Filtered by vendor Apache
Subscribe
Total
2367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-2516 | 2 Apache, Shibboleth | 2 Xml Security For C\+\+, Shibboleth-sp | 2025-04-11 | 5.0 MEDIUM | N/A |
| Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to cause a denial of service (crash) via a signature using a large RSA key, which triggers a buffer overflow. | |||||
| CVE-2012-0256 | 1 Apache | 1 Traffic Server | 2025-04-11 | 5.0 MEDIUM | N/A |
| Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3 does not properly allocate heap memory, which allows remote attackers to cause a denial of service (daemon crash) via a long HTTP Host header. | |||||
| CVE-2011-2088 | 2 Apache, Opensymphony | 3 Struts, Webwork, Xwork | 2025-04-11 | 5.0 MEDIUM | N/A |
| XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3. | |||||
| CVE-2010-3315 | 1 Apache | 1 Subversion | 2025-04-11 | 6.0 MEDIUM | N/A |
| authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands. | |||||
| CVE-2009-2901 | 1 Apache | 1 Tomcat | 2025-04-11 | 4.3 MEDIUM | N/A |
| The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests. | |||||
| CVE-2013-4505 | 1 Apache | 2 Mod Dontdothat, Subversion | 2025-04-11 | 2.6 LOW | N/A |
| The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request. | |||||
| CVE-2013-2115 | 1 Apache | 1 Struts | 2025-04-11 | 9.3 HIGH | 8.1 HIGH |
| Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. | |||||
| CVE-2013-2192 | 1 Apache | 1 Hadoop | 2025-04-11 | 3.2 LOW | N/A |
| The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication. | |||||
| CVE-2013-0239 | 1 Apache | 1 Cxf | 2025-04-11 | 5.0 MEDIUM | N/A |
| Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element. | |||||
| CVE-2013-2249 | 1 Apache | 1 Http Server | 2025-04-11 | 7.5 HIGH | N/A |
| mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors. | |||||
| CVE-2011-0419 | 9 Apache, Apple, Debian and 6 more | 10 Http Server, Portable Runtime, Mac Os X and 7 more | 2025-04-11 | 4.3 MEDIUM | N/A |
| Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. | |||||
| CVE-2013-1965 | 1 Apache | 2 Struts, Struts2-showcase | 2025-04-11 | 9.3 HIGH | N/A |
| Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. | |||||
| CVE-2013-3060 | 1 Apache | 1 Activemq | 2025-04-11 | 6.4 MEDIUM | N/A |
| The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests. | |||||
| CVE-2013-2251 | 5 Apache, Fujitsu, Microsoft and 2 more | 21 Archiva, Struts, Gp-s and 18 more | 2025-04-11 | 9.3 HIGH | 9.8 CRITICAL |
| Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. | |||||
| CVE-2012-3499 | 1 Apache | 1 Http Server | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. | |||||
| CVE-2011-1183 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.8 MEDIUM | N/A |
| Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419. | |||||
| CVE-2011-1772 | 2 Apache, Opensymphony | 3 Struts, Webwork, Xwork | 2025-04-11 | 2.6 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element. | |||||
| CVE-2011-2329 | 1 Apache | 1 Rampart\/c | 2025-04-11 | 6.5 MEDIUM | N/A |
| The rampart_timestamp_token_validate function in util/rampart_timestamp_token.c in Apache Rampart/C 1.3.0 does not properly calculate the expiration of timestamp tokens, which allows remote attackers to bypass intended access restrictions by leveraging an expired token, a different vulnerability than CVE-2011-0730. | |||||
| CVE-2012-2665 | 5 Apache, Canonical, Debian and 2 more | 11 Openoffice, Ubuntu Linux, Debian Linux and 8 more | 2025-04-11 | 7.5 HIGH | N/A |
| Multiple heap-based buffer overflows in the XML manifest encryption tag parsing functionality in OpenOffice.org and LibreOffice before 3.5.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Open Document Text (.odt) file with (1) a child tag within an incorrect parent tag, (2) duplicate tags, or (3) a Base64 ChecksumAttribute whose length is not evenly divisible by four. | |||||
| CVE-2022-45935 | 1 Apache | 1 James | 2025-04-10 | N/A | 5.5 MEDIUM |
| Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions. | |||||