Filtered by vendor Apache
Subscribe
Total
2627 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-3150 | 1 Apache | 1 Atlas | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookies that could be accessible to client-side script. | |||||
| CVE-2017-3159 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
| CVE-2017-12630 | 1 Apache | 1 Drill | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards. | |||||
| CVE-2017-12634 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
| CVE-2017-5653 | 1 Apache | 1 Cxf | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. | |||||
| CVE-2014-9634 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. | |||||
| CVE-2016-8738 | 1 Apache | 1 Struts | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. | |||||
| CVE-2016-8736 | 1 Apache | 1 Openmeetings | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack. | |||||
| CVE-2015-0224 | 1 Apache | 1 Qpid | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203. | |||||
| CVE-2017-3151 | 1 Apache | 1 Atlas | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality. | |||||
| CVE-2017-9788 | 6 Apache, Apple, Debian and 3 more | 16 Http Server, Mac Os X, Debian Linux and 13 more | 2025-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. | |||||
| CVE-2017-15702 | 1 Apache | 1 Qpid Broker-j | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port. The attacker still needs valid credentials with the authentication provider on the spoofed port. This becomes an issue when the spoofed port has weaker authentication protection (e.g., anonymous access, default accounts) and is normally protected by firewall rules or similar which can be circumvented by this vulnerability. AMQP ports are not affected. Versions 6.0.0 and newer are not affected. | |||||
| CVE-2016-2161 | 1 Apache | 1 Http Server | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests. | |||||
| CVE-2016-8747 | 1 Apache | 1 Tomcat | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request. | |||||
| CVE-2010-2232 | 1 Apache | 1 Derby | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file. | |||||
| CVE-2017-5640 | 1 Apache | 1 Impala | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| It was noticed that a malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled (but TLS is not). If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client will consider the handshake as completed even though no exchange of credentials has happened. | |||||
| CVE-2017-7685 | 1 Apache | 1 Openmeetings | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH. | |||||
| CVE-2017-5636 | 1 Apache | 1 Nifi | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. | |||||
| CVE-2016-6800 | 1 Apache | 1 Ofbiz | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01. | |||||
| CVE-2017-3167 | 6 Apache, Apple, Debian and 3 more | 15 Http Server, Mac Os X, Debian Linux and 12 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. | |||||