Filtered by vendor Apache
Subscribe
Total
2396 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-47502 | 1 Apache | 1 Openoffice | 2025-02-13 | N/A | 7.8 HIGH |
| Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution. | |||||
| CVE-2022-47501 | 1 Apache | 1 Ofbiz | 2025-02-13 | N/A | 7.5 HIGH |
| Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07. | |||||
| CVE-2022-47185 | 1 Apache | 1 Traffic Server | 2025-02-13 | N/A | 7.5 HIGH |
| Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1. | |||||
| CVE-2022-47184 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2025-02-13 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: 8.0.0 to 9.2.0. | |||||
| CVE-2022-46907 | 1 Apache | 1 Jspwiki | 2025-02-13 | N/A | 6.1 MEDIUM |
| A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later. | |||||
| CVE-2022-46751 | 1 Apache | 1 Ivy | 2025-02-13 | N/A | 8.2 HIGH |
| Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide". | |||||
| CVE-2022-45135 | 1 Apache | 1 Cocoon | 2025-02-13 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. | |||||
| CVE-2022-44730 | 2 Apache, Debian | 2 Xml Graphics Batik, Debian Linux | 2025-02-13 | N/A | 4.4 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL. | |||||
| CVE-2022-44729 | 2 Apache, Debian | 2 Xml Graphics Batik, Debian Linux | 2025-02-13 | N/A | 7.1 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later. | |||||
| CVE-2022-25147 | 1 Apache | 1 Portable Runtime Utility | 2025-02-13 | N/A | 6.5 MEDIUM |
| Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions. | |||||
| CVE-2006-20001 | 1 Apache | 1 Http Server | 2025-02-13 | N/A | 7.5 HIGH |
| A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier. | |||||
| CVE-2020-17519 | 1 Apache | 1 Flink | 2025-02-13 | 5.0 MEDIUM | 7.5 HIGH |
| A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. | |||||
| CVE-2023-28708 | 1 Apache | 1 Tomcat | 2025-02-13 | N/A | 4.3 MEDIUM |
| When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. | |||||
| CVE-2023-25695 | 1 Apache | 1 Airflow | 2025-02-13 | N/A | 5.3 MEDIUM |
| Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. | |||||
| CVE-2023-25693 | 1 Apache | 1 Apache-airflow-providers-apache-sqoop | 2025-02-13 | N/A | 9.8 CRITICAL |
| Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. | |||||
| CVE-2022-38745 | 1 Apache | 1 Openoffice | 2025-02-13 | N/A | 7.8 HIGH |
| Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory. | |||||
| CVE-2024-55633 | 1 Apache | 1 Superset | 2025-02-12 | N/A | 6.5 MEDIUM |
| Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue. | |||||
| CVE-2024-53949 | 1 Apache | 1 Superset | 2025-02-12 | N/A | 6.5 MEDIUM |
| Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue. | |||||
| CVE-2024-52046 | 1 Apache | 1 Mina | 2025-02-12 | N/A | 9.8 CRITICAL |
| The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library. Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods: /** * Accept class names where the supplied ClassNameMatcher matches for * deserialization, unless they are otherwise rejected. * * @param classNameMatcher the matcher to use */ public void accept(ClassNameMatcher classNameMatcher) /** * Accept class names that match the supplied pattern for * deserialization, unless they are otherwise rejected. * * @param pattern standard Java regexp */ public void accept(Pattern pattern) /** * Accept the wildcard specified classes for deserialization, * unless they are otherwise rejected. * * @param patterns Wildcard file name patterns as defined by * {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch} */ public void accept(String... patterns) By default, the decoder will reject *all* classes that will be present in the incoming data. Note: The FtpServer, SSHd and Vysper sub-project are not affected by this issue. | |||||
| CVE-2024-45461 | 1 Apache | 1 Cloudstack | 2025-02-12 | N/A | 5.7 MEDIUM |
| The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false". | |||||