Filtered by vendor Apache
Subscribe
Total
2627 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-1870 | 1 Apache | 1 Struts | 2025-04-11 | 5.0 MEDIUM | N/A |
| The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. | |||||
| CVE-2010-3689 | 3 Apache, Canonical, Debian | 3 Openoffice, Ubuntu Linux, Debian Linux | 2025-04-11 | 6.9 MEDIUM | N/A |
| soffice in OpenOffice.org (OOo) 3.x before 3.3 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. | |||||
| CVE-2009-4269 | 1 Apache | 1 Derby | 2025-04-11 | 2.1 LOW | N/A |
| The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution. | |||||
| CVE-2013-1909 | 2 Apache, Redhat | 2 Qpid, Enterprise Mrg | 2025-04-11 | 5.8 MEDIUM | N/A |
| The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2012-4558 | 1 Apache | 1 Http Server | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string. | |||||
| CVE-2009-5006 | 2 Apache, Redhat | 2 Qpid, Enterprise Mrg | 2025-04-11 | 4.0 MEDIUM | N/A |
| The SessionAdapter::ExchangeHandlerImpl::checkAlternate function in broker/SessionAdapter.cpp in the C++ Broker component in Apache Qpid before 0.6, as used in Red Hat Enterprise MRG before 1.3 and other products, allows remote authenticated users to cause a denial of service (NULL pointer dereference, daemon crash, and cluster outage) by attempting to modify the alternate of an exchange. | |||||
| CVE-2011-1419 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.8 MEDIUM | N/A |
| Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088. | |||||
| CVE-2013-4517 | 1 Apache | 1 Santuario Xml Security For Java | 2025-04-11 | 4.3 MEDIUM | N/A |
| Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures. | |||||
| CVE-2012-0047 | 1 Apache | 1 Wicket | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter. | |||||
| CVE-2013-4131 | 1 Apache | 1 Subversion | 2025-04-11 | 4.0 MEDIUM | N/A |
| The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds read) via a certain (1) COPY, (2) DELETE, or (3) MOVE request against a revision root. | |||||
| CVE-2009-2949 | 3 Apache, Canonical, Debian | 3 Openoffice, Ubuntu Linux, Debian Linux | 2025-04-11 | 9.3 HIGH | N/A |
| Integer overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm/svt_xpmread.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to execute arbitrary code via a crafted XPM file that triggers a heap-based buffer overflow. | |||||
| CVE-2011-1475 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.0 MEDIUM | N/A |
| The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users." | |||||
| CVE-2010-3872 | 1 Apache | 1 Mod Fcgid | 2025-04-11 | 7.2 HIGH | 7.5 HIGH |
| A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash. | |||||
| CVE-2010-3083 | 2 Apache, Redhat | 2 Qpid, Enterprise Mrg | 2025-04-11 | 4.3 MEDIUM | N/A |
| sys/ssl/SslSocket.cpp in qpidd in Apache Qpid, as used in Red Hat Enterprise MRG before 1.2.2 and other products, when SSL is enabled, allows remote attackers to cause a denial of service (daemon outage) by connecting to the SSL port but not participating in an SSL handshake. | |||||
| CVE-2011-3192 | 4 Apache, Canonical, Opensuse and 1 more | 5 Http Server, Ubuntu Linux, Opensuse and 2 more | 2025-04-11 | 7.8 HIGH | N/A |
| The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. | |||||
| CVE-2013-0248 | 1 Apache | 1 Commons Fileupload | 2025-04-11 | 3.3 LOW | N/A |
| The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack. | |||||
| CVE-2010-1157 | 1 Apache | 1 Tomcat | 2025-04-11 | 2.6 LOW | N/A |
| Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply. | |||||
| CVE-2012-5575 | 2 Apache, Redhat | 6 Cxf, Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform and 3 more | 2025-04-11 | 6.4 MEDIUM | N/A |
| Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack." | |||||
| CVE-2011-4317 | 1 Apache | 1 Http Server | 2025-04-11 | 4.3 MEDIUM | N/A |
| The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368. | |||||
| CVE-2013-1879 | 1 Apache | 1 Activemq | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a message." | |||||