Filtered by vendor Apache
Subscribe
Total
2282 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13944 | 1 Apache | 1 Airflow | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. | |||||
| CVE-2020-13928 | 1 Apache | 1 Atlas | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas before 2.1.0 contain a XSS vulnerability. While saving search or rendering elements values are not sanitized correctly and because of that it triggers the XSS vulnerability. | |||||
| CVE-2020-1953 | 2 Apache, Oracle | 3 Commons Configuration, Database Server, Healthcare Foundation | 2024-02-28 | 7.5 HIGH | 10.0 CRITICAL |
| Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application. | |||||
| CVE-2020-1958 | 1 Apache | 1 Druid | 2024-02-28 | 3.5 LOW | 6.5 MEDIUM |
| When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user. | |||||
| CVE-2019-12425 | 1 Apache | 1 Ofbiz | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host | |||||
| CVE-2019-17565 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding. Upgrade to versions 7.1.9 and 8.0.6 or later versions. | |||||
| CVE-2020-1963 | 1 Apache | 1 Ignite | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem. | |||||
| CVE-2019-0230 | 2 Apache, Oracle | 5 Struts, Communications Policy Management, Financial Services Data Integration Hub and 2 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | |||||
| CVE-2020-9483 | 1 Apache | 1 Skywalking | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| **Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters. | |||||
| CVE-2020-1951 | 4 Apache, Canonical, Debian and 1 more | 6 Tika, Ubuntu Linux, Debian Linux and 3 more | 2024-02-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23. | |||||
| CVE-2020-1961 | 1 Apache | 1 Syncope | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered. | |||||
| CVE-2020-13921 | 1 Apache | 1 Skywalking | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| **Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases. | |||||
| CVE-2020-11976 | 1 Apache | 2 Fortress, Wicket | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5 | |||||
| CVE-2019-10091 | 1 Apache | 1 Geode | 2024-02-28 | 4.0 MEDIUM | 7.4 HIGH |
| When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise intra-cluster communication using a man-in-the-middle attack. | |||||
| CVE-2020-11989 | 1 Apache | 1 Shiro | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | |||||
| CVE-2020-13925 | 1 Apache | 1 Kylin | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0. | |||||
| CVE-2020-1945 | 5 Apache, Canonical, Fedoraproject and 2 more | 50 Ant, Ubuntu Linux, Fedora and 47 more | 2024-02-28 | 3.3 LOW | 6.3 MEDIUM |
| Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process. | |||||
| CVE-2019-17564 | 1 Apache | 1 Dubbo | 2024-02-28 | 6.8 MEDIUM | 9.8 CRITICAL |
| Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions. | |||||
| CVE-2020-9484 | 7 Apache, Canonical, Debian and 4 more | 26 Tomcat, Ubuntu Linux, Debian Linux and 23 more | 2024-02-28 | 4.4 MEDIUM | 7.0 HIGH |
| When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. | |||||
| CVE-2020-9489 | 2 Apache, Oracle | 5 Tika, Communications Messaging Server, Flexcube Private Banking and 2 more | 2024-02-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. | |||||