Filtered by vendor Apache
Subscribe
Total
349 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-5648 | 1 Apache | 1 Tomcat | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. | |||||
CVE-2016-6808 | 1 Apache | 1 Tomcat Jk Connector | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. | |||||
CVE-2016-6807 | 1 Apache | 1 Ambari | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process. | |||||
CVE-2016-8749 | 1 Apache | 1 Camel | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | |||||
CVE-2017-3159 | 1 Apache | 1 Camel | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
CVE-2017-5651 | 1 Apache | 1 Tomcat | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. | |||||
CVE-2014-3582 | 1 Apache | 1 Ambari | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. | |||||
CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | |||||
CVE-2015-3188 | 1 Apache | 1 Storm | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
CVE-2017-5642 | 1 Apache | 1 Ambari | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. | |||||
CVE-2016-0779 | 1 Apache | 1 Tomee | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
CVE-2015-3252 | 1 Apache | 1 Cloudstack | 2023-12-10 | 6.0 MEDIUM | 9.8 CRITICAL |
Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual machines, which allows remote attackers to gain access by connecting to the VNC server. | |||||
CVE-2015-3253 | 2 Apache, Oracle | 6 Groovy, Health Sciences Clinical Development Center, Retail Order Broker Cloud Service and 3 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. | |||||
CVE-2016-2099 | 2 Apache, Opensuse | 2 Xerces-c\+\+, Opensuse | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document. | |||||
CVE-2016-4438 | 1 Apache | 1 Struts | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | |||||
CVE-2016-3088 | 1 Apache | 1 Activemq | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. | |||||
CVE-2016-1000031 | 1 Apache | 1 Commons Fileupload | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution | |||||
CVE-2016-0729 | 2 Apache, Fedoraproject | 2 Xerces-c\\\+\\\+, Fedora | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Multiple buffer overflows in (1) internal/XMLReader.cpp, (2) util/XMLURL.cpp, and (3) util/XMLUri.cpp in the XML Parser library in Apache Xerces-C before 3.1.3 allow remote attackers to cause a denial of service (segmentation fault or memory corruption) or possibly execute arbitrary code via a crafted document. | |||||
CVE-2016-5019 | 1 Apache | 1 Myfaces Trinidad | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string. | |||||
CVE-2016-4436 | 1 Apache | 1 Struts | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. |