Filtered by vendor Apache
Subscribe
Total
2451 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-5003 | 1 Apache | 1 Ws-xmlrpc | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | |||||
CVE-2017-5643 | 1 Apache | 1 Camel | 2025-04-20 | 5.8 MEDIUM | 7.4 HIGH |
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. | |||||
CVE-2017-7684 | 1 Apache | 1 Openmeetings | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
Apache OpenMeetings 1.0.0 doesn't check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server. | |||||
CVE-2017-5636 | 1 Apache | 1 Nifi | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. | |||||
CVE-2014-9635 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies. | |||||
CVE-2016-3090 | 1 Apache | 1 Struts | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. | |||||
CVE-2016-5004 | 1 Apache | 1 Ws-xmlrpc | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes. | |||||
CVE-2017-9793 | 1 Apache | 1 Struts | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload. | |||||
CVE-2017-5653 | 1 Apache | 1 Cxf | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. | |||||
CVE-2016-8739 | 1 Apache | 1 Cxf | 2025-04-20 | 7.8 HIGH | 7.5 HIGH |
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk. | |||||
CVE-2017-7669 | 1 Apache | 1 Hadoop | 2025-04-20 | 8.5 HIGH | 7.5 HIGH |
In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. | |||||
CVE-2017-12612 | 1 Apache | 1 Spark | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later. | |||||
CVE-2017-15707 | 3 Apache, Netapp, Oracle | 12 Struts, Oncommand Balance, Agile Plm Framework and 9 more | 2025-04-20 | 5.0 MEDIUM | 6.2 MEDIUM |
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | |||||
CVE-2017-3159 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
CVE-2017-7676 | 1 Apache | 1 Ranger | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior. | |||||
CVE-2016-6807 | 1 Apache | 1 Ambari | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process. | |||||
CVE-2012-5636 | 1 Apache | 1 Wicket | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response. | |||||
CVE-2017-9801 | 1 Apache | 1 Commons Email | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers. | |||||
CVE-2014-3582 | 1 Apache | 1 Ambari | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. | |||||
CVE-2016-8749 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. |