Filtered by vendor Apache
Subscribe
Total
2724 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-9527 | 2 Apache, Fedoraproject | 2 Poi, Fedora | 2025-04-12 | 5.0 MEDIUM | N/A |
| HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file. | |||||
| CVE-2016-1546 | 1 Apache | 1 Http Server | 2025-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows. | |||||
| CVE-2012-5649 | 1 Apache | 1 Couchdb | 2025-04-12 | 6.8 MEDIUM | N/A |
| Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash. | |||||
| CVE-2025-30067 | 1 Apache | 1 Kylin | 2025-04-11 | N/A | 7.2 HIGH |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue. | |||||
| CVE-2022-44621 | 1 Apache | 1 Kylin | 2025-04-11 | N/A | 9.8 CRITICAL |
| Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. | |||||
| CVE-2022-43396 | 1 Apache | 1 Kylin | 2025-04-11 | N/A | 8.8 HIGH |
| In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf. | |||||
| CVE-2025-30473 | 1 Apache | 1 Airflow Common Sql Provider | 2025-04-11 | N/A | 8.8 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. When using the partition clause in SQLTableCheckOperator as parameter (which was a recommended pattern), Authenticated UI User could inject arbitrary SQL command when triggering DAG exposing partition_clause to the user. This allowed the DAG Triggering user to escalate privileges to execute those arbitrary commands which they normally would not have. This issue affects Apache Airflow Common SQL Provider: before 1.24.1. Users are recommended to upgrade to version 1.24.1, which fixes the issue. | |||||
| CVE-2013-4590 | 3 Apache, Debian, Oracle | 3 Tomcat, Debian Linux, Solaris | 2025-04-11 | 4.3 MEDIUM | N/A |
| Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2010-0432 | 1 Apache | 1 Ofbiz | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus. | |||||
| CVE-2012-0021 | 1 Apache | 1 Http Server | 2025-04-11 | 2.6 LOW | N/A |
| The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value. | |||||
| CVE-2013-2250 | 1 Apache | 1 Ofbiz | 2025-04-11 | 10.0 HIGH | N/A |
| Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested expressions. | |||||
| CVE-2012-3373 | 1 Apache | 1 Wicket | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app. | |||||
| CVE-2010-1870 | 1 Apache | 1 Struts | 2025-04-11 | 5.0 MEDIUM | N/A |
| The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. | |||||
| CVE-2010-0219 | 2 Apache, Sap | 2 Axis2, Businessobjects | 2025-04-11 | 10.0 HIGH | N/A |
| Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. | |||||
| CVE-2010-1157 | 1 Apache | 1 Tomcat | 2025-04-11 | 2.6 LOW | N/A |
| Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply. | |||||
| CVE-2012-4001 | 2 Apache, Google | 2 Http Server, Mod Pagespeed | 2025-04-11 | 5.0 MEDIUM | N/A |
| The mod_pagespeed module before 0.10.22.6 for the Apache HTTP Server does not properly verify its host name, which allows remote attackers to trigger HTTP requests to arbitrary hosts via unspecified vectors, as demonstrated by requests to intranet servers. | |||||
| CVE-2010-0408 | 1 Apache | 1 Http Server | 2025-04-11 | 5.0 MEDIUM | N/A |
| The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code. | |||||
| CVE-2012-2145 | 1 Apache | 1 Qpid | 2025-04-11 | 5.0 MEDIUM | N/A |
| Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of incomplete connections. | |||||
| CVE-2010-4008 | 9 Apache, Apple, Canonical and 6 more | 15 Openoffice, Iphone Os, Itunes and 12 more | 2025-04-11 | 4.3 MEDIUM | N/A |
| libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document. | |||||
| CVE-2011-2688 | 3 Apache, Debian, Mod Authnz External Project | 3 Http Server, Debian Linux, Mod Authnz External | 2025-04-11 | 7.5 HIGH | N/A |
| SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field. | |||||