Filtered by vendor Apache
Total: 2223 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-8749 | 1 Apache | 1 Camel | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to remote code execution attacks. | |||||
CVE-2017-3159 | 1 Apache | 1 Camel | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's camel-snakeyaml component has a Java object deserialization vulnerability; deserializing untrusted data can lead to security flaws. | |||||
CVE-2016-5393 | 1 Apache | 1 Hadoop | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. | |||||
CVE-2017-5659 | 1 Apache | 1 Traffic Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding. | |||||
CVE-2017-7661 | 1 Apache | 1 Cxf Fediz | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross-Site Request Forgery) vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4. | |||||
CVE-2017-5651 | 1 Apache | 1 Tomcat | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. | |||||
CVE-2016-8740 | 1 Apache | 1 Http Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. | |||||
CVE-2014-3582 | 1 Apache | 1 Ambari | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. | |||||
CVE-2017-5644 | 1 Apache | 1 Poi | 2023-12-10 | 7.1 HIGH | 5.5 MEDIUM |
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. | |||||
CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | |||||
CVE-2016-8747 | 1 Apache | 1 Tomcat | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request. | |||||
CVE-2016-8741 | 1 Apache | 1 Qpid Broker-j | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The Apache Qpid Broker for Java can be configured to use different so-called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist, thus allowing a remote attacker to determine the existence of user accounts. The vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256. | |||||
CVE-2017-5653 | 1 Apache | 1 Cxf | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. | |||||
CVE-2015-3188 | 1 Apache | 1 Storm | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
CVE-2015-5241 | 1 Apache | 1 Juddi | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
After logging into the portal, the logout JSP page redirects the browser back to the login page. It is feasible for malicious users to redirect the browser to an unintended web page in Apache jUDDI 3.1.2, 3.1.3, 3.1.4, and 3.1.5 when utilizing the portlets-based user interface, also known as 'Pluto', 'jUDDI Portal', 'UDDI Portal' or 'uddi-console'. User session data, credentials, and auth tokens are cleared before the redirect. | |||||
CVE-2017-5642 | 1 Apache | 1 Ambari | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. | |||||
CVE-2016-6816 | 1 Apache | 1 Tomcat | 2023-12-10 | 6.8 MEDIUM | 7.1 HIGH |
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own. | |||||
CVE-2016-9775 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack. | |||||
CVE-2016-6497 | 1 Apache | 1 Groovy Ldap | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks because returnObjFlag is set to true for all search methods. | |||||
CVE-2017-7662 | 1 Apache | 1 Cxf Fediz | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross-Site Request Forgery) vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, reset secrets, etc., after the admin user has logged on to the client registration service and the session is still active. |
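
Added example for the XML Entity Expansion entry CVE-2017-5644 (Apache POI) above. This is illustrative Python written for this page, not Apache POI code (POI is Java). An OOXML package is a zip of XML parts, none of which needs a DOCTYPE, so the hardened parser refuses any DOCTYPE before the entity declarations inside it are read; the lenient parser beside it shows the expansion the advisory describes. The part names, the benign part and the billion-laughs payload are all constructed for the demo.

```python
# Added example: refuse DTDs in OOXML parts (not Apache POI code).
import io
import xml.parsers.expat
import zipfile


class DoctypeRefused(ValueError):
    """Raised when an XML part carries a DOCTYPE and so could define entities."""


def parse_part_strict(data: bytes) -> str:
    """Return the character data of an XML part, refusing any DOCTYPE."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any <!ENTITY ...> in the subset is processed.
        raise DoctypeRefused(f"DOCTYPE {name!r} refused in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_part_lenient(data: bytes) -> str:
    """Same parse with entity expansion left enabled (the vulnerable pattern)."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def scan_ooxml(blob: bytes) -> dict:
    """Parse every XML part of an in-memory OOXML zip with the strict parser."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith((".xml", ".rels")):
                out[name] = parse_part_strict(zf.read(name))
    return out


def package_is_safe(blob: bytes) -> bool:
    """True when every XML part parsed without a DOCTYPE being seen."""
    try:
        scan_ooxml(blob)
        return True
    except DoctypeRefused:
        return False


def build_zip(parts: dict) -> bytes:
    """Constructed test input: a minimal zip of name -> bytes parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def billion_laughs(depth: int = 3, fanout: int = 10) -> bytes:
    """Constructed XEE payload: each entity references the previous one fanout times,
    so the text expands to 3 * fanout**depth characters."""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, depth + 1):
        ref = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{ref}">')
    doc = ('<?xml version="1.0"?>\n<!DOCTYPE x [\n' + "\n".join(decls)
           + f"\n]>\n<x>&e{depth};</x>")
    return doc.encode()


# Constructed benign part, shaped like a WordprocessingML document fragment.
BENIGN_PART = (b'<?xml version="1.0"?><w:document xmlns:w="urn:example">'
               b'<w:t>hello</w:t></w:document>')
```

Refusing the DOCTYPE outright is stricter than limiting expansion depth, and it is the right default for a format that never legitimately uses one; a parser that must accept DTDs elsewhere should instead cap the expanded size and reject external entities.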
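
Added example for the SCRAM user-enumeration entry CVE-2016-8741 (Apache Qpid Broker-J) above. This is illustrative Python, not Qpid code (the broker is Java), and it implements only the step that leaks: the server's reply to client-first. The pre-fix behaviour aborts the negotiation for an unknown user; the hardened path answers with a deterministic fake salt (an HMAC of the user name under a per-broker secret) and the normal iteration count, so the reply is indistinguishable from a real account's and the attempt fails later at client-final exactly as a wrong password would. The user names, passwords and nonces are constructed; SCRAM user-name escaping (=2C, =3D) is not handled.

```python
# Added example: enumeration-resistant SCRAM-SHA-256 server-first (not Qpid code).
import base64
import hashlib
import hmac
import secrets


class ScramError(Exception):
    pass


ITERATIONS = 4096  # RFC 7677 minimum for SCRAM-SHA-256


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def parse_attrs(msg: str) -> dict:
    """Parse an 'a=v,b=w' attribute list (RFC 5802 attribute syntax)."""
    return dict(part.split("=", 1) for part in msg.split(","))


def parse_client_first(msg: str):
    """Return (username, client_nonce) from 'n,,n=user,r=nonce'."""
    gs2, sep, bare = msg.partition(",,")
    if not sep or gs2[:1] not in ("n", "y", "p"):
        raise ScramError("bad GS2 header")
    attrs = parse_attrs(bare)
    if "n" not in attrs or "r" not in attrs:
        raise ScramError("missing n= or r=")
    return attrs["n"], attrs["r"]


class ScramServer:
    def __init__(self, enum_safe: bool = True):
        self.enum_safe = enum_safe
        self._users = {}  # name -> (salt, iterations, stored_key, server_key)
        self._fake_salt_key = secrets.token_bytes(32)  # per-broker secret, assumed

    def add_user(self, name: str, password: str):
        """Store SCRAM verifier material the way RFC 5802 section 3 derives it."""
        salt = secrets.token_bytes(16)
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
        stored_key = hashlib.sha256(client_key).digest()
        server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
        self._users[name] = (salt, ITERATIONS, stored_key, server_key)

    def server_first(self, client_first: str) -> str:
        user, cnonce = parse_client_first(client_first)
        if user in self._users:
            salt, iterations = self._users[user][:2]
        elif self.enum_safe:
            # Unknown user: same-length salt, stable across attempts, normal
            # iteration count. The reply carries no hint that the user is absent.
            salt = hmac.new(self._fake_salt_key, user.encode(),
                            hashlib.sha256).digest()[:16]
            iterations = ITERATIONS
        else:
            # Pre-fix behaviour: terminate the negotiation early, which tells
            # the client that the account does not exist.
            raise ScramError("unknown user")
        snonce = cnonce + secrets.token_urlsafe(18)
        return f"r={snonce},s={_b64(salt)},i={iterations}"
```

The fake salt must be a keyed function of the user name rather than a fresh random value: a server that returned a different salt for the same unknown user on every attempt would still be distinguishable from one holding a real account, whose salt never changes.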
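
Added example for the request-line entry CVE-2016-6816 (Apache Tomcat) above. This is illustrative Python, not Tomcat code. The advisory only says the parser "permitted invalid characters"; the specific byte used below (a form feed inside the request target) is chosen for illustration and is not taken from the advisory. The point it shows is the precondition for the attack: a front end that splits the request line on SP only and a back end that splits on any ASCII whitespace see different request targets for the same bytes, while a parser that enforces the RFC 7230 grammar rejects the line outright.

```python
# Added example: strict vs. tolerant HTTP/1.x request-line parsing (not Tomcat code).
import re

# RFC 7230: request-line = method SP request-target SP HTTP-version CRLF
# method is a token; request-target here is limited to visible ASCII
# (no SP, no CTL, no DEL); HTTP-version is HTTP/1.0 or HTTP/1.1.
_REQUEST_LINE = re.compile(
    rb"([!#$%&'*+\-.^_`|~0-9A-Za-z]+) ([\x21-\x7e]+) (HTTP/1\.[01])\r\n"
)
MAX_REQUEST_LINE = 8192  # assumed limit, in the spirit of Tomcat's maxHttpHeaderSize


class BadRequestLine(ValueError):
    pass


def parse_strict(line: bytes):
    """Return (method, target, version) or raise BadRequestLine."""
    if len(line) > MAX_REQUEST_LINE:
        raise BadRequestLine("request line too long")
    m = _REQUEST_LINE.fullmatch(line)
    if not m:
        raise BadRequestLine(f"invalid request line: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def parse_lenient(line: bytes):
    """The tolerant pattern: strip, then split on any run of ASCII whitespace
    (SP, HT, VT, FF, CR, LF), so a control character ends the target early."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3:
        raise BadRequestLine(f"invalid request line: {line!r}")
    return tuple(parts)


def parse_sp_only(line: bytes):
    """A proxy-style parser that treats only SP (0x20) as the field separator
    and otherwise passes the bytes through."""
    body = line[:-2] if line.endswith(b"\r\n") else line
    parts = body.split(b" ")
    if len(parts) != 3:
        raise BadRequestLine(f"invalid request line: {line!r}")
    return tuple(parts)


def targets_disagree(line: bytes) -> bool:
    """True when the SP-only front end and the tolerant back end both accept
    the line but route it to different targets: the desync precondition."""
    try:
        return parse_sp_only(line)[1] != parse_lenient(line)[1]
    except BadRequestLine:
        return False
```

Where two parsers disagree, the one nearer the client wins on routing decisions (authorization, caching) while the one behind it wins on what is actually served; rejecting anything outside the grammar at every hop removes the disagreement rather than trying to pick a canonical interpretation.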
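
Added example for the Debian/Ubuntu tomcat packaging entry CVE-2016-9775 above. This is an audit check written for this page, not the distribution fix (which lives in the packages' postrm scripts): it walks a directory tree that a service account can write to and reports any regular file carrying the set-user-ID or set-group-ID bit, the kind of planted program the advisory demonstrates under /etc/tomcat8/Catalina. The directory layout, file names and modes are constructed in a temporary directory for the demo.

```python
# Added example: audit a service-writable tree for set-id files (not the Debian fix).
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root: str):
    """Return sorted (path, mode string) for regular files with setuid or setgid set.
    Symlinks are not followed (lstat), so a link pointing at /usr/bin is not reported."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)


def demo():
    """Build a constructed tree shaped like /etc/tomcat8 and scan it.
    Returns (hits, expected); 'expected' is recomputed from the modes the
    filesystem actually kept, because chmod silently drops the setgid bit
    when the caller is not a member of the file's group."""
    with tempfile.TemporaryDirectory(prefix="catalina-audit-") as root:
        layout = {
            "Catalina/localhost/ROOT.xml": 0o644,
            "Catalina/attack": 0o2755,   # setgid, as in the advisory's example path
            "Catalina/attack2": 0o4755,  # setuid variant
            "server.xml": 0o640,
        }
        expected = []
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\n")  # constructed placeholder content
            os.chmod(path, mode)
            st = os.lstat(path)
            if st.st_mode & SETID_BITS:
                expected.append((path, stat.filemode(st.st_mode)))
        return find_setid_files(root), sorted(expected)
```

Run the scan over every directory owned or writable by the service account (not only the configuration tree) before any privileged maintenance script runs a recursive chown or chmod there, and treat a hit as an incident rather than a configuration drift: nothing a web server legitimately writes needs a set-id bit.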