Apache
by Apache
Source repositories
CVEs (202)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-0193 | 0.12 | — | 0.84 | KEV | Aug 1, 2019 | In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow… | ||
| CVE-2002-0392 | 0.11 | — | 0.95 | Jul 3, 2002 | Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size. | |||
| CVE-2020-13945 | 0.10 | — | 0.73 | Dec 7, 2020 | In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5. | |||
| CVE-2024-45216 | 0.08 | — | 0.91 | Oct 16, 2024 | Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests… | |||
| CVE-2021-27905 | 0.08 | — | 0.93 | Apr 13, 2021 | The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent… | |||
| CVE-2001-0731 | 0.08 | — | 0.57 | Oct 1, 2001 | Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string. | |||
| CVE-2019-0192 | 0.07 | — | 0.78 | Mar 7, 2019 | In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on… | |||
| CVE-2008-2168 | 0.07 | — | 0.55 | May 13, 2008 | Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page. | |||
| CVE-1999-0678 | 0.06 | — | 0.31 | Jan 17, 1999 | A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server. | |||
| CVE-2017-3164 | 0.05 | — | 0.19 | Mar 8, 2019 | Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL. | |||
| CVE-2024-52046 | 0.04 | — | 0.24 | Dec 25, 2024 | The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially… | |||
| CVE-2021-43557 | 0.04 | — | 0.15 | Nov 22, 2021 | The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block… | |||
| CVE-2023-50386 | 0.03 | — | 0.84 | Feb 9, 2024 | Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In… | |||
| CVE-2022-29266 | 0.03 | — | 0.08 | Apr 20, 2022 | In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information. | |||
| CVE-2003-0132 | 0.03 | — | 0.87 | Apr 11, 2003 | A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. | |||
| CVE-2021-29262 | 0.02 | — | 0.08 | Apr 13, 2021 | When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and… | |||
| CVE-2005-3357 | 0.02 | — | 0.24 | Dec 31, 2005 | mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference. | |||
| CVE-2004-0748 | 0.02 | — | 0.22 | Oct 20, 2004 | mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop. | |||
| CVE-2002-0843 | 0.02 | — | 0.21 | Oct 11, 2002 | Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response. | |||
| CVE-2023-34468 | 0.01 | — | 0.63 | Jun 12, 2023 | The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and… |
- risk 0.12cvss —epss 0.84
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow…
- CVE-2002-0392Jul 3, 2002risk 0.11cvss —epss 0.95
Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.
- CVE-2020-13945Dec 7, 2020risk 0.10cvss —epss 0.73
In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.
- CVE-2024-45216Oct 16, 2024risk 0.08cvss —epss 0.91
Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests…
- CVE-2021-27905Apr 13, 2021risk 0.08cvss —epss 0.93
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent…
- CVE-2001-0731Oct 1, 2001risk 0.08cvss —epss 0.57
Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string.
- CVE-2019-0192Mar 7, 2019risk 0.07cvss —epss 0.78
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on…
- CVE-2008-2168May 13, 2008risk 0.07cvss —epss 0.55
Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.
- CVE-1999-0678Jan 17, 1999risk 0.06cvss —epss 0.31
A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.
- CVE-2017-3164Mar 8, 2019risk 0.05cvss —epss 0.19
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
- CVE-2024-52046Dec 25, 2024risk 0.04cvss —epss 0.24
The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially…
- CVE-2021-43557Nov 22, 2021risk 0.04cvss —epss 0.15
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block…
- CVE-2023-50386Feb 9, 2024risk 0.03cvss —epss 0.84
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In…
- CVE-2022-29266Apr 20, 2022risk 0.03cvss —epss 0.08
In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.
- CVE-2003-0132Apr 11, 2003risk 0.03cvss —epss 0.87
A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.
- CVE-2021-29262Apr 13, 2021risk 0.02cvss —epss 0.08
When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and…
- CVE-2005-3357Dec 31, 2005risk 0.02cvss —epss 0.24
mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.
- CVE-2004-0748Oct 20, 2004risk 0.02cvss —epss 0.22
mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop.
- CVE-2002-0843Oct 11, 2002risk 0.02cvss —epss 0.21
Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.
- CVE-2023-34468Jun 12, 2023risk 0.01cvss —epss 0.63
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and…
Page 4 of 11