Apache

by Apache

CVEs (202)

  • CVE-2017-3150 | Med | Aug 29, 2017
    risk 0.40 | cvss 6.1 | epss 0.02

    Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookies that could be accessible to client-side script.

  • CVE-2017-7665 | Med | Jun 12, 2017
    risk 0.40 | cvss 6.1 | epss 0.04

    In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.

  • CVE-2018-11762 | Med | Sep 19, 2018
    risk 0.39 | cvss 5.9 | epss 0.05

    In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.

  • CVE-2017-5646 | Med | May 26, 2017
    risk 0.37 | cvss 6.8 | epss 0.01

    For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit…

  • CVE-2018-1338 | Med | Apr 25, 2018
    risk 0.36 | cvss 5.5 | epss 0.02

    A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.

  • CVE-2017-5644 | Med | Mar 24, 2017
    risk 0.36 | cvss 5.5 | epss 0.05

    Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

  • CVE-2016-8748 | Med | Oct 19, 2017
    risk 0.35 | cvss 5.4 | epss 0.02

    In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.

  • CVE-2012-3536 | Med | Feb 27, 2018
    risk 0.33 | cvss 6.1 | epss 0.02

    Two XSS vulnerabilities were fixed in the message list and message view of the Hupa Webmail application from the Apache James project. An attacker could send a carefully crafted email to a user of Hupa which would trigger an XSS when the email was opened or when a list of messages were…

  • CVE-2016-6812 | Med | Aug 10, 2017
    risk 0.33 | cvss 6.1 | epss 0.09

    The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current…

  • CVE-2018-8017 | Med | Sep 19, 2018
    risk 0.29 | cvss 5.5 | epss 0.03

    In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.

  • CVE-2018-8026 | Med | Jul 5, 2018
    risk 0.29 | cvss 5.5 | epss 0.09

    This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in…

  • CVE-2018-8010 | Med | May 21, 2018
    risk 0.29 | cvss 5.5 | epss 0.04

    This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar…

  • CVE-2018-1339 | Med | Apr 25, 2018
    risk 0.29 | cvss 5.5 | epss 0.03

    A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.

  • CVE-2017-12624 | Med | Nov 14, 2017
    risk 0.29 | cvss 5.5 | epss 0.04

    Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are…

  • CVE-2017-12625 | Med | Nov 1, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. When a view is created over a given table, the policy enforcement does not happen correctly…

  • CVE-2017-5653 | Med | Apr 18, 2017
    risk 0.28 | cvss 5.3 | epss 0.11

    JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

  • CVE-2017-15703 | Med | Jan 25, 2018
    risk 0.26 | cvss 5.0 | epss 0.01

    Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi…

  • CVE-2018-1315 | Low | Apr 5, 2018
    risk 0.24 | cvss 3.7 | epss 0.02

    In Apache Hive 2.1.0 to 2.3.2, when a 'COPY FROM FTP' statement is run using the HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because FTP client code in…

  • CVE-2022-24112 | KEV | Feb 11, 2022
    risk 0.23 | cvss (not listed) | epss 0.96

    An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed…

  • CVE-2018-1284 | Low | Apr 5, 2018
    risk 0.17 | cvss 3.7 | epss 0.02

    In Apache Hive 0.6.0 to 2.3.2, a malicious user might use any of the xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by the HiveServer2 user (usually…

Page 3 of 11