Filtered by vendor Apache
Subscribe
Total
2295 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37404 | 1 Apache | 1 Hadoop | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | |||||
| CVE-2021-37150 | 3 Apache, Debian, Fedoraproject | 3 Traffic Server, Debian Linux, Fedora | 2024-11-21 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||||
| CVE-2021-37149 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0. | |||||
| CVE-2021-37148 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1. | |||||
| CVE-2021-37147 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0. | |||||
| CVE-2021-36774 | 1 Apache | 1 Kylin | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions. | |||||
| CVE-2021-36749 | 1 Apache | 1 Druid | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1. | |||||
| CVE-2021-36739 | 1 Apache | 1 Pluto | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks. | |||||
| CVE-2021-36738 | 1 Apache | 1 Pluto | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact | |||||
| CVE-2021-36737 | 1 Apache | 1 Pluto | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact | |||||
| CVE-2021-36374 | 2 Apache, Oracle | 36 Ant, Agile Engineering Data Management, Agile Plm and 33 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected. | |||||
| CVE-2021-36373 | 2 Apache, Oracle | 32 Ant, Agile Plm, Banking Trade Finance and 29 more | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. | |||||
| CVE-2021-36372 | 1 Apache | 1 Ozone | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked. | |||||
| CVE-2021-36163 | 1 Apache | 1 Dubbo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1 | |||||
| CVE-2021-36162 | 1 Apache | 1 Dubbo | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2 | |||||
| CVE-2021-36161 | 1 Apache | 1 Dubbo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13 | |||||
| CVE-2021-36160 | 6 Apache, Broadcom, Debian and 3 more | 13 Http Server, Brocade Fabric Operating System Firmware, Debian Linux and 10 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). | |||||
| CVE-2021-36152 | 1 Apache | 1 Gobblin | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Gobblin trusts all certificates used for LDAP connections in Gobblin-as-a-Service. This affects versions <= 0.15.0. Users should update to version 0.16.0 which addresses this issue. | |||||
| CVE-2021-36151 | 1 Apache | 1 Gobblin | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In Apache Gobblin, the Hadoop token is written to a temp file that is visible to all local users on Unix-like systems. This affects versions <= 0.15.0. Users should update to version 0.16.0 which addresses this issue. | |||||
| CVE-2021-36090 | 3 Apache, Netapp, Oracle | 34 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 31 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. | |||||