Filtered by vendor Apache
Subscribe
Total
2223 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-0763 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2023-12-10 | 6.5 MEDIUM | 6.3 MEDIUM |
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. | |||||
CVE-2016-0782 | 1 Apache | 1 Activemq | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue. | |||||
CVE-2015-0265 | 1 Apache | 1 Ranger | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers to inject arbitrary web script or HTML via the HTTP User-Agent header. | |||||
CVE-2016-0712 | 1 Apache | 1 Jetspeed | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Apache Jetspeed before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to portal. | |||||
CVE-2016-2174 | 1 Apache | 1 Ranger | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime. | |||||
CVE-2015-5345 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. | |||||
CVE-2016-2167 | 1 Apache | 1 Subversion | 2023-12-10 | 4.9 MEDIUM | 6.8 MEDIUM |
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string. | |||||
CVE-2015-8795 | 1 Apache | 1 Solr | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js. | |||||
CVE-2015-1836 | 2 Apache, Ibm | 2 Hbase, Infosphere Biginsights | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic. | |||||
CVE-2016-5017 | 1 Apache | 1 Zookeeper | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string. | |||||
CVE-2016-0783 | 1 Apache | 1 Openmeetings | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The sendHashByUser function in Apache OpenMeetings before 3.1.1 generates predictable password reset tokens, which makes it easier for remote attackers to reset arbitrary user passwords by leveraging knowledge of a user name and the current system time. | |||||
CVE-2015-3185 | 3 Apache, Apple, Canonical | 5 Http Server, Mac Os X, Mac Os X Server and 2 more | 2023-12-10 | 4.3 MEDIUM | N/A |
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. | |||||
CVE-2015-4928 | 2 Apache, Ibm | 2 Ambari, Infosphere Biginsights | 2023-12-10 | 4.3 MEDIUM | N/A |
Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, includes cleartext passwords on a Configs screen, which allows physically proximate attackers to obtain sensitive information by reading password fields. | |||||
CVE-2016-5425 | 3 Apache, Oracle, Redhat | 9 Tomcat, Instantis Enterprisetrack, Linux and 6 more | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group. | |||||
CVE-2016-0733 | 1 Apache | 1 Ranger | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid username. | |||||
CVE-2015-5347 | 1 Apache | 1 Wicket | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title. | |||||
CVE-2016-3087 | 1 Apache | 1 Struts | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. | |||||
CVE-2016-0731 | 1 Apache | 1 Ambari | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration. | |||||
CVE-2015-5344 | 1 Apache | 1 Camel | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. | |||||
CVE-2014-0231 | 1 Apache | 1 Http Server | 2023-12-10 | 5.0 MEDIUM | N/A |
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. |