Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Total 2428 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-0072 1 Apache 2 Cordova, Cordova File Transfer 2025-04-20 5.0 MEDIUM 7.5 HIGH
ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option.
CVE-2016-4461 2 Apache, Netapp 2 Struts, Oncommand Balance 2025-04-20 9.0 HIGH 8.8 HIGH
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CVE-2017-7681 1 Apache 1 Openmeetings 2025-04-20 6.5 MEDIUM 8.8 HIGH
Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.
CVE-2017-5657 1 Apache 1 Archiva 2025-04-20 6.0 MEDIUM 8.0 HIGH
Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).
CVE-2013-4366 1 Apache 1 Httpclient 2025-04-20 7.5 HIGH 9.8 CRITICAL
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.
CVE-2017-5663 1 Apache 1 Fineract 2025-04-20 6.5 MEDIUM 8.8 HIGH
In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and appended directly to the query.
CVE-2014-0115 1 Apache 1 Storm 2025-04-20 7.8 HIGH 7.5 HIGH
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log.
CVE-2014-3526 1 Apache 1 Wicket 2025-04-20 5.0 MEDIUM 7.5 HIGH
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
CVE-2017-7665 1 Apache 1 Nifi 2025-04-20 4.3 MEDIUM 6.1 MEDIUM
In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.
CVE-2016-6808 1 Apache 1 Tomcat Jk Connector 2025-04-20 7.5 HIGH 9.8 CRITICAL
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42.
CVE-2014-7808 1 Apache 1 Wicket 2025-04-20 5.0 MEDIUM 7.5 HIGH
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.
CVE-2015-5168 1 Apache 1 Traffic Server 2025-04-20 10.0 HIGH 9.8 CRITICAL
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5206.
CVE-2017-5647 1 Apache 1 Tomcat 2025-04-20 5.0 MEDIUM 7.5 HIGH
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
CVE-2017-5655 1 Apache 1 Ambari 2025-04-20 4.0 MEDIUM 6.5 MEDIUM
In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host.
CVE-2014-3579 1 Apache 1 Activemq Apollo 2025-04-20 7.5 HIGH 9.8 CRITICAL
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
CVE-2017-3166 1 Apache 1 Hadoop 2025-04-20 4.6 MEDIUM 7.8 HIGH
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
CVE-2016-6794 6 Apache, Canonical, Debian and 3 more 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more 2025-04-20 5.0 MEDIUM 5.3 MEDIUM
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
CVE-2016-6811 1 Apache 1 Hadoop 2025-04-20 9.0 HIGH 8.8 HIGH
In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
CVE-2017-7682 1 Apache 1 Openmeetings 2025-04-20 6.4 MEDIUM 8.2 HIGH
Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.
CVE-2017-12633 1 Apache 1 Camel 2025-04-20 7.5 HIGH 9.8 CRITICAL
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.