Filtered by vendor Apache
Subscriptions
Total
2322 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-13925 | 1 Apache | 1 Kylin | 2024-08-04 | 9.8 Critical |
| Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0. | ||||
| CVE-2020-11978 | 1 Apache | 1 Airflow | 2024-08-04 | 8.8 High |
| An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. | ||||
| CVE-2020-11985 | 2 Apache, Redhat | 3 Http Server, Enterprise Linux, Rhel Software Collections | 2024-08-04 | 5.3 Medium |
| IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020. | ||||
| CVE-2020-11998 | 2 Apache, Oracle | 7 Activemq, Communications Diameter Signaling Router, Communications Element Manager and 4 more | 2024-08-04 | 9.8 Critical |
| A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13 | ||||
| CVE-2020-11989 | 2 Apache, Redhat | 2 Shiro, Jboss Fuse | 2024-08-04 | 9.8 Critical |
| Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | ||||
| CVE-2020-11987 | 5 Apache, Debian, Fedoraproject and 2 more | 23 Batik, Debian Linux, Fedora and 20 more | 2024-08-04 | 8.2 High |
| Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. | ||||
| CVE-2020-11986 | 1 Apache | 1 Netbeans | 2024-08-04 | 9.8 Critical |
| To be able to analyze gradle projects, the build scripts need to be executed. Apache NetBeans follows this pattern. This causes the code of the build script to be invoked at load time of the project. Apache NetBeans up to and including 12.0 did not request consent from the user for the analysis of the project at load time. This in turn will run potentially malicious code, from an external source, without the consent of the user. | ||||
| CVE-2020-11990 | 1 Apache | 1 Cordova | 2024-08-04 | 3.3 Low |
| We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally. | ||||
| CVE-2020-11991 | 1 Apache | 1 Cocoon | 2024-08-04 | 7.5 High |
| When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system. | ||||
| CVE-2020-11977 | 1 Apache | 1 Syncope | 2024-08-04 | 7.2 High |
| In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution. | ||||
| CVE-2020-11976 | 1 Apache | 2 Fortress, Wicket | 2024-08-04 | 7.5 High |
| By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5 | ||||
| CVE-2020-11984 | 8 Apache, Canonical, Debian and 5 more | 16 Http Server, Ubuntu Linux, Debian Linux and 13 more | 2024-08-04 | 9.8 Critical |
| Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | ||||
| CVE-2020-11988 | 3 Apache, Fedoraproject, Redhat | 5 Xmlgraphics Commons, Fedora, Jboss Enterprise Bpms Platform and 2 more | 2024-08-04 | 8.2 High |
| Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later. | ||||
| CVE-2020-11979 | 5 Apache, Fedoraproject, Gradle and 2 more | 38 Ant, Fedora, Gradle and 35 more | 2024-08-04 | 7.5 High |
| As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. | ||||
| CVE-2020-11983 | 1 Apache | 1 Airflow | 2024-08-04 | 5.4 Medium |
| An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks. | ||||
| CVE-2020-11994 | 3 Apache, Oracle, Redhat | 5 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 2 more | 2024-08-04 | 7.5 High |
| Server-Side Template Injection and arbitrary file disclosure on Camel templating components | ||||
| CVE-2020-11982 | 1 Apache | 1 Airflow | 2024-08-04 | 9.8 Critical |
| An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker. | ||||
| CVE-2020-11974 | 1 Apache | 1 Dolphinscheduler | 2024-08-04 | 9.8 Critical |
| In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database. | ||||
| CVE-2020-11996 | 7 Apache, Canonical, Debian and 4 more | 11 Tomcat, Ubuntu Linux, Debian Linux and 8 more | 2024-08-04 | 7.5 High |
| A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. | ||||
| CVE-2020-11972 | 3 Apache, Oracle, Redhat | 5 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 2 more | 2024-08-04 | 9.8 Critical |
| Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0. | ||||