Filtered by vendor Apache
Subscribe
Search
Total
1894 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-3060 | 1 Apache | 1 Activemq | 2016-11-28 | 6.4 MEDIUM | N/A |
| The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests. | |||||
| CVE-2013-1880 | 1 Apache | 1 Activemq | 2016-11-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the refresh parameter to demo/portfolioPublish, a different vulnerability than CVE-2012-6092. | |||||
| CVE-2012-6551 | 1 Apache | 1 Activemq | 2016-11-28 | 5.0 MEDIUM | N/A |
| The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests. | |||||
| CVE-2012-6092 | 1 Apache | 1 Activemq | 2016-11-28 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551. | |||||
| CVE-2013-2185 | 2 Apache, Redhat | 3 Tomcat, Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform | 2016-11-01 | 7.5 HIGH | N/A |
| ** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue. | |||||
| CVE-2009-2696 | 2 Apache, Redhat | 4 Tomcat, Desktop Workstation, Enterprise Linux and 1 more | 2016-10-27 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781. | |||||
| CVE-2013-4262 | 1 Apache | 1 Subversion | 2016-10-18 | 2.4 LOW | N/A |
| svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-2013-7393. | |||||
| CVE-2013-7393 | 1 Apache | 1 Subversion | 2016-10-18 | 2.4 LOW | N/A |
| The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3). | |||||
| CVE-2002-1850 | 1 Apache | 1 Http Server | 2016-10-18 | 5.0 MEDIUM | N/A |
| mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly remote attackers to cause a denial of service (hang and memory consumption) by causing a CGI script to send a large amount of data to stderr, which results in a read/write deadlock between httpd and the CGI script. | |||||
| CVE-2002-1233 | 1 Apache | 1 Http Server | 2016-10-18 | 2.6 LOW | N/A |
| A regression error in the Debian distributions of the apache-ssl package (before 1.3.9 on Debian 2.2, and before 1.3.26 on Debian 3.0), for Apache 1.3.27 and earlier, allows local users to read or modify the Apache password file via a symlink attack on temporary files when the administrator runs (1) htpasswd or (2) htdigest, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2001-0131. | |||||
| CVE-2002-0240 | 1 Apache | 1 Http Server | 2016-10-18 | 5.0 MEDIUM | N/A |
| PHP, when installed with Apache and configured to search for index.php as a default web page, allows remote attackers to obtain the full pathname of the server via the HTTP OPTIONS method, which reveals the pathname in the resulting error message. | |||||
| CVE-2002-0249 | 1 Apache | 1 Http Server | 2016-10-18 | 5.0 MEDIUM | N/A |
| PHP for Windows, when installed on Apache 2.0.28 beta as a standalone CGI module, allows remote attackers to obtain the physical path of the php.exe via a request with malformed arguments such as /123, which leaks the pathname in the error message. | |||||
| CVE-2002-0257 | 2 Apache, Usanet Creations | 2 Http Server, Makebid Auction Deluxe | 2016-10-18 | 7.5 HIGH | N/A |
| Cross-site scripting vulnerability in auction.pl of MakeBid Auction Deluxe 3.30 allows remote attackers to obtain information from other users via the form fields (1) TITLE, (2) DESCTIT, (3) DESC, (4) searchstring, (5) ALIAS, (6) EMAIL, (7) ADDRESS1, (8) ADDRESS2, (9) ADDRESS3, (10) PHONE1, (11) PHONE2, (12) PHONE3, or (13) PHONE4. | |||||
| CVE-2000-1210 | 1 Apache | 1 Tomcat | 2016-10-18 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp. | |||||
| CVE-1999-1293 | 1 Apache | 1 Http Server | 2016-10-18 | 10.0 HIGH | N/A |
| mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause a denial of service via malformed FTP commands, which causes Apache to dump core. | |||||
| CVE-2016-6801 | 2 Apache, Debian | 2 Jackrabbit, Debian Linux | 2016-10-04 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header. | |||||
| CVE-2016-5395 | 1 Apache | 1 Ranger | 2016-09-27 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies. | |||||
| CVE-2016-0760 | 1 Apache | 1 Sentry | 2016-08-22 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple incomplete blacklist vulnerabilities in Apache Sentry before 1.7.0 allow remote authenticated users to execute arbitrary code via the (1) reflect, (2) reflect2, or (3) java_method Hive builtin functions. | |||||
| CVE-2012-2149 | 3 Apache, Libwpd, Redhat | 4 Openoffice.org, Libwpd, Enterprise Linux Optional Productivity Applications and 1 more | 2016-08-17 | 7.5 HIGH | N/A |
| The WPXContentListener::_closeTableRow function in WPXContentListener.cpp in libwpd 0.8.8, as used by OpenOffice.org (OOo) before 3.4, allows remote attackers to execute arbitrary code via a crafted Wordperfect .WPD document that causes a negative array index to be used. NOTE: some sources report this issue as an integer overflow. | |||||
| CVE-2009-3569 | 1 Apache | 1 Openoffice.org | 2016-08-17 | 9.3 HIGH | N/A |
| Stack-based buffer overflow in OpenOffice.org (OOo) allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.8, aka "Client-side stack overflow exploit." NOTE: as of 20091005, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. | |||||
| CVE-2016-2174 | 1 Apache | 1 Ranger | 2016-06-14 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime. | |||||
| CVE-2016-0707 | 1 Apache | 1 Ambari | 2016-05-18 | 2.1 LOW | 3.3 LOW |
| The agent in Apache Ambari before 2.1.2 uses weak permissions for the (1) /var/lib/ambari-agent/data and (2) /var/lib/ambari-agent/keys directories, which allows local users to obtain sensitive information by reading files in the directories. | |||||
| CVE-2016-0731 | 1 Apache | 1 Ambari | 2016-05-18 | 4.0 MEDIUM | 4.9 MEDIUM |
| The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration. | |||||
| CVE-2016-0712 | 1 Apache | 1 Jetspeed | 2016-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Apache Jetspeed before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to portal. | |||||
| CVE-2016-0711 | 1 Apache | 1 Jetspeed | 2016-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Apache Jetspeed before 2.3.1 allow remote attackers to inject arbitrary web script or HTML via the title parameter when adding a (1) link, (2) page, or (3) folder resource. | |||||
| CVE-2016-0710 | 1 Apache | 1 Jetspeed | 2016-04-20 | 7.5 HIGH | 8.8 HIGH |
| Multiple SQL injection vulnerabilities in the User Manager service in Apache Jetspeed before 2.3.1 allow remote attackers to execute arbitrary SQL commands via the (1) role or (2) user parameter to services/usermanager/users/. | |||||
| CVE-2016-0709 | 1 Apache | 1 Jetspeed | 2016-04-20 | 9.0 HIGH | 7.2 HIGH |
| Directory traversal vulnerability in the Import/Export function in the Portal Site Manager in Apache Jetspeed before 2.3.1 allows remote authenticated administrators to write to arbitrary files, and consequently execute arbitrary code, via a .. (dot dot) in a ZIP archive entry, as demonstrated by "../../webapps/x.jsp." | |||||
| CVE-2016-0735 | 1 Apache | 1 Ranger | 2016-04-19 | 6.5 MEDIUM | 8.8 HIGH |
| Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a resource-level exclude policy. | |||||
| CVE-2016-0733 | 1 Apache | 1 Ranger | 2016-04-19 | 7.5 HIGH | 9.8 CRITICAL |
| The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid username. | |||||
| CVE-2016-2171 | 1 Apache | 1 Jetspeed | 2016-04-14 | 6.4 MEDIUM | 7.5 HIGH |
| The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API. | |||||
| CVE-2015-5167 | 1 Apache | 1 Ranger | 2016-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API. | |||||
| CVE-2015-0266 | 1 Apache | 1 Ranger | 2016-04-13 | 6.5 MEDIUM | 7.1 HIGH |
| The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs. | |||||
| CVE-2015-0265 | 1 Apache | 1 Ranger | 2016-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers to inject arbitrary web script or HTML via the HTTP User-Agent header. | |||||
| CVE-2015-8797 | 1 Apache | 1 Solr | 2016-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI. | |||||
| CVE-2015-8795 | 1 Apache | 1 Solr | 2016-02-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js. | |||||
| CVE-2015-7430 | 1 Apache | 1 Hadoop | 2016-01-07 | 4.6 MEDIUM | 8.4 HIGH |
| The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System (GPFS) allows local users to read or write to arbitrary GPFS data via unspecified vectors. | |||||
| CVE-2015-5204 | 1 Apache | 1 Cordova File Transfer | 2015-12-18 | 4.3 MEDIUM | N/A |
| CRLF injection vulnerability in the Apache Cordova File Transfer Plugin (cordova-plugin-file-transfer) for Android before 1.3.0 allows remote attackers to inject arbitrary headers via CRLF sequences in the filename of an uploaded file. | |||||
| CVE-2015-5210 | 1 Apache | 1 Ambari | 2015-11-04 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter. | |||||
| CVE-2015-3186 | 1 Apache | 1 Ambari | 2015-11-04 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration change. | |||||
| CVE-2015-3270 | 1 Apache | 1 Ambari | 2015-11-04 | 6.5 MEDIUM | N/A |
| Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords. | |||||
| CVE-2015-1775 | 1 Apache | 1 Ambari | 2015-11-04 | 5.5 MEDIUM | N/A |
| Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured services via a crafted REST call. | |||||
| CVE-2013-6397 | 1 Apache | 1 Solr | 2015-10-23 | 4.3 MEDIUM | N/A |
| Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries. | |||||
| CVE-2015-1773 | 1 Apache | 1 Flex | 2015-10-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to JavaScript code generated by the asdoc component. | |||||
| CVE-2014-9593 | 1 Apache | 1 Cloudstack | 2015-01-16 | 5.0 MEDIUM | N/A |
| Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call. | |||||
| CVE-2014-10022 | 1 Apache | 1 Traffic Server | 2015-01-14 | 5.0 MEDIUM | N/A |
| Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing. | |||||
| CVE-2014-3628 | 1 Apache | 1 Solr | 2015-01-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the fieldvaluecache object. | |||||
| CVE-2014-3627 | 1 Apache | 1 Hadoop | 2014-12-06 | 5.0 MEDIUM | N/A |
| The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache. | |||||
| CVE-2014-3502 | 1 Apache | 1 Cordova | 2014-11-17 | 4.3 MEDIUM | N/A |
| Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent. | |||||
| CVE-2014-3501 | 1 Apache | 1 Cordova | 2014-11-17 | 4.3 MEDIUM | N/A |
| Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView. | |||||
| CVE-2014-3500 | 1 Apache | 1 Cordova | 2014-11-17 | 6.4 MEDIUM | N/A |
| Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL. | |||||