Filtered by vendor Apache
Subscribe
Search
Total
280 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43082 | 1 Apache | 1 Traffic Server | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0. | |||||
| CVE-2021-40865 | 1 Apache | 1 Storm | 2021-10-28 | 7.5 HIGH | 9.8 CRITICAL |
| An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4 | |||||
| CVE-2019-0230 | 2 Apache, Oracle | 3 Struts, Financial Services Data Integration Hub, Financial Services Market Risk Measurement And Management | 2021-10-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | |||||
| CVE-2021-37608 | 1 Apache | 1 Ofbiz | 2021-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297. | |||||
| CVE-2019-12405 | 1 Apache | 1 Traffic Control | 2021-10-12 | 6.8 MEDIUM | 9.8 CRITICAL |
| Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password. | |||||
| CVE-2021-41616 | 1 Apache | 1 Ddlutils | 2021-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure and used ObjectInputStream.readObject without validating that the input data was safe to deserialize. Please note that DdlUtils is no longer being actively developed. To address the insecurity of the BinaryObjectHelper class, the following changes to DdlUtils have been made: (1) BinaryObjectsHelper.java has been deleted from the DdlUtils source repository and the DdlUtils feature of propagating data of SQL binary types is therefore no longer present in DdlUtils; (2) The ddlutils-1.0 release has been removed from the Apache Release Distribution Infrastructure; (3) The DdlUtils web site has been updated to indicate that DdlUtils is now available only as source code, not as a packaged release. | |||||
| CVE-2017-7525 | 6 Apache, Debian, Fasterxml and 3 more | 23 Struts, Debian Linux, Jackson-databind and 20 more | 2021-09-27 | 7.5 HIGH | 9.8 CRITICAL |
| A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | |||||
| CVE-2021-40146 | 1 Apache | 1 Any23 | 2021-09-23 | 10.0 HIGH | 9.8 CRITICAL |
| A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities. | |||||
| CVE-2021-38555 | 1 Apache | 1 Any23 | 2021-09-23 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. | |||||
| CVE-2021-38540 | 1 Apache | 1 Airflow | 2021-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3. | |||||
| CVE-2021-35474 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2021-09-20 | 7.5 HIGH | 9.8 CRITICAL |
| Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. | |||||
| CVE-2021-30128 | 1 Apache | 1 Ofbiz | 2021-09-20 | 10.0 HIGH | 9.8 CRITICAL |
| Apache OFBiz has unsafe deserialization prior to 17.12.07 version | |||||
| CVE-2021-29200 | 1 Apache | 1 Ofbiz | 2021-09-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack | |||||
| CVE-2021-37579 | 1 Apache | 1 Dubbo | 2021-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found. | |||||
| CVE-2021-36161 | 1 Apache | 1 Dubbo | 2021-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13 | |||||
| CVE-2021-26295 | 1 Apache | 1 Ofbiz | 2021-09-16 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. | |||||
| CVE-2021-27905 | 1 Apache | 1 Solr | 2021-09-16 | 7.5 HIGH | 9.8 CRITICAL |
| The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. | |||||
| CVE-2021-36163 | 1 Apache | 1 Dubbo | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1 | |||||
| CVE-2019-20445 | 6 Apache, Canonical, Debian and 3 more | 8 Spark, Ubuntu Linux, Debian Linux and 5 more | 2021-09-14 | 6.4 MEDIUM | 9.1 CRITICAL |
| HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. | |||||
| CVE-2021-33191 | 1 Apache | 1 Nifi Minifi C\+\+ | 2021-08-31 | 7.5 HIGH | 9.8 CRITICAL |
| From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0 | |||||
| CVE-2017-12629 | 4 Apache, Canonical, Debian and 1 more | 5 Solr, Ubuntu Linux, Debian Linux and 2 more | 2021-08-17 | 7.5 HIGH | 9.8 CRITICAL |
| Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. | |||||
| CVE-2021-37578 | 1 Apache | 1 Juddi | 2021-08-11 | 6.8 MEDIUM | 9.8 CRITICAL |
| Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed. | |||||
| CVE-2018-21234 | 2 Apache, Jodd | 2 Hive, Jodd | 2021-08-11 | 7.5 HIGH | 9.8 CRITICAL |
| Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set. | |||||
| CVE-2020-17510 | 1 Apache | 1 Shiro | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | |||||
| CVE-2017-12627 | 1 Apache | 1 Xerces-c\+\+ | 2021-07-31 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions. | |||||
| CVE-2020-1959 | 1 Apache | 1 Syncope | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code. | |||||
| CVE-2020-1955 | 1 Apache | 1 Couchdb | 2021-07-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`. It was meant as an extension to the long standing setting `require_valid_user`, which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests. The new `require_valid_user_except_for_up` is an off-by-default setting that was meant to allow requiring valid credentials for all endpoints except for the `/_up` endpoint. However, the implementation of this made an error that lead to not enforcing credentials on any endpoint, when enabled. CouchDB versions 3.0.1[1] and 3.1.0[2] fix this issue. | |||||
| CVE-2019-17562 | 1 Apache | 1 Cloudstack | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| A buffer overflow vulnerability has been found in the baremetal component of Apache CloudStack. This applies to all versions prior to 4.13.1. The vulnerability is due to the lack of validation of the mac parameter in baremetal virtual router. If you insert an arbitrary shell command into the mac parameter, v-router will process the command. For example: Normal: http://{GW}:10086/baremetal/provisiondone/{mac}, Abnormal: http://{GW}:10086/baremetal/provisiondone/#';whoami;#. Mitigation of this issue is an upgrade to Apache CloudStack 4.13.1.0 or beyond. | |||||
| CVE-2020-1957 | 1 Apache | 1 Shiro | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | |||||
| CVE-2019-10071 | 1 Apache | 1 Tapestry | 2021-07-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead. | |||||
| CVE-2019-10074 | 1 Apache | 1 Ofbiz | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533 | |||||
| CVE-2020-11969 | 1 Apache | 1 Tomee | 2021-07-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5. | |||||
| CVE-2020-11975 | 1 Apache | 1 Unomi | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process. | |||||
| CVE-2020-1953 | 2 Apache, Oracle | 3 Commons Configuration, Database Server, Healthcare Foundation | 2021-07-21 | 7.5 HIGH | 10.0 CRITICAL |
| Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application. | |||||
| CVE-2020-11973 | 2 Apache, Oracle | 4 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 1 more | 2021-07-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0. | |||||
| CVE-2021-26461 | 1 Apache | 1 Nuttx | 2021-06-24 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Nuttx Versions prior to 10.1.0 are vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. | |||||
| CVE-2019-12419 | 2 Apache, Oracle | 5 Cxf, Commerce Guided Search, Enterprise Manager Base Platform and 2 more | 2021-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client. | |||||
| CVE-2016-4464 | 1 Apache | 1 Cxf Fediz | 2021-06-16 | 7.5 HIGH | 9.8 CRITICAL |
| The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature. | |||||
| CVE-2012-0803 | 1 Apache | 1 Cxf | 2021-06-16 | 7.5 HIGH | 9.8 CRITICAL |
| The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request. | |||||
| CVE-2021-30180 | 1 Apache | 1 Dubbo | 2021-06-10 | 6.8 MEDIUM | 9.8 CRITICAL |
| Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors. | |||||
| CVE-2021-30181 | 1 Apache | 1 Dubbo | 2021-06-10 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code. | |||||
| CVE-2021-30179 | 1 Apache | 1 Dubbo | 2021-06-10 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument. | |||||
| CVE-2021-25641 | 1 Apache | 1 Dubbo | 2021-06-10 | 7.5 HIGH | 9.8 CRITICAL |
| Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it. | |||||
| CVE-2021-29943 | 1 Apache | 1 Solr | 2021-06-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts. | |||||
| CVE-2017-9788 | 6 Apache, Apple, Debian and 3 more | 16 Http Server, Mac Os X, Debian Linux and 13 more | 2021-06-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. | |||||
| CVE-2020-11984 | 7 Apache, Canonical, Debian and 4 more | 13 Http Server, Ubuntu Linux, Debian Linux and 10 more | 2021-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | |||||
| CVE-2017-3167 | 6 Apache, Apple, Debian and 3 more | 15 Http Server, Mac Os X, Debian Linux and 12 more | 2021-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. | |||||
| CVE-2017-7679 | 1 Apache | 1 Http Server | 2021-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. | |||||
| CVE-2017-3169 | 1 Apache | 1 Http Server | 2021-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. | |||||
| CVE-2017-7668 | 1 Apache | 1 Http Server | 2021-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. | |||||