Filtered by vendor Apache
Subscribe
Total
2295 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17359 | 4 Apache, Bouncycastle, Netapp and 1 more | 21 Tomee, Legion-of-the-bouncy-castle-java-crytography-api, Active Iq Unified Manager and 18 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. | |||||
| CVE-2019-17195 | 3 Apache, Connect2id, Oracle | 15 Hadoop, Nimbus Jose\+jwt, Communications Cloud Native Core Security Edge Protection Proxy and 12 more | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. | |||||
| CVE-2019-15752 | 3 Apache, Docker, Microsoft | 3 Geode, Docker, Windows | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command. | |||||
| CVE-2019-15544 | 2 Apache, Rust-protobuf Project | 2 Hbase, Rust-protobuf | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls. | |||||
| CVE-2019-14892 | 3 Apache, Fasterxml, Redhat | 8 Geode, Jackson-databind, Decision Manager and 5 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. | |||||
| CVE-2019-14439 | 6 Apache, Debian, Fasterxml and 3 more | 18 Drill, Debian Linux, Jackson-databind and 15 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. | |||||
| CVE-2019-13990 | 5 Apache, Atlassian, Netapp and 2 more | 31 Tomee, Jira Service Management, Active Iq Unified Manager and 28 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | |||||
| CVE-2019-12426 | 1 Apache | 1 Ofbiz | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06 | |||||
| CVE-2019-12425 | 1 Apache | 1 Ofbiz | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host | |||||
| CVE-2019-12423 | 2 Apache, Oracle | 8 Cxf, Commerce Guided Search, Communications Diameter Signaling Router and 5 more | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all. | |||||
| CVE-2019-12422 | 1 Apache | 1 Shiro | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. | |||||
| CVE-2019-12421 | 1 Apache | 1 Nifi | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi. | |||||
| CVE-2019-12420 | 2 Apache, Debian | 2 Spamassassin, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. | |||||
| CVE-2019-12419 | 2 Apache, Oracle | 5 Cxf, Commerce Guided Search, Enterprise Manager Base Platform and 2 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client. | |||||
| CVE-2019-12418 | 6 Apache, Canonical, Debian and 3 more | 6 Tomcat, Ubuntu Linux, Debian Linux and 3 more | 2024-11-21 | 4.4 MEDIUM | 7.0 HIGH |
| When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. | |||||
| CVE-2019-12417 | 1 Apache | 1 Airflow | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process. | |||||
| CVE-2019-12416 | 1 Apache | 1 Deltaspike | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| we got reports for 2 injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy which is not the default. | |||||
| CVE-2019-12415 | 2 Apache, Oracle | 27 Poi, Application Testing Suite, Banking Enterprise Originations and 24 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. | |||||
| CVE-2019-12414 | 1 Apache | 1 Superset | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab | |||||
| CVE-2019-12413 | 1 Apache | 1 Superset | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Apache Incubator Superset before 0.31 user could query database metadata information from a database he has no access to, by using a specially crafted complex query. | |||||