Filtered by vendor Apache
Subscriptions
Total
2529 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2017-5635 | 1 Apache | 1 Nifi | 2025-04-20 | N/A |
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user. | ||||
CVE-2014-3600 | 2 Apache, Redhat | 6 Activemq, Fuse Esb Enterprise, Fuse Management Console and 3 more | 2025-04-20 | N/A |
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. | ||||
CVE-2016-6805 | 1 Apache | 1 Ignite | 2025-04-20 | N/A |
Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. | ||||
CVE-2010-2232 | 1 Apache | 1 Derby | 2025-04-20 | N/A |
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file. | ||||
CVE-2014-3624 | 1 Apache | 1 Traffic Server | 2025-04-20 | N/A |
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. | ||||
CVE-2016-6806 | 1 Apache | 1 Wicket | 2025-04-20 | N/A |
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed. | ||||
CVE-2016-6807 | 1 Apache | 1 Ambari | 2025-04-20 | N/A |
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process. | ||||
CVE-2016-6803 | 2 Apache, Microsoft | 2 Openoffice, Windows | 2025-04-20 | N/A |
An installer defect known as an "unquoted Windows search path vulnerability" affected the Apache OpenOffice before 4.1.3 installers for Windows. The PC must have previously been infected by a Trojan Horse application (or user) running with administrative privilege. Any installer with the unquoted search path vulnerability becomes a delayed trigger for the exploit. | ||||
CVE-2009-1198 | 1 Apache | 1 Juddi | 2025-04-20 | N/A |
Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. | ||||
CVE-2017-7676 | 1 Apache | 1 Ranger | 2025-04-20 | N/A |
Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior. | ||||
CVE-2016-6794 | 6 Apache, Canonical, Debian and 3 more | 15 Tomcat, Ubuntu Linux, Debian Linux and 12 more | 2025-04-20 | 5.3 Medium |
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. | ||||
CVE-2016-6804 | 2 Apache, Microsoft | 2 Openoffice, Windows | 2025-04-20 | 7.8 High |
The Apache OpenOffice installer (versions prior to 4.1.3, including some branded as OpenOffice.org) for Windows contains a defective operation that allows execution of arbitrary code with elevated privileges. This requires that the location in which the installer is run has been previously poisoned by a file that impersonates a dynamic-link library that the installer depends upon. | ||||
CVE-2016-5001 | 1 Apache | 1 Hadoop | 2025-04-20 | N/A |
This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token. | ||||
CVE-2013-4246 | 1 Apache | 1 Subversion | 2025-04-20 | N/A |
libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties. | ||||
CVE-2017-9787 | 1 Apache | 1 Struts | 2025-04-20 | N/A |
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | ||||
CVE-2017-7682 | 1 Apache | 1 Openmeetings | 2025-04-20 | N/A |
Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas. | ||||
CVE-2016-6798 | 1 Apache | 1 Sling | 2025-04-20 | N/A |
In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application. | ||||
CVE-2016-6799 | 1 Apache | 1 Cordova | 2025-04-20 | N/A |
Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications. | ||||
CVE-2014-3582 | 1 Apache | 1 Ambari | 2025-04-20 | N/A |
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. | ||||
CVE-2016-6808 | 2 Apache, Redhat | 2 Tomcat Jk Connector, Jboss Core Services | 2025-04-20 | N/A |
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. |