Filtered by vendor Apache
Subscribe
Total
2367 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-8008 | 1 Apache | 1 Storm | 2024-11-21 | 5.8 MEDIUM | 5.5 MEDIUM |
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. | |||||
CVE-2018-8007 | 1 Apache | 1 Couchdb | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2. | |||||
CVE-2018-8006 | 1 Apache | 1 Activemq | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter. | |||||
CVE-2018-8005 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x users should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions. | |||||
CVE-2018-8004 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions. | |||||
CVE-2018-8003 | 1 Apache | 1 Ambari | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a directory traversal attack allowing an unauthenticated user to craft an HTTP request which provides read-only access to any file on the filesystem of the host the Ambari Server runs on that is accessible by the user the Ambari Server is running as. Direct network access to the Ambari Server is required to issue this request, and those Ambari Servers that are protected behind a firewall, or in a restricted network zone are at less risk of being affected by this issue. | |||||
CVE-2018-2799 | 7 Apache, Canonical, Debian and 4 more | 15 Xerces-j, Ubuntu Linux, Debian Linux and 12 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). | |||||
CVE-2018-21234 | 2 Apache, Jodd | 2 Hive, Jodd | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set. | |||||
CVE-2018-20245 | 1 Apache | 1 Airflow | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking. | |||||
CVE-2018-20244 | 1 Apache | 1 Airflow | 2024-11-21 | 3.5 LOW | 5.5 MEDIUM |
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | |||||
CVE-2018-20243 | 1 Apache | 1 Fineract | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The implementation of POST with the username and password in the URL parameters exposed the credentials. More infomration is available in fineract jira issues 726 and 629. | |||||
CVE-2018-20242 | 1 Apache | 1 Jspwiki | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking. | |||||
CVE-2018-1340 | 1 Apache | 1 Guacamole | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain. | |||||
CVE-2018-1339 | 1 Apache | 1 Tika | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18. | |||||
CVE-2018-1338 | 1 Apache | 1 Tika | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18. | |||||
CVE-2018-1337 | 1 Apache | 1 Directory Ldap Api | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request). | |||||
CVE-2018-1336 | 4 Apache, Canonical, Debian and 1 more | 9 Tomcat, Ubuntu Linux, Debian Linux and 6 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. | |||||
CVE-2018-1335 | 1 Apache | 1 Tika | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18. | |||||
CVE-2018-1334 | 1 Apache | 1 Spark | 2024-11-21 | 1.9 LOW | 4.7 MEDIUM |
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. | |||||
CVE-2018-1333 | 4 Apache, Canonical, Netapp and 1 more | 6 Http Server, Ubuntu Linux, Cloud Backup and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33). |