Filtered by vendor Apache
Subscribe
Total
2295 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-4438 | 1 Apache | 1 Struts | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | |||||
| CVE-2016-4437 | 2 Apache, Redhat | 4 Aurora, Shiro, Fuse and 1 more | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. | |||||
| CVE-2016-4436 | 1 Apache | 1 Struts | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | |||||
| CVE-2016-4434 | 1 Apache | 1 Tika | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. | |||||
| CVE-2016-4433 | 1 Apache | 1 Struts | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | |||||
| CVE-2016-4432 | 1 Apache | 1 Qpid Broker-j | 2024-11-21 | 5.0 MEDIUM | 9.1 CRITICAL |
| The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging. | |||||
| CVE-2016-4431 | 1 Apache | 1 Struts | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | |||||
| CVE-2016-4430 | 1 Apache | 1 Struts | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | |||||
| CVE-2016-4003 | 1 Apache | 1 Struts | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. | |||||
| CVE-2016-3427 | 8 Apache, Canonical, Debian and 5 more | 38 Cassandra, Ubuntu Linux, Debian Linux and 35 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. | |||||
| CVE-2016-3094 | 1 Apache | 1 Qpid Broker-j | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception. | |||||
| CVE-2016-3093 | 2 Apache, Ognl Project | 2 Struts, Ognl | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. | |||||
| CVE-2016-3092 | 4 Apache, Canonical, Debian and 1 more | 6 Commons Fileupload, Tomcat, Ubuntu Linux and 3 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. | |||||
| CVE-2016-3090 | 1 Apache | 1 Struts | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. | |||||
| CVE-2016-3089 | 1 Apache | 1 Openmeetings | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter. | |||||
| CVE-2016-3088 | 1 Apache | 1 Activemq | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. | |||||
| CVE-2016-3087 | 1 Apache | 1 Struts | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. | |||||
| CVE-2016-3086 | 1 Apache | 1 Hadoop | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. | |||||
| CVE-2016-3085 | 1 Apache | 1 Cloudstack | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass authentication and access the user interface via vectors related to the SAML plugin. | |||||
| CVE-2016-3083 | 1 Apache | 1 Hive | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client will accept that as a valid certificate and the SSL handshake will go through. | |||||