Filtered by vendor Apache
Subscriptions
Total
2430 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-4970 | 3 Apache, Netty, Redhat | 6 Cassandra, Netty, Jboss Amq and 3 more | 2025-04-20 | 7.5 High |
| handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). | ||||
| CVE-2015-1835 | 1 Apache | 1 Cordova | 2025-04-20 | N/A |
| Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL. | ||||
| CVE-2016-8749 | 2 Apache, Redhat | 3 Camel, Jboss Amq, Jboss Fuse | 2025-04-20 | N/A |
| Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | ||||
| CVE-2016-6497 | 1 Apache | 1 Groovy Ldap | 2025-04-20 | 7.5 High |
| main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods. | ||||
| CVE-2015-3188 | 1 Apache | 1 Storm | 2025-04-20 | N/A |
| The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors. | ||||
| CVE-2010-2245 | 1 Apache | 1 Wink | 2025-04-20 | N/A |
| XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document. | ||||
| CVE-2015-0249 | 1 Apache | 1 Roller | 2025-04-20 | N/A |
| The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL). | ||||
| CVE-2012-0881 | 1 Apache | 1 Xerces2 Java | 2025-04-20 | N/A |
| Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. | ||||
| CVE-2015-3254 | 2 Apache, Redhat | 4 Thrift, Jboss Amq, Jboss Data Virtualization and 1 more | 2025-04-20 | N/A |
| The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function. | ||||
| CVE-2016-0762 | 6 Apache, Canonical, Debian and 3 more | 16 Tomcat, Ubuntu Linux, Debian Linux and 13 more | 2025-04-20 | 5.9 Medium |
| The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. | ||||
| CVE-2017-7659 | 2 Apache, Redhat | 2 Http Server, Rhel Software Collections | 2025-04-20 | N/A |
| A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process. | ||||
| CVE-2016-6794 | 6 Apache, Canonical, Debian and 3 more | 15 Tomcat, Ubuntu Linux, Debian Linux and 12 more | 2025-04-20 | 5.3 Medium |
| When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. | ||||
| CVE-2009-1197 | 1 Apache | 1 Juddi | 2025-04-20 | N/A |
| Apache jUDDI before 2.0 allows attackers to spoof entries in log files via vectors related to error logging of keys from uddiget.jsp. | ||||
| CVE-2009-1198 | 1 Apache | 1 Juddi | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. | ||||
| CVE-2016-6811 | 1 Apache | 1 Hadoop | 2025-04-20 | N/A |
| In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. | ||||
| CVE-2016-6798 | 1 Apache | 1 Sling | 2025-04-20 | N/A |
| In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application. | ||||
| CVE-2016-6804 | 2 Apache, Microsoft | 2 Openoffice, Windows | 2025-04-20 | 7.8 High |
| The Apache OpenOffice installer (versions prior to 4.1.3, including some branded as OpenOffice.org) for Windows contains a defective operation that allows execution of arbitrary code with elevated privileges. This requires that the location in which the installer is run has been previously poisoned by a file that impersonates a dynamic-link library that the installer depends upon. | ||||
| CVE-2015-0226 | 2 Apache, Redhat | 7 Wss4j, Jboss Amq, Jboss Data Grid and 4 more | 2025-04-20 | N/A |
| Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487. | ||||
| CVE-2016-5394 | 1 Apache | 1 Sling | 2025-04-20 | 6.1 Medium |
| In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities. | ||||
| CVE-2016-5396 | 1 Apache | 1 Traffic Server | 2025-04-20 | N/A |
| Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. | ||||