Vulnerabilities (CVE)

Filtered by vendor Apache
Total 2451 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-5003 1 Apache 1 Ws-xmlrpc 2025-04-20 7.5 HIGH 9.8 CRITICAL
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
CVE-2017-5643 1 Apache 1 Camel 2025-04-20 5.8 MEDIUM 7.4 HIGH
Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE.
CVE-2017-7684 1 Apache 1 Openmeetings 2025-04-20 5.0 MEDIUM 7.5 HIGH
Apache OpenMeetings 1.0.0 doesn't check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server.
CVE-2017-5636 1 Apache 1 Nifi 2025-04-20 7.5 HIGH 9.8 CRITICAL
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
CVE-2014-9635 2 Apache, Jenkins 2 Tomcat, Jenkins 2025-04-20 5.0 MEDIUM 5.3 MEDIUM
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
CVE-2016-3090 1 Apache 1 Struts 2025-04-20 6.5 MEDIUM 8.8 HIGH
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.
CVE-2016-5004 1 Apache 1 Ws-xmlrpc 2025-04-20 4.3 MEDIUM 6.5 MEDIUM
The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes.
CVE-2017-9793 1 Apache 1 Struts 2025-04-20 5.0 MEDIUM 7.5 HIGH
The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 uses an outdated XStream library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted XML payload.
CVE-2017-5653 1 Apache 1 Cxf 2025-04-20 5.0 MEDIUM 5.3 MEDIUM
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
CVE-2016-8739 1 Apache 1 Cxf 2025-04-20 7.8 HIGH 7.5 HIGH
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
CVE-2017-7669 1 Apache 1 Hadoop 2025-04-20 8.5 HIGH 7.5 HIGH
In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.
CVE-2017-12612 1 Apache 1 Spark 2025-04-20 7.2 HIGH 7.8 HIGH
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later.
CVE-2017-15707 3 Apache, Netapp, Oracle 12 Struts, Oncommand Balance, Agile Plm Framework and 9 more 2025-04-20 5.0 MEDIUM 6.2 MEDIUM
In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload.
CVE-2017-3159 1 Apache 1 Camel 2025-04-20 7.5 HIGH 9.8 CRITICAL
Apache Camel's camel-snakeyaml component is vulnerable to a Java object deserialization vulnerability. Deserializing untrusted data can lead to security flaws.
CVE-2017-7676 1 Apache 1 Ranger 2025-04-20 7.5 HIGH 9.8 CRITICAL
The policy resource matcher in Apache Ranger before 0.7.1 ignores characters after the '*' wildcard character, as in my*test or test*.txt. This can result in unintended behavior.
CVE-2016-6807 1 Apache 1 Ambari 2025-04-20 7.5 HIGH 9.8 CRITICAL
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process.
CVE-2012-5636 1 Apache 1 Wicket 2025-04-20 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response.
CVE-2017-9801 1 Apache 1 Commons Email 2025-04-20 5.0 MEDIUM 7.5 HIGH
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
CVE-2014-3582 1 Apache 1 Ambari 2025-04-20 7.5 HIGH 9.8 CRITICAL
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster.
CVE-2016-8749 1 Apache 1 Camel 2025-04-20 7.5 HIGH 9.8 CRITICAL
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.