Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Total 2463 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-14892 3 Apache, Fasterxml, Redhat 8 Geode, Jackson-databind, Decision Manager and 5 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2019-14439 6 Apache, Debian, Fasterxml and 3 more 18 Drill, Debian Linux, Jackson-databind and 15 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVE-2019-13990 5 Apache, Atlassian, Netapp and 2 more 31 Tomee, Jira Service Management, Active Iq Unified Manager and 28 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVE-2019-12426 1 Apache 1 Ofbiz 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06
CVE-2019-12425 1 Apache 1 Ofbiz 2024-11-21 5.0 MEDIUM 7.5 HIGH
Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host
CVE-2019-12423 2 Apache, Oracle 8 Cxf, Commerce Guided Search, Communications Diameter Signaling Router and 5 more 2024-11-21 4.3 MEDIUM 7.5 HIGH
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.
CVE-2019-12422 1 Apache 1 Shiro 2024-11-21 5.0 MEDIUM 7.5 HIGH
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2019-12421 1 Apache 1 Nifi 2024-11-21 6.5 MEDIUM 8.8 HIGH
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
CVE-2019-12420 2 Apache, Debian 2 Spamassassin, Debian Linux 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-12419 2 Apache, Oracle 5 Cxf, Commerce Guided Search, Enterprise Manager Base Platform and 2 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
CVE-2019-12418 6 Apache, Canonical, Debian and 3 more 6 Tomcat, Ubuntu Linux, Debian Linux and 3 more 2024-11-21 4.4 MEDIUM 7.0 HIGH
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CVE-2019-12417 1 Apache 1 Airflow 2024-11-21 3.5 LOW 4.8 MEDIUM
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.
CVE-2019-12416 1 Apache 1 Deltaspike 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
we got reports for 2 injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy which is not the default.
CVE-2019-12415 2 Apache, Oracle 27 Poi, Application Testing Suite, Banking Enterprise Originations and 24 more 2024-11-21 2.1 LOW 5.5 MEDIUM
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CVE-2019-12414 1 Apache 1 Superset 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab
CVE-2019-12413 1 Apache 1 Superset 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
In Apache Incubator Superset before 0.31 user could query database metadata information from a database he has no access to, by using a specially crafted complex query.
CVE-2019-12412 1 Apache 1 Libapreq2 2024-11-21 5.0 MEDIUM 7.5 HIGH
A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
CVE-2019-12410 1 Apache 1 Arrow 2024-11-21 5.0 MEDIUM 7.5 HIGH
While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
CVE-2019-12409 2 Apache, Linux 2 Solr, Linux Kernel 2024-11-21 7.5 HIGH 9.8 CRITICAL
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.
CVE-2019-12408 1 Apache 1 Arrow 2024-11-21 5.0 MEDIUM 7.5 HIGH
It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.