Filtered by vendor Apache
Subscribe
Total
2282 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-17515 | 1 Apache | 1 Airflow | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely. | |||||
CVE-2020-17530 | 2 Apache, Oracle | 8 Struts, Business Intelligence, Communications Diameter Intelligence Hub and 5 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. | |||||
CVE-2020-13937 | 1 Apache | 1 Kylin | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone. | |||||
CVE-2020-17513 | 1 Apache | 1 Airflow | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. | |||||
CVE-2020-9492 | 2 Apache, Oracle | 3 Hadoop, Solr, Financial Services Crime And Compliance Management Studio | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. | |||||
CVE-2020-1936 | 1 Apache | 1 Ambari | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4. | |||||
CVE-2020-13940 | 1 Apache | 1 Nifi | 2024-02-28 | 4.3 MEDIUM | 5.5 MEDIUM |
In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). | |||||
CVE-2021-23926 | 4 Apache, Debian, Netapp and 1 more | 7 Xmlbeans, Debian Linux, Oncommand Unified Manager Core Package and 4 more | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. | |||||
CVE-2020-28052 | 3 Apache, Bouncycastle, Oracle | 20 Karaf, Legion-of-the-bouncy-castle-java-crytography-api, Banking Corporate Lending Process Management and 17 more | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. | |||||
CVE-2020-13953 | 1 Apache | 1 Tapestry | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run. | |||||
CVE-2020-25649 | 6 Apache, Fasterxml, Fedoraproject and 3 more | 39 Iotdb, Jackson-databind, Fedora and 36 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. | |||||
CVE-2021-23901 | 2 Apache, Netapp | 2 Nutch, Snap Creator Framework | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18. | |||||
CVE-2020-13936 | 3 Apache, Debian, Oracle | 16 Velocity Engine, Wss4j, Debian Linux and 13 more | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. | |||||
CVE-2020-17523 | 1 Apache | 1 Shiro | 2024-02-28 | 9.0 HIGH | 9.8 CRITICAL |
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | |||||
CVE-2020-11997 | 1 Apache | 1 Guacamole | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users. | |||||
CVE-2020-17526 | 1 Apache | 1 Airflow | 2024-02-28 | 3.5 LOW | 7.7 HIGH |
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config. | |||||
CVE-2020-13958 | 1 Apache | 1 Openoffice | 2024-02-28 | 9.3 HIGH | 7.8 HIGH |
A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click. | |||||
CVE-2020-17529 | 1 Apache | 1 Nuttx | 2024-02-28 | 6.8 MEDIUM | 9.8 CRITICAL |
Out-of-bounds Write vulnerability in TCP Stack of Apache NuttX (incubating) versions up to and including 9.1.0 and 10.0.0 allows attacker to corrupt memory by supplying and invalid fragmentation offset value specified in the IP header. This is only impacts builds with both CONFIG_EXPERIMENTAL and CONFIG_NET_TCP_REASSEMBLY build flags enabled. | |||||
CVE-2020-13922 | 1 Apache | 1 Dolphinscheduler | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface. | |||||
CVE-2020-9487 | 1 Apache | 1 Nifi | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens. |