Filtered by vendor Apache
Subscribe
Total
2282 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-5657 | 1 Apache | 1 Archiva | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH |
Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights). | |||||
CVE-2016-9774 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to obtain sensitive information or gain root privileges via a symlink attack on the Catalina localhost directory. | |||||
CVE-2017-5643 | 1 Apache | 1 Camel | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH |
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. | |||||
CVE-2017-6891 | 3 Apache, Debian, Gnu | 3 Bookkeeper, Debian Linux, Libtasn1 | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility. | |||||
CVE-2017-5656 | 1 Apache | 1 Cxf | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user. | |||||
CVE-2016-4467 | 1 Apache | 1 Qpid Proton | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. | |||||
CVE-2016-6497 | 1 Apache | 1 Groovy Ldap | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods. | |||||
CVE-2017-3162 | 1 Apache | 1 Hadoop | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0. | |||||
CVE-2016-1566 | 1 Apache | 1 Guacamole | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. NOTE: this vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed. | |||||
CVE-2015-5241 | 1 Apache | 1 Juddi | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
After logging into the portal, the logout jsp page redirects the browser back to the login page after. It is feasible for malicious users to redirect the browser to an unintended web page in Apache jUDDI 3.1.2, 3.1.3, 3.1.4, and 3.1.5 when utilizing the portlets based user interface also known as 'Pluto', 'jUDDI Portal', 'UDDI Portal' or 'uddi-console'. User session data, credentials, and auth tokens are cleared before the redirect. | |||||
CVE-2014-0229 | 2 Apache, Cloudera | 2 Hadoop, Cdh | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command. | |||||
CVE-2016-6805 | 1 Apache | 1 Ignite | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. | |||||
CVE-2016-6811 | 1 Apache | 1 Hadoop | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. | |||||
CVE-2014-3582 | 1 Apache | 1 Ambari | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. | |||||
CVE-2017-5642 | 1 Apache | 1 Ambari | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. | |||||
CVE-2016-8749 | 1 Apache | 1 Camel | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | |||||
CVE-2016-5396 | 1 Apache | 1 Traffic Server | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. | |||||
CVE-2015-3188 | 1 Apache | 1 Storm | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
CVE-2016-8740 | 1 Apache | 1 Http Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. | |||||
CVE-2016-6809 | 1 Apache | 2 Nutch, Tika | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. |