Filtered by vendor Apache
Subscribe
Search
Total
1894 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-1847 | 1 Apache | 1 Subversion | 2017-09-19 | 5.0 MEDIUM | N/A |
| The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist. | |||||
| CVE-2013-1884 | 1 Apache | 1 Subversion | 2017-09-19 | 5.0 MEDIUM | N/A |
| The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an invalid limit, which triggers an access of an uninitialized variable. | |||||
| CVE-2015-2091 | 1 Apache | 1 Mod-gnutls | 2017-09-19 | 5.0 MEDIUM | N/A |
| The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate. | |||||
| CVE-2013-1849 | 1 Apache | 1 Subversion | 2017-09-19 | 4.3 MEDIUM | N/A |
| The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a PROPFIND request for an activity URL. | |||||
| CVE-2013-4277 | 1 Apache | 1 Subversion | 2017-09-19 | 3.3 LOW | N/A |
| Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option. | |||||
| CVE-2012-4534 | 1 Apache | 1 Tomcat | 2017-09-19 | 2.6 LOW | N/A |
| org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response. | |||||
| CVE-2012-5885 | 1 Apache | 1 Tomcat | 2017-09-19 | 5.0 MEDIUM | N/A |
| The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184. | |||||
| CVE-2012-3546 | 1 Apache | 1 Tomcat | 2017-09-19 | 4.3 MEDIUM | N/A |
| org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI. | |||||
| CVE-2012-4431 | 1 Apache | 1 Tomcat | 2017-09-19 | 4.3 MEDIUM | N/A |
| org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. | |||||
| CVE-2012-2733 | 1 Apache | 1 Tomcat | 2017-09-19 | 5.0 MEDIUM | N/A |
| java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data. | |||||
| CVE-2011-1921 | 1 Apache | 1 Subversion | 2017-09-19 | 4.3 MEDIUM | N/A |
| The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is disabled, does not properly enforce permissions for files that had been publicly readable in the past, which allows remote attackers to obtain sensitive information via a replay REPORT operation. | |||||
| CVE-2011-0715 | 1 Apache | 1 Subversion | 2017-09-19 | 4.3 MEDIUM | N/A |
| The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.16, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request that contains a lock token. | |||||
| CVE-2011-1475 | 1 Apache | 1 Tomcat | 2017-09-19 | 5.0 MEDIUM | N/A |
| The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users." | |||||
| CVE-2010-3315 | 1 Apache | 1 Subversion | 2017-09-19 | 6.0 MEDIUM | N/A |
| authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands. | |||||
| CVE-2016-4462 | 1 Apache | 1 Ofbiz | 2017-09-12 | 6.5 MEDIUM | 8.8 HIGH |
| By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01 | |||||
| CVE-2016-3086 | 1 Apache | 1 Hadoop | 2017-09-11 | 5.0 MEDIUM | 9.8 CRITICAL |
| The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. | |||||
| CVE-2017-3155 | 1 Apache | 1 Atlas | 2017-09-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting. | |||||
| CVE-2017-3154 | 1 Apache | 1 Atlas | 2017-09-06 | 5.0 MEDIUM | 7.5 HIGH |
| Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information. | |||||
| CVE-2017-3153 | 1 Apache | 1 Atlas | 2017-09-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Reflected XSS in the search functionality. | |||||
| CVE-2017-3152 | 1 Apache | 1 Atlas | 2017-09-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to DOM XSS in the edit-tag functionality. | |||||
| CVE-2016-8752 | 1 Apache | 1 Atlas | 2017-09-02 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Atlas versions 0.6.0 (incubating), 0.7.0 (incubating), and 0.7.1 (incubating) allow access to the webapp directory contents by pointing to URIs like /js and /img. | |||||
| CVE-2017-3150 | 1 Apache | 1 Atlas | 2017-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookies that could be accessible to client-side script. | |||||
| CVE-2016-1513 | 1 Apache | 1 Openoffice | 2017-09-01 | 6.8 MEDIUM | 7.8 HIGH |
| The Impress tool in Apache OpenOffice 4.1.2 and earlier allows remote attackers to cause a denial of service (out-of-bounds read or write) or execute arbitrary code via crafted MetaActions in an (1) ODP or (2) OTP file. | |||||
| CVE-2016-4460 | 1 Apache | 1 Pony Mail | 2017-08-29 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication. | |||||
| CVE-2014-3529 | 1 Apache | 1 Poi | 2017-08-29 | 4.3 MEDIUM | N/A |
| The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2014-0032 | 1 Apache | 1 Subversion | 2017-08-29 | 4.3 MEDIUM | N/A |
| The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command. | |||||
| CVE-2014-3574 | 1 Apache | 1 Poi | 2017-08-29 | 4.3 MEDIUM | N/A |
| Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack. | |||||
| CVE-2014-3525 | 1 Apache | 1 Traffic Server | 2017-08-29 | 10.0 HIGH | N/A |
| Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks. | |||||
| CVE-2013-2254 | 1 Apache | 2 Org.apache.sling.servlets.post, Sling | 2017-08-29 | 5.0 MEDIUM | N/A |
| The deepGetOrCreateNode function in impl/operations/AbstractCreateOperation.java in org.apache.sling.servlets.post.bundle 2.2.0 and 2.3.0 in Apache Sling does not properly handle a NULL value that returned when the session does not have permissions to the root node, which allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors. | |||||
| CVE-2013-4212 | 1 Apache | 1 Roller | 2017-08-29 | 6.8 MEDIUM | N/A |
| Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated by the pageTitle parameter in the !getPageTitle sub-URL to roller-ui/login.rol, which uses a subclass of UIAction, aka "OGNL Injection." | |||||
| CVE-2013-2758 | 2 Apache, Citrix | 2 Cloudstack, Cloudplatform | 2017-08-29 | 5.0 MEDIUM | N/A |
| Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, which makes it easier for remote attackers to guess the console access URL via a brute force attack. | |||||
| CVE-2013-2756 | 2 Apache, Citrix | 2 Cloudstack, Cloudplatform | 2017-08-29 | 5.0 MEDIUM | N/A |
| Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code. | |||||
| CVE-2013-2136 | 1 Apache | 1 Cloudstack | 2017-08-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "multi-edit fields;" and (6) unspecified "list view" edit fields related to global settings. | |||||
| CVE-2013-1879 | 1 Apache | 1 Activemq | 2017-08-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a message." | |||||
| CVE-2012-5887 | 1 Apache | 1 Tomcat | 2017-08-29 | 5.0 MEDIUM | N/A |
| The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests. | |||||
| CVE-2012-5886 | 1 Apache | 1 Tomcat | 2017-08-29 | 5.0 MEDIUM | N/A |
| The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID. | |||||
| CVE-2012-5785 | 1 Apache | 1 Axis2 | 2017-08-29 | 5.8 MEDIUM | N/A |
| Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2012-5351 | 1 Apache | 1 Axis2 | 2017-08-29 | 6.4 MEDIUM | N/A |
| Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418. | |||||
| CVE-2012-4386 | 1 Apache | 1 Struts | 2017-08-29 | 6.8 MEDIUM | N/A |
| The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. | |||||
| CVE-2012-4387 | 1 Apache | 1 Struts | 2017-08-29 | 5.0 MEDIUM | N/A |
| Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. | |||||
| CVE-2012-6107 | 1 Apache | 1 Apache Axis2\/c | 2017-08-29 | 4.3 MEDIUM | N/A |
| Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2012-5641 | 2 Apache, Mochiweb Project | 2 Couchdb, Mochiweb | 2017-08-29 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in the partition2 function in mochiweb_util.erl in MochiWeb before 2.4.0, as used in Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1, allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the default URI. | |||||
| CVE-2012-2334 | 2 Apache, Libreoffice | 2 Openoffice.org, Libreoffice | 2017-08-29 | 6.8 MEDIUM | N/A |
| Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the length of an Escher graphics record in a PowerPoint (.ppt) document, which triggers a buffer overflow. | |||||
| CVE-2012-1149 | 5 Apache, Debian, Fedoraproject and 2 more | 10 Openoffice.org, Debian Linux, Fedora and 7 more | 2017-08-29 | 7.5 HIGH | N/A |
| Integer overflow in the vclmi.dll module in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted embedded image object, as demonstrated by a JPEG image in a .DOC file, which triggers a heap-based buffer overflow. | |||||
| CVE-2012-1006 | 1 Apache | 1 Struts | 2017-08-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders. | |||||
| CVE-2012-3373 | 1 Apache | 1 Wicket | 2017-08-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app. | |||||
| CVE-2012-3467 | 1 Apache | 1 Qpid | 2017-08-29 | 5.0 MEDIUM | N/A |
| Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication. | |||||
| CVE-2012-3526 | 2 Apache, Thomas Eibner | 2 Http Server, Mod Rpaf | 2017-08-29 | 5.0 MEDIUM | N/A |
| The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache HTTP Server allows remote attackers to cause a denial of service (server or application crash) via multiple X-Forwarded-For headers in a request. | |||||
| CVE-2012-2145 | 1 Apache | 1 Qpid | 2017-08-29 | 5.0 MEDIUM | N/A |
| Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of incomplete connections. | |||||
| CVE-2012-1181 | 1 Apache | 2 Http Server, Mod Fcgid | 2017-08-29 | 5.0 MEDIUM | N/A |
| fcgid_spawn_ctl.c in the mod_fcgid module 2.3.6 for the Apache HTTP Server does not recognize the FcgidMaxProcessesPerClass directive for a virtual host, which makes it easier for remote attackers to cause a denial of service (memory consumption) via a series of HTTP requests that triggers a process count higher than the intended limit. | |||||