Filtered by vendor Apache
Subscribe
Total
2451 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8735 | 6 Apache, Canonical, Debian and 3 more | 19 Tomcat, Ubuntu Linux, Debian Linux and 16 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. | |||||
| CVE-2016-0779 | 1 Apache | 1 Tomee | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
| CVE-2017-7673 | 1 Apache | 1 Openmeetings | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection. | |||||
| CVE-2017-7684 | 1 Apache | 1 Openmeetings | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Apache OpenMeetings 1.0.0 doesn't check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server. | |||||
| CVE-2017-7678 | 1 Apache | 1 Spark | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs. | |||||
| CVE-2016-8743 | 4 Apache, Debian, Netapp and 1 more | 12 Http Server, Debian Linux, Clustered Data Ontap and 9 more | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. | |||||
| CVE-2017-15708 | 2 Apache, Oracle | 3 Synapse, Financial Services Market Risk Measurement And Management, Peoplesoft Enterprise Peopletools | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. | |||||
| CVE-2009-1198 | 1 Apache | 1 Juddi | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. | |||||
| CVE-2016-8748 | 1 Apache | 1 Nifi | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM. | |||||
| CVE-2017-12628 | 1 Apache | 1 James Server | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. | |||||
| CVE-2012-0880 | 1 Apache | 1 Xerces-c\+\+ | 2025-04-20 | 7.8 HIGH | 7.5 HIGH |
| Apache Xerces-C++ allows remote attackers to cause a denial of service (CPU consumption) via a crafted message sent to an XML service that causes hash table collisions. | |||||
| CVE-2017-7679 | 1 Apache | 1 Http Server | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. | |||||
| CVE-2014-3582 | 1 Apache | 1 Ambari | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. | |||||
| CVE-2016-5004 | 1 Apache | 1 Ws-xmlrpc | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes. | |||||
| CVE-2017-5646 | 1 Apache | 1 Knox | 2025-04-20 | 4.9 MEDIUM | 6.8 MEDIUM |
| For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release. | |||||
| CVE-2012-1622 | 1 Apache | 1 Ofbiz | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2015-3188 | 1 Apache | 1 Storm | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2016-6796 | 6 Apache, Canonical, Debian and 3 more | 15 Tomcat, Ubuntu Linux, Debian Linux and 12 more | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. | |||||
| CVE-2016-6803 | 2 Apache, Microsoft | 2 Openoffice, Windows | 2025-04-20 | 9.3 HIGH | 7.8 HIGH |
| An installer defect known as an "unquoted Windows search path vulnerability" affected the Apache OpenOffice before 4.1.3 installers for Windows. The PC must have previously been infected by a Trojan Horse application (or user) running with administrative privilege. Any installer with the unquoted search path vulnerability becomes a delayed trigger for the exploit. | |||||
| CVE-2017-7683 | 1 Apache | 1 Openmeetings | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Apache OpenMeetings 1.0.0 displays Tomcat version and detailed error stack trace, which is not secure. | |||||