Filtered by vendor Apache
Subscribe
Total
2282 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | |||||
CVE-2017-3159 | 1 Apache | 1 Camel | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
CVE-2016-0779 | 1 Apache | 1 Tomee | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
CVE-2017-5655 | 1 Apache | 1 Ambari | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host. | |||||
CVE-2016-5387 | 8 Apache, Canonical, Debian and 5 more | 21 Http Server, Ubuntu Linux, Debian Linux and 18 more | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. | |||||
CVE-2015-3253 | 2 Apache, Oracle | 6 Groovy, Health Sciences Clinical Development Center, Retail Order Broker Cloud Service and 3 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. | |||||
CVE-2016-4438 | 1 Apache | 1 Struts | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | |||||
CVE-2015-5346 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. | |||||
CVE-2015-1775 | 1 Apache | 1 Ambari | 2024-02-28 | 5.5 MEDIUM | N/A |
Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured services via a crafted REST call. | |||||
CVE-2015-4940 | 2 Apache, Ibm | 2 Ambari, Infosphere Biginsights | 2024-02-28 | 2.1 LOW | N/A |
Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, stores a cleartext BigSheets password in a configuration file, which allows local users to obtain sensitive information by reading this file. | |||||
CVE-2015-3185 | 3 Apache, Apple, Canonical | 5 Http Server, Mac Os X, Mac Os X Server and 2 more | 2024-02-28 | 4.3 MEDIUM | N/A |
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. | |||||
CVE-2016-3082 | 1 Apache | 1 Struts | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | |||||
CVE-2016-2164 | 1 Apache | 1 Openmeetings | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file. | |||||
CVE-2015-1836 | 2 Apache, Ibm | 2 Hbase, Infosphere Biginsights | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic. | |||||
CVE-2015-4551 | 4 Apache, Canonical, Debian and 1 more | 4 Openoffice, Ubuntu Linux, Debian Linux and 1 more | 2024-02-28 | 4.3 MEDIUM | N/A |
LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 uses the stored LinkUpdateMode configuration information in OpenDocument Format files and templates when handling links, which might allow remote attackers to obtain sensitive information via a crafted document, which embeds data from local files into (1) Calc or (2) Writer. | |||||
CVE-2015-5256 | 1 Apache | 1 Cordova | 2024-02-28 | 4.3 MEDIUM | N/A |
Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI. | |||||
CVE-2015-5254 | 3 Apache, Fedoraproject, Redhat | 3 Activemq, Fedora, Openshift | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. | |||||
CVE-2015-0899 | 1 Apache | 1 Struts | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | |||||
CVE-2015-7521 | 1 Apache | 1 Hive | 2024-02-28 | 7.5 HIGH | 8.3 HIGH |
The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations. | |||||
CVE-2016-5388 | 4 Apache, Hp, Oracle and 1 more | 11 Tomcat, System Management Homepage, Linux and 8 more | 2024-02-28 | 5.1 MEDIUM | 8.1 HIGH |
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability. |