Filtered by vendor Apache
Subscribe
Total
2724 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-1198 | 1 Apache | 1 Juddi | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. | |||||
| CVE-2017-15701 | 1 Apache | 1 Qpid Broker-j | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older AMQP protocols are not affected. | |||||
| CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | |||||
| CVE-2017-12628 | 1 Apache | 1 James Server | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. | |||||
| CVE-2012-1622 | 1 Apache | 1 Ofbiz | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2016-8752 | 1 Apache | 1 Atlas | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Atlas versions 0.6.0 (incubating), 0.7.0 (incubating), and 0.7.1 (incubating) allow access to the webapp directory contents by pointing to URIs like /js and /img. | |||||
| CVE-2015-1835 | 1 Apache | 1 Cordova | 2025-04-20 | 2.6 LOW | 5.3 MEDIUM |
| Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL. | |||||
| CVE-2017-7678 | 1 Apache | 1 Spark | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs. | |||||
| CVE-2017-5637 | 2 Apache, Debian | 2 Zookeeper, Debian Linux | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later. | |||||
| CVE-2016-6794 | 6 Apache, Canonical, Debian and 3 more | 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. | |||||
| CVE-2014-7808 | 1 Apache | 1 Wicket | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider. | |||||
| CVE-2017-7666 | 1 Apache | 1 Openmeetings | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks. | |||||
| CVE-2017-7660 | 1 Apache | 1 Solr | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected. | |||||
| CVE-2017-7663 | 1 Apache | 1 Openmeetings | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0. | |||||
| CVE-2017-7659 | 1 Apache | 1 Http Server | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process. | |||||
| CVE-2015-0224 | 1 Apache | 1 Qpid | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203. | |||||
| CVE-2017-7682 | 1 Apache | 1 Openmeetings | 2025-04-20 | 6.4 MEDIUM | 8.2 HIGH |
| Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas. | |||||
| CVE-2016-9775 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack. | |||||
| CVE-2016-6815 | 1 Apache | 1 Ranger | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role. | |||||
| CVE-2016-8749 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | |||||