Out-of-bounds Write vulnerability in TCP Stack of Apache NuttX (incubating) versions up to and including 9.1.0 and 10.0.0 allows attacker to corrupt memory by supplying and invalid fragmentation offset value specified in the IP header. This is only impacts builds with both CONFIG_EXPERIMENTAL and CONFIG_NET_TCP_REASSEMBLY build flags enabled. | ||||
| CVE-2020-17521 | 4 Apache, Netapp, Oracle and 1 more | 24 Atlas, Groovy, Snapcenter and 21 more | 2024-08-04 | 5.5 Medium |
| Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2. | ||||
| CVE-2020-17518 | 2 Apache, Redhat | 4 Flink, Camel Quarkus, Integration and 1 more | 2024-08-04 | 7.5 High |
| Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. | ||||
| CVE-2020-17528 | 1 Apache | 1 Nuttx | 2024-08-04 | 9.1 Critical |
| Out-of-bounds Write vulnerability in TCP stack of Apache NuttX (incubating) versions up to and including 9.1.0 and 10.0.0 allows attacker to corrupt memory by supplying arbitrary urgent data pointer offsets within TCP packets including beyond the length of the packet. | ||||
| CVE-2020-17527 | 5 Apache, Debian, Netapp and 2 more | 15 Tomcat, Debian Linux, Element Plug-in and 12 more | 2024-08-04 | 7.5 High |
| While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. | ||||
| CVE-2020-17533 | 1 Apache | 1 Accumulo | 2024-08-04 | 8.1 High |
| Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and 'canPerformSystemActions' security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties. | ||||
| CVE-2020-17510 | 3 Apache, Debian, Redhat | 3 Shiro, Debian Linux, Jboss Fuse | 2024-08-04 | 9.8 Critical |
| Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | ||||
| CVE-2020-17508 | 1 Apache | 1 Traffic Server | 2024-08-04 | 7.5 High |
| The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. | ||||
| CVE-2020-17513 | 1 Apache | 1 Airflow | 2024-08-04 | 5.3 Medium |
| In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. | ||||
| CVE-2020-17525 | 3 Apache, Debian, Redhat | 4 Subversion, Debian Linux, Enterprise Linux and 1 more | 2024-08-04 | 7.5 High |
| Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7 | ||||
| CVE-2020-17511 | 1 Apache | 1 Airflow | 2024-08-04 | 6.5 Medium |
| In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field. | ||||
| CVE-2020-17514 | 1 Apache | 1 Fineract | 2024-08-04 | 7.4 High |
| Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful. | ||||
| CVE-2020-17517 | 1 Apache | 1 Ozone | 2024-08-04 | 7.5 High |
| The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release. | ||||
| CVE-2020-17515 | 1 Apache | 1 Airflow | 2024-08-04 | 6.1 Medium |
| The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely. | ||||