VYPR

Apache

by Apache

CVEs (202)

  • CVE-2017-3163 (High) Aug 30, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.07

    When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special…
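
The defect above is a missing check on a caller-supplied file name. The following is an added example, not Solr's replication code: a validator that accepts only a single plain file name and confirms the normalized result still lies inside a fixed index directory. The class name, the method name and the `/var/solr/data/...` directory are assumptions for illustration; the inputs in `main` are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not Solr code): validate a file name taken from an HTTP
// parameter before serving it from a fixed directory.
public final class SafeIndexFile {

    private SafeIndexFile() {}

    /**
     * Returns the resolved path if {@code requested} is a single file name that
     * stays inside {@code indexDir}; otherwise null (the caller should answer 400).
     */
    public static Path resolveInside(Path indexDir, String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Reject anything that is not one path element: separators, parent
        // references and NUL bytes are all signs of a traversal attempt.
        if (requested.indexOf('/') >= 0 || requested.indexOf('\\') >= 0
                || requested.indexOf('\0') >= 0
                || requested.equals(".") || requested.equals("..")) {
            return null;
        }
        Path base = indexDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(requested).normalize();
        // Defence in depth: even after the name check, require that the
        // normalized result is strictly below the base directory.
        if (!resolved.startsWith(base) || resolved.equals(base)) {
            return null;
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path index = Paths.get("/var/solr/data/collection1/index"); // assumed location
        String[] inputs = {                      // constructed test inputs
            "_0.cfs",                            // legitimate segment file
            "../../../../etc/passwd",            // classic traversal
            "..\\..\\solr.xml",                  // Windows-style separators
            "segments_1\0.txt",                  // NUL truncation attempt
            ".."
        };
        for (String in : inputs) {
            Path p = resolveInside(index, in);
            System.out.println((p == null ? "REJECT " : "ALLOW  ") + in.replace("\0", "\\0"));
        }
    }
}
```

Only the first input is allowed. Checking the raw string and then re-checking the normalized path catches both the obvious `..` forms and anything a platform-specific `Path` implementation might fold differently.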

  • CVE-2017-3154 (High) Aug 29, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information.

  • CVE-2016-8752 (High) Aug 29, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    Apache Atlas versions 0.6.0 (incubating), 0.7.0 (incubating), and 0.7.1 (incubating) allow access to the webapp directory contents by pointing to URIs like /js and /img.

  • CVE-2017-7660 (High) Jul 7, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.06

    Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe…

  • CVE-2017-7667 (High) Jun 12, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    Apache NiFi before 0.7.4 and 1.x before 1.3.0 did not set the response header that tells browsers to allow framing only from the same origin, leaving the UI open to clickjacking.
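
Two of the entries above (CVE-2017-3154, stack traces in error responses; CVE-2017-7667, a missing anti-framing header) are fixed at the same place in a web application: the layer that shapes every response. The following is an added example built on the JDK's own `com.sun.net.httpserver`, not code from Atlas or NiFi. It assumes the header is `X-Frame-Options: SAMEORIGIN` (the standard way to express "same-origin framing only"), and the handler path, port and exception message are constructed for the demo.

```java
import com.sun.net.httpserver.Filter;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;

import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not Atlas/NiFi code): generic error bodies plus anti-framing headers.
public final class HardenedErrorsAndFraming {

    private static final Logger LOG = Logger.getLogger(HardenedErrorsAndFraming.class.getName());

    /** Adds anti-framing headers to every response that passes through the context. */
    static final class FrameOptionsFilter extends Filter {
        @Override
        public void doFilter(HttpExchange ex, Chain chain) throws IOException {
            ex.getResponseHeaders().set("X-Frame-Options", "SAMEORIGIN");
            // frame-ancestors is the CSP equivalent; sending both is harmless.
            ex.getResponseHeaders().set("Content-Security-Policy", "frame-ancestors 'self'");
            chain.doFilter(ex);
        }

        @Override
        public String description() {
            return "anti-framing headers";
        }
    }

    /** Wraps a handler so an unexpected exception never reaches the client as a stack trace. */
    static HttpHandler safeErrors(HttpHandler inner) {
        return ex -> {
            try {
                inner.handle(ex);
            } catch (RuntimeException | IOException e) {
                String incidentId = UUID.randomUUID().toString();
                // Full detail goes to the server log only, keyed by the incident id
                // so operators can still correlate a user report with the trace.
                LOG.log(Level.SEVERE, "Unhandled error, incident " + incidentId, e);
                byte[] body = ("Internal error. Reference: " + incidentId + "\n")
                        .getBytes(StandardCharsets.UTF_8);
                ex.getResponseHeaders().set("Content-Type", "text/plain; charset=utf-8");
                ex.sendResponseHeaders(500, body.length);
                try (OutputStream out = ex.getResponseBody()) {
                    out.write(body);
                }
            }
        };
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8085), 0);
        // Constructed handler that always fails, to show what the client sees.
        HttpHandler boom = ex -> { throw new IllegalStateException("secret internal detail"); };
        server.createContext("/api/search", safeErrors(boom))
              .getFilters().add(new FrameOptionsFilter());
        server.start();
        System.out.println("Listening on http://127.0.0.1:8085/api/search (Ctrl-C to stop)");
    }
}
```

Run it and request `/api/search`: the body carries only a random reference id, the `IllegalStateException` text and trace appear only in the server log, and every response carries the two framing headers. The wrapper assumes the inner handler has not already sent headers when it throws; a handler that fails mid-body cannot be rescued this way and should write its body only after all work is done.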

  • CVE-2016-3083 (High) May 30, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be…

  • CVE-2017-5661 (High) Apr 18, 2017
    risk 0.48 | CVSS 7.3 | EPSS 0.03

    In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user…

  • CVE-2018-8039 (High) Jul 2, 2018
    risk 0.46 | CVSS 8.1 | EPSS 0.10

    It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work…
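
CVE-2016-3083 (Hive JDBC) and CVE-2018-8039 (CXF) are both cases of a TLS client that validates the certificate chain but does not bind the certificate to the host it asked for. The following is an added example of the two JSSE settings that matter, not Hive or CXF code: for a raw `SSLSocket` the endpoint identification algorithm must be switched on explicitly, and for `HttpsURLConnection` the default verifier must be left in place rather than replaced with an accept-all one. Host and port in `main` are arguments; the default `localhost:10000` is an assumption.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.URL;

// Added example (not Hive/CXF code): TLS client with hostname verification on both transports.
public final class StrictTlsClient {

    // DO NOT USE: this is the anti-pattern behind "chain is valid, host is never checked".
    // Any certificate issued by a trusted CA for any name would be accepted.
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    /** Plain TLS socket (the binary-transport case) with RFC 6125 host matching enabled. */
    public static SSLSocket openVerifiedSocket(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Without this line JSSE validates the chain but never compares the
        // certificate's SAN/CN against the host we connected to.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // fails with SSLHandshakeException on a name mismatch
        return socket;
    }

    /** HTTPS transport: keep the JDK default verifier and never install ACCEPT_ALL. */
    public static HttpsURLConnection openVerifiedHttps(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Already the default; stated explicitly so a reviewer can see it was not overridden.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";      // assumed default
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 10000;
        try (SSLSocket s = openVerifiedSocket(host, port)) {
            System.out.println("Handshake OK, peer = " + s.getSession().getPeerPrincipal());
        }
    }
}
```

To confirm the check is active, connect to a server whose certificate is valid but issued for a different name: the handshake must fail. A client that reports success there has the same class of bug as the two entries above.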

  • CVE-2017-15691 (Medium) Apr 26, 2018
    risk 0.43 | CVSS 6.5 | EPSS 0.09

    In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers.…

  • CVE-2018-1308 (High) Apr 9, 2018
    risk 0.43 | CVSS 7.5 | EPSS 0.21

    This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files…

  • CVE-2017-12626 (High) Jan 29, 2018
    risk 0.43 | CVSS 7.5 | EPSS 0.10

    Apache POI versions prior to release 3.17 are vulnerable to denial of service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) out-of-memory exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and…

  • CVE-2018-8015 (High) May 18, 2018
    risk 0.42 | CVSS 7.5 | EPSS 0.03

    In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might…
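
Unbounded recursion driven by file content is the failure mode above. The following is an added example, not ORC's parser: a walker over a column-type table in which each entry lists its children by index (the shape a file footer's type list takes), first in the naive form whose depth is controlled entirely by the input, then with an explicit depth budget and a cycle check that turn a malformed file into a parse error instead of a `StackOverflowError`. The type table in `main` is constructed; `MAX_DEPTH` and the class names are assumptions.

```java
import java.util.ArrayList;
import java.util.BitSet;
import java.util.List;

// Added example (not ORC code): bounding recursion that a file's contents control.
public final class BoundedTypeTree {

    static final int MAX_DEPTH = 64; // assumed limit; real schemas are far shallower

    /** One entry of a column-type table: its children by index into the same table. */
    static final class TypeEntry {
        final String kind;
        final int[] children;
        TypeEntry(String kind, int... children) {
            this.kind = kind;
            this.children = children;
        }
    }

    static final class MalformedFileException extends RuntimeException {
        MalformedFileException(String msg) {
            super(msg);
        }
    }

    /** Naive walker: a self-referencing entry or a very deep tree exhausts the stack. */
    static int countNaive(List<TypeEntry> types, int id) {
        int n = 1;
        for (int child : types.get(id).children) {
            n += countNaive(types, child);
        }
        return n;
    }

    /** Hardened walker: range check, depth budget and cycle detection on the current path. */
    static int countBounded(List<TypeEntry> types, int id, int depth, BitSet onPath) {
        if (id < 0 || id >= types.size()) {
            throw new MalformedFileException("type id out of range: " + id);
        }
        if (depth > MAX_DEPTH) {
            throw new MalformedFileException("type tree deeper than " + MAX_DEPTH);
        }
        if (onPath.get(id)) {
            throw new MalformedFileException("cycle through type " + id);
        }
        onPath.set(id);
        int n = 1;
        for (int child : types.get(id).children) {
            n += countBounded(types, child, depth + 1, onPath);
        }
        onPath.clear(id);
        return n;
    }

    public static int countBounded(List<TypeEntry> types) {
        return countBounded(types, 0, 0, new BitSet());
    }

    public static void main(String[] args) {
        // Constructed well-formed table: struct<int, list<string>>
        List<TypeEntry> good = new ArrayList<>();
        good.add(new TypeEntry("struct", 1, 2));
        good.add(new TypeEntry("int"));
        good.add(new TypeEntry("list", 3));
        good.add(new TypeEntry("string"));
        System.out.println("well-formed: " + countBounded(good) + " types");

        // Constructed malformed table: type 0 lists itself as its own child.
        List<TypeEntry> cyclic = new ArrayList<>();
        cyclic.add(new TypeEntry("struct", 0));
        try {
            countBounded(cyclic);
        } catch (MalformedFileException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // countNaive(cyclic, 0) would throw StackOverflowError at this point.
    }
}
```

The cycle check alone stops a self-reference; the depth budget is what protects against a long but acyclic chain, which a file can describe in a few bytes per level. Both are needed, and the out-of-range check prevents an `IndexOutOfBoundsException` from being the first thing a fuzzer finds.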

  • CVE-2017-12623 (Medium) Oct 10, 2017
    risk 0.42 | CVSS 6.5 | EPSS 0.02

    An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should…

  • CVE-2017-3156 (High) Aug 10, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.06

    The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
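
A MAC comparison that stops at the first differing byte tells a remote attacker, through response timing, how many leading bytes of a guessed tag are right, turning a 2^128 search into a few hundred requests per byte. The following is an added example, not CXF code: an HMAC-SHA256 verifier that shows the early-exit comparison next to the two standard constant-time forms. The key and message are constructed for the demo.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;

// Added example (not CXF code): constant-time MAC verification.
public final class MacVerify {

    static byte[] hmacSha256(byte[] key, byte[] message) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    /** Vulnerable: returns at the first mismatch, so elapsed time leaks the matching prefix length. */
    static boolean equalsEarlyExit(byte[] expected, byte[] received) {
        if (expected.length != received.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != received[i]) {
                return false;
            }
        }
        return true;
    }

    /** Hardened: the JDK's comparison inspects every byte of equal-length inputs. */
    static boolean equalsConstantTime(byte[] expected, byte[] received) {
        return MessageDigest.isEqual(expected, received);
    }

    /** The same idea written out: accumulate differences, decide only at the end. */
    static boolean equalsConstantTimeManual(byte[] a, byte[] b) {
        int diff = a.length ^ b.length; // length is public, so leaking it is acceptable
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static boolean verify(byte[] key, byte[] message, byte[] receivedTag)
            throws GeneralSecurityException {
        byte[] expected = hmacSha256(key, message);
        return equalsConstantTime(expected, receivedTag);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] msg = "GET /oauth2/token".getBytes(StandardCharsets.UTF_8);           // constructed
        byte[] tag = hmacSha256(key, msg);
        byte[] forged = Arrays.copyOf(tag, tag.length);
        forged[tag.length - 1] ^= 0x01; // only the last byte wrong: the early-exit loop runs almost to the end
        System.out.println("genuine tag accepted: " + verify(key, msg, tag));
        System.out.println("forged tag accepted:  " + verify(key, msg, forged));
        // Same boolean results, different timing profile:
        System.out.println("early-exit says:      " + equalsEarlyExit(tag, forged));
        System.out.println("manual ct says:       " + equalsConstantTimeManual(tag, forged));
    }
}
```

All three comparisons return the same booleans; the difference is only visible on a timer, which is why this class of bug survives functional testing. Prefer `MessageDigest.isEqual` (or a library equivalent) over a hand-written loop, since a JIT can optimise a naive loop in surprising ways.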

  • CVE-2016-8739 (High) Aug 10, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.07

    The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
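
Four entries on this page are the same bug in different parsers: an XML parser fed untrusted input with entity expansion left at its defaults (CVE-2017-15691 in UIMA, CVE-2018-1308 in Solr's DataImportHandler, CVE-2017-12623 in NiFi templates, CVE-2016-8739 in CXF's Abdera-based readers). The following is an added example, not code from any of those projects: a JAXP `DocumentBuilder` configured so that a DOCTYPE, and therefore any entity declaration, is refused, next to the default configuration that is not. The payload is constructed; the element names only mimic the Solr `dataConfig` shape and are not a real Solr config.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

// Added example (not Solr/NiFi/CXF/UIMA code): XML parser hardened against XXE.
public final class XxeSafeParser {

    // Constructed attacker payload: an external entity that would read a local file.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE dataConfig [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<dataConfig><entity name=\"x\">&xxe;</entity></dataConfig>";

    /** Default JAXP configuration: DTDs are processed and external entities are resolved. */
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Configuration for untrusted XML. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Most complete defence: refuse any DOCTYPE, which removes entity declarations entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case someone later re-enables DOCTYPEs for a legitimate DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** True if the parser rejected the document; false if it parsed it (and would have resolved the entity). */
    static boolean rejects(DocumentBuilder b, String xml) throws IOException {
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects payload: " + rejects(hardenedBuilder(), PAYLOAD));
        // vulnerableBuilder() is shown only to make the default visible. Do not feed it
        // untrusted input: on a host where /etc/passwd exists, parsing PAYLOAD with it
        // would place the file's contents inside the <entity> element of the DOM.
    }
}
```

The same feature URIs apply to `SAXParserFactory` and, for StAX, `XMLInputFactory.SUPPORT_DTD` set to false. Where a component wraps a third-party parser (as the Abdera case does), the hardening has to reach the parser that actually runs, so check the wrapper's own configuration hooks rather than assuming a JAXP setting propagates.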

  • CVE-2017-5656 (High) Apr 18, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.07

    Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.

  • CVE-2017-3155 (Medium) Aug 29, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting.

  • CVE-2017-3153 (Medium) Aug 29, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Reflected XSS in the search functionality.

  • CVE-2017-3152 (Medium) Aug 29, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to DOM XSS in the edit-tag functionality.

  • CVE-2017-3151 (Medium) Aug 29, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality.

Page 2 of 11