Filtered by vendor Apache
Subscribe
Total
2282 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-4449 | 1 Apache | 1 Hadoop | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. | |||||
CVE-2017-7665 | 1 Apache | 1 Nifi | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient. | |||||
CVE-2017-15707 | 3 Apache, Netapp, Oracle | 12 Struts, Oncommand Balance, Agile Plm Framework and 9 more | 2024-02-28 | 5.0 MEDIUM | 6.2 MEDIUM |
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | |||||
CVE-2017-7677 | 1 Apache | 1 Ranger | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table. | |||||
CVE-2016-5018 | 6 Apache, Canonical, Debian and 3 more | 15 Tomcat, Ubuntu Linux, Debian Linux and 12 more | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. | |||||
CVE-2016-4462 | 1 Apache | 1 Ofbiz | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01 | |||||
CVE-2015-5175 | 1 Apache | 1 Cxf Fediz | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Application plugins in Apache CXF Fediz before 1.1.3 and 1.2.x before 1.2.1 allow remote attackers to cause a denial of service. | |||||
CVE-2016-8739 | 1 Apache | 1 Cxf | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk. | |||||
CVE-2017-12607 | 2 Apache, Debian | 2 Openoffice, Debian Linux | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH |
A vulnerability in OpenOffice's PPT file parser before 4.1.4, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution. | |||||
CVE-2017-3155 | 1 Apache | 1 Atlas | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting. | |||||
CVE-2017-7688 | 1 Apache | 1 Openmeetings | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Apache OpenMeetings 1.0.0 updates user password in insecure manner. | |||||
CVE-2017-9804 | 1 Apache | 1 Struts | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672. | |||||
CVE-2017-15708 | 2 Apache, Oracle | 3 Synapse, Financial Services Market Risk Measurement And Management, Peoplesoft Enterprise Peopletools | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. | |||||
CVE-2017-12635 | 1 Apache | 1 Couchdb | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges. | |||||
CVE-2017-3166 | 1 Apache | 1 Hadoop | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH |
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file. | |||||
CVE-2017-12608 | 2 Apache, Debian | 2 Openoffice, Debian Linux | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH |
A vulnerability in Apache OpenOffice Writer DOC file parser before 4.1.4, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution. | |||||
CVE-2016-3086 | 1 Apache | 1 Hadoop | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. | |||||
CVE-2017-12622 | 1 Apache | 1 Geode | 2024-02-28 | 5.5 MEDIUM | 7.1 HIGH |
When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges. | |||||
CVE-2014-0030 | 1 Apache | 1 Roller | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
CVE-2017-12625 | 1 Apache | 1 Hive | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns. |