Filtered by vendor Apache
Total: 2322 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2021-41524 | Apache, Fedoraproject, Netapp and 2 more (5) | Http Server, Fedora, Cloud Backup and 2 more (5) | 2024-08-04 | 7.5 High | While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. |
| CVE-2021-41303 | Apache, Oracle (2) | Shiro, Financial Services Crime And Compliance Management Studio (2) | 2024-08-04 | 9.8 Critical | Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0. |
| CVE-2021-41079 | Apache, Debian, Netapp and 1 more (4) | Tomcat, Debian Linux, Management Services For Element Software And Netapp Hci and 3 more (6) | 2024-08-04 | 7.5 High | Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. |
| CVE-2021-40865 | Apache (1) | Storm (1) | 2024-08-04 | 9.8 Critical | An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4. |
| CVE-2021-40690 | Apache, Debian, Oracle and 1 more (4) | Cxf, Santuario Xml Security For Java, Tomee and 23 more (26) | 2024-08-04 | 7.5 High | All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. |
| CVE-2021-40525 | Apache (1) | James (1) | 2024-08-04 | 9.1 Critical | The Apache James ManagedSieve implementation, along with the file storage for sieve scripts, is vulnerable to path traversal, allowing reading and writing any file. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. |
| CVE-2021-40439 | Apache (1) | Openoffice (1) | 2024-08-04 | 6.5 Medium | Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340, a "Billion Laughs" entity expansion denial of service attack exploitable via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice up to 4.1.10 are subject to this issue. expat in version 4.1.11 is patched. |
| CVE-2021-40438 | Apache, Broadcom, Debian and 7 more (10) | Http Server, Brocade Fabric Operating System Firmware, Debian Linux and 22 more (25) | 2024-08-04 | 9.0 Critical | A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. |
| CVE-2021-40369 | Apache (1) | Jspwiki (1) | 2024-08-04 | 6.1 Medium | A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later. |
| CVE-2021-40111 | Apache (1) | James (1) | 2024-08-04 | 6.5 Medium | In Apache James, while fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade. |
| CVE-2021-40110 | Apache (1) | James (1) | 2024-08-04 | 7.5 High | In Apache James, using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regex in linear time without back-tracking. |
| CVE-2021-40146 | Apache (1) | Any23 (1) | 2024-08-04 | 9.8 Critical | A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities. |
| CVE-2021-39275 | Apache, Debian, Fedoraproject and 4 more (7) | Http Server, Debian Linux, Fedora and 11 more (14) | 2024-08-04 | 9.8 Critical | ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. |
| CVE-2021-39235 | Apache (1) | Ozone (1) | 2024-08-04 | 6.5 Medium | In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can do any write operation on the same block. |
| CVE-2021-39236 | Apache (1) | Ozone (1) | 2024-08-04 | 8.8 High | In Apache Ozone before 1.2.0, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user. |
| CVE-2021-39239 | Apache (1) | Jena (1) | 2024-08-04 | 7.5 High | A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server. |
| CVE-2021-39232 | Apache (1) | Ozone (1) | 2024-08-04 | 8.8 High | In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated user, not just by admins. |
| CVE-2021-39231 | Apache (1) | Ozone (1) | 2024-08-04 | 9.1 Critical | In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration. |
| CVE-2021-39234 | Apache (1) | Ozone (1) | 2024-08-04 | 6.8 Medium | In Apache Ozone versions prior to 1.2.0, authenticated users knowing the ID of an existing block can craft specific requests allowing access to those blocks, bypassing other security checks like ACL. |
| CVE-2021-39233 | Apache (1) | Ozone (1) | 2024-08-04 | 9.1 Critical | In Apache Ozone versions prior to 1.2.0, container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client. |