Filtered by vendor Apache
Subscribe
Total
2223 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-2160 | 1 Apache | 1 Cxf | 2023-12-10 | 5.0 MEDIUM | N/A |
The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors. | |||||
CVE-2012-2378 | 1 Apache | 1 Cxf | 2023-12-10 | 4.3 MEDIUM | N/A |
Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies. | |||||
CVE-2013-0248 | 1 Apache | 1 Commons Fileupload | 2023-12-10 | 3.3 LOW | N/A |
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack. | |||||
CVE-2013-2254 | 1 Apache | 2 Org.apache.sling.servlets.post, Sling | 2023-12-10 | 5.0 MEDIUM | N/A |
The deepGetOrCreateNode function in impl/operations/AbstractCreateOperation.java in org.apache.sling.servlets.post.bundle 2.2.0 and 2.3.0 in Apache Sling does not properly handle a NULL value that returned when the session does not have permissions to the root node, which allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors. | |||||
CVE-2013-3060 | 1 Apache | 1 Activemq | 2023-12-10 | 6.4 MEDIUM | N/A |
The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests. | |||||
CVE-2012-3499 | 1 Apache | 1 Http Server | 2023-12-10 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. | |||||
CVE-2012-6612 | 1 Apache | 1 Solr | 2023-12-10 | 7.5 HIGH | N/A |
The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407. | |||||
CVE-2013-2251 | 1 Apache | 1 Struts | 2023-12-10 | 9.3 HIGH | N/A |
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. | |||||
CVE-2012-5785 | 1 Apache | 1 Axis2 | 2023-12-10 | 5.8 MEDIUM | N/A |
Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
CVE-2012-0256 | 1 Apache | 1 Traffic Server | 2023-12-10 | 5.0 MEDIUM | N/A |
Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3 does not properly allocate heap memory, which allows remote attackers to cause a denial of service (daemon crash) via a long HTTP Host header. | |||||
CVE-2013-1909 | 2 Apache, Redhat | 2 Qpid, Enterprise Mrg | 2023-12-10 | 5.8 MEDIUM | N/A |
The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
CVE-2013-2172 | 1 Apache | 1 Santuario Xml Security For Java | 2023-12-10 | 4.3 MEDIUM | N/A |
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature." | |||||
CVE-2013-4517 | 1 Apache | 1 Santuario Xml Security For Java | 2023-12-10 | 4.3 MEDIUM | N/A |
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures. | |||||
CVE-2013-1845 | 2 Apache, Opensuse | 2 Subversion, Opensuse | 2023-12-10 | 2.1 LOW | N/A |
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. | |||||
CVE-2013-4505 | 1 Apache | 2 Mod Dontdothat, Subversion | 2023-12-10 | 2.6 LOW | N/A |
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request. | |||||
CVE-2012-4387 | 1 Apache | 1 Struts | 2023-12-10 | 5.0 MEDIUM | N/A |
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. | |||||
CVE-2012-4431 | 1 Apache | 1 Tomcat | 2023-12-10 | 4.3 MEDIUM | N/A |
org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. | |||||
CVE-2012-3376 | 1 Apache | 1 Hadoop | 2023-12-10 | 7.5 HIGH | N/A |
DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts. | |||||
CVE-2013-2134 | 1 Apache | 1 Struts | 2023-12-10 | 9.3 HIGH | N/A |
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. | |||||
CVE-2013-6398 | 1 Apache | 1 Cloudstack | 2023-12-10 | 2.8 LOW | N/A |
The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request. |