Filtered by vendor Apache
Subscribe
Total
2282 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-1959 | 1 Apache | 1 Syncope | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code. | |||||
| CVE-2020-9497 | 3 Apache, Debian, Fedoraproject | 3 Guacamole, Debian Linux, Fedora | 2024-02-28 | 1.2 LOW | 4.4 MEDIUM |
| Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection. | |||||
| CVE-2020-13923 | 1 Apache | 1 Ofbiz | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04 | |||||
| CVE-2020-13941 | 1 Apache | 1 Solr | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access. | |||||
| CVE-2020-13926 | 1 Apache | 1 Kylin | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0. | |||||
| CVE-2019-0235 | 1 Apache | 1 Ofbiz | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. | |||||
| CVE-2020-10727 | 2 Apache, Netapp | 2 Activemq Artemis, Oncommand Workflow Automation | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file. | |||||
| CVE-2020-1955 | 1 Apache | 1 Couchdb | 2024-02-28 | 6.8 MEDIUM | 9.8 CRITICAL |
| CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`. It was meant as an extension to the long standing setting `require_valid_user`, which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests. The new `require_valid_user_except_for_up` is an off-by-default setting that was meant to allow requiring valid credentials for all endpoints except for the `/_up` endpoint. However, the implementation of this made an error that lead to not enforcing credentials on any endpoint, when enabled. CouchDB versions 3.0.1[1] and 3.1.0[2] fix this issue. | |||||
| CVE-2020-1964 | 1 Apache | 1 Heron | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data). | |||||
| CVE-2020-11973 | 2 Apache, Oracle | 4 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 1 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0. | |||||
| CVE-2020-11991 | 1 Apache | 1 Cocoon | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system. | |||||
| CVE-2020-11984 | 7 Apache, Canonical, Debian and 4 more | 13 Http Server, Ubuntu Linux, Debian Linux and 10 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | |||||
| CVE-2019-17561 | 2 Apache, Oracle | 2 Netbeans, Graalvm | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability. | |||||
| CVE-2020-11985 | 1 Apache | 1 Http Server | 2024-02-28 | 4.3 MEDIUM | 5.3 MEDIUM |
| IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020. | |||||
| CVE-2020-1960 | 1 Apache | 1 Flink | 2024-02-28 | 1.9 LOW | 4.7 MEDIUM |
| A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0) where, when running a process with an enabled JMXReporter, with a port configured via metrics.reporter.reporter_name>.port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data. | |||||
| CVE-2020-1950 | 4 Apache, Canonical, Debian and 1 more | 6 Tika, Ubuntu Linux, Debian Linux and 3 more | 2024-02-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23. | |||||
| CVE-2020-11972 | 2 Apache, Oracle | 4 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 1 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0. | |||||
| CVE-2020-1952 | 1 Apache | 1 Iotdb | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no certification.Then, clients could execute code remotely. | |||||
| CVE-2019-0233 | 2 Apache, Oracle | 5 Struts, Communications Policy Management, Financial Services Data Integration Hub and 2 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. | |||||
| CVE-2020-11983 | 1 Apache | 1 Airflow | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
| An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks. | |||||