Filtered by vendor Apache
Subscribe
Total
2223 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-3161 | 1 Apache | 1 Hadoop | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. | |||||
| CVE-2016-6799 | 1 Apache | 1 Cordova | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications. | |||||
| CVE-2016-6811 | 1 Apache | 1 Hadoop | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. | |||||
| CVE-2016-0779 | 1 Apache | 1 Tomee | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
| CVE-2015-5174 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. | |||||
| CVE-2016-0784 | 1 Apache | 1 Openmeetings | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in the Import/Export System Backups functionality in Apache OpenMeetings before 3.1.1 allows remote authenticated administrators to write to arbitrary files via a .. (dot dot) in a ZIP archive entry. | |||||
| CVE-2016-0785 | 1 Apache | 1 Struts | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. | |||||
| CVE-2015-3252 | 1 Apache | 1 Cloudstack | 2023-12-10 | 6.0 MEDIUM | 9.8 CRITICAL |
| Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual machines, which allows remote attackers to gain access by connecting to the VNC server. | |||||
| CVE-2016-1513 | 1 Apache | 1 Openoffice | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH |
| The Impress tool in Apache OpenOffice 4.1.2 and earlier allows remote attackers to cause a denial of service (out-of-bounds read or write) or execute arbitrary code via crafted MetaActions in an (1) ODP or (2) OTP file. | |||||
| CVE-2015-3253 | 2 Apache, Oracle | 6 Groovy, Health Sciences Clinical Development Center, Retail Order Broker Cloud Service and 3 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. | |||||
| CVE-2016-2168 | 1 Apache | 1 Subversion | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. | |||||
| CVE-2016-5387 | 8 Apache, Canonical, Debian and 5 more | 21 Http Server, Ubuntu Linux, Debian Linux and 18 more | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. | |||||
| CVE-2015-0253 | 3 Apache, Apple, Oracle | 5 Http Server, Mac Os X, Mac Os X Server and 2 more | 2023-12-10 | 5.0 MEDIUM | N/A |
| The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI. | |||||
| CVE-2016-4433 | 1 Apache | 1 Struts | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | |||||
| CVE-2015-8320 | 1 Apache | 1 Cordova | 2023-12-10 | 5.0 MEDIUM | N/A |
| Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value. | |||||
| CVE-2015-3251 | 1 Apache | 1 Cloudstack | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| Apache CloudStack before 4.5.2 might allow remote authenticated administrators to obtain sensitive password information for root accounts of virtual machines via unspecified vectors related to API calls. | |||||
| CVE-2016-5000 | 1 Apache | 1 Poi | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2016-6325 | 2 Apache, Redhat | 11 Tomcat, Enterprise Linux, Enterprise Linux Desktop and 8 more | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group. | |||||
| CVE-2014-3612 | 1 Apache | 1 Activemq | 2023-12-10 | 7.5 HIGH | N/A |
| The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames. | |||||
| CVE-2015-0266 | 1 Apache | 1 Ranger | 2023-12-10 | 6.5 MEDIUM | 7.1 HIGH |
| The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs. | |||||