Filtered by vendor Apache
Subscribe
Total
2223 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-0119 | 1 Apache | 1 Tomcat | 2023-12-10 | 4.3 MEDIUM | N/A |
| Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application. | |||||
| CVE-2013-1880 | 1 Apache | 1 Activemq | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the refresh parameter to demo/portfolioPublish, a different vulnerability than CVE-2012-6092. | |||||
| CVE-2013-2192 | 1 Apache | 1 Hadoop | 2023-12-10 | 3.2 LOW | N/A |
| The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication. | |||||
| CVE-2015-0250 | 3 Apache, Canonical, Redhat | 3 Batik, Ubuntu Linux, Jboss Enterprise Brms Platform | 2023-12-10 | 6.4 MEDIUM | N/A |
| XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. | |||||
| CVE-2014-0094 | 1 Apache | 1 Struts | 2023-12-10 | 5.0 MEDIUM | N/A |
| The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. | |||||
| CVE-2014-3501 | 1 Apache | 1 Cordova | 2023-12-10 | 4.3 MEDIUM | N/A |
| Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView. | |||||
| CVE-2015-0228 | 4 Apache, Apple, Canonical and 1 more | 5 Http Server, Mac Os X, Mac Os X Server and 2 more | 2023-12-10 | 5.0 MEDIUM | N/A |
| The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function. | |||||
| CVE-2014-0032 | 1 Apache | 1 Subversion | 2023-12-10 | 4.3 MEDIUM | N/A |
| The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command. | |||||
| CVE-2014-0110 | 1 Apache | 1 Cxf | 2023-12-10 | 4.3 MEDIUM | N/A |
| Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message. | |||||
| CVE-2015-0202 | 2 Apache, Opensuse | 2 Subversion, Opensuse | 2023-12-10 | 7.8 HIGH | N/A |
| The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes. | |||||
| CVE-2012-6107 | 1 Apache | 1 Apache Axis2\/c | 2023-12-10 | 4.3 MEDIUM | N/A |
| Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2014-3525 | 1 Apache | 1 Traffic Server | 2023-12-10 | 10.0 HIGH | N/A |
| Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks. | |||||
| CVE-2014-3504 | 3 Apache, Canonical, Serf Project | 3 Subversion, Ubuntu Linux, Serf | 2023-12-10 | 4.0 MEDIUM | N/A |
| The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. | |||||
| CVE-2013-4322 | 1 Apache | 1 Tomcat | 2023-12-10 | 4.3 MEDIUM | N/A |
| Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544. | |||||
| CVE-2015-0254 | 2 Apache, Canonical | 2 Standard Taglibs, Ubuntu Linux | 2023-12-10 | 7.5 HIGH | N/A |
| Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. | |||||
| CVE-2014-0095 | 1 Apache | 1 Tomcat | 2023-12-10 | 5.0 MEDIUM | N/A |
| java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing. | |||||
| CVE-2014-3529 | 1 Apache | 1 Poi | 2023-12-10 | 4.3 MEDIUM | N/A |
| The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2014-10022 | 1 Apache | 1 Traffic Server | 2023-12-10 | 5.0 MEDIUM | N/A |
| Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing. | |||||
| CVE-2014-3627 | 1 Apache | 1 Hadoop | 2023-12-10 | 5.0 MEDIUM | N/A |
| The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache. | |||||
| CVE-2013-7372 | 2 Apache, Google | 2 Harmony, Android | 2023-12-10 | 5.0 MEDIUM | N/A |
| The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013. | |||||