Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Total 2472 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-17561 2 Apache, Oracle 2 Netbeans, Graalvm 2024-11-21 5.0 MEDIUM 7.5 HIGH
The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
CVE-2019-17560 2 Apache, Oracle 2 Netbeans, Graalvm 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
CVE-2019-17559 2 Apache, Debian 2 Traffic Server, Debian Linux 2024-11-21 7.5 HIGH 9.8 CRITICAL
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing. Upgrade to versions 7.1.9 and 8.0.6 or later versions.
CVE-2019-17557 1 Apache 1 Syncope 2024-11-21 3.5 LOW 5.4 MEDIUM
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.
CVE-2019-17556 1 Apache 1 Olingo 2024-11-21 10.0 HIGH 9.8 CRITICAL
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
CVE-2019-17555 1 Apache 1 Olingo 2024-11-21 5.0 MEDIUM 7.5 HIGH
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack.
CVE-2019-17554 1 Apache 1 Olingo 2024-11-21 4.3 MEDIUM 5.5 MEDIUM
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
CVE-2019-17195 3 Apache, Connect2id, Oracle 15 Hadoop, Nimbus Jose\+jwt, Communications Cloud Native Core Security Edge Protection Proxy and 12 more 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
CVE-2019-15544 2 Apache, Rust-protobuf Project 2 Hbase, Rust-protobuf 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.
CVE-2019-14892 3 Apache, Fasterxml, Redhat 8 Geode, Jackson-databind, Decision Manager and 5 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2019-14439 6 Apache, Debian, Fasterxml and 3 more 18 Drill, Debian Linux, Jackson-databind and 15 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVE-2019-13990 5 Apache, Atlassian, Netapp and 2 more 31 Tomee, Jira Service Management, Active Iq Unified Manager and 28 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVE-2019-12426 1 Apache 1 Ofbiz 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06
CVE-2019-12425 1 Apache 1 Ofbiz 2024-11-21 5.0 MEDIUM 7.5 HIGH
Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host
CVE-2019-12423 2 Apache, Oracle 8 Cxf, Commerce Guided Search, Communications Diameter Signaling Router and 5 more 2024-11-21 4.3 MEDIUM 7.5 HIGH
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.
CVE-2019-12422 1 Apache 1 Shiro 2024-11-21 5.0 MEDIUM 7.5 HIGH
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2019-12421 1 Apache 1 Nifi 2024-11-21 6.5 MEDIUM 8.8 HIGH
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
CVE-2019-12420 2 Apache, Debian 2 Spamassassin, Debian Linux 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-12419 2 Apache, Oracle 5 Cxf, Commerce Guided Search, Enterprise Manager Base Platform and 2 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
CVE-2019-12418 6 Apache, Canonical, Debian and 3 more 6 Tomcat, Ubuntu Linux, Debian Linux and 3 more 2024-11-21 4.4 MEDIUM 7.0 HIGH
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.