VYPR

Vendor CVEs

Apache

All CVEs

2,550 total · sorted by risk
  • CVE-2002-0936Oct 4, 2002
    risk 0.05cvss epss 0.27

    The Java Server Pages (JSP) engine in Tomcat allows web page owners to cause a denial of service (engine crash) on the web server via a JSP page that calls WPrinterJob().pageSetup(null,null).

  • CVE-2000-0759Oct 20, 2000
    risk 0.05cvss epss 0.26

    Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path.

  • CVE-1999-0448Jan 1, 1999
    risk 0.05cvss epss 0.24

    IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

  • CVE-1999-0107Dec 30, 1997
    risk 0.05cvss epss 0.20

    Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

  • CVE-1999-0045Dec 10, 1996
    risk 0.05cvss epss 0.26

    List of arbitrary files on Web host via nph-test-cgi script.

  • CVE-2024-52046Dec 25, 2024
    risk 0.04cvss epss 0.24

    The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially…

  • CVE-2022-42889Oct 13, 2022
    risk 0.04cvss epss 1.00

    Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs…

  • CVE-2022-25813Sep 2, 2022
    risk 0.04cvss epss 0.67

    In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party…

  • CVE-2021-43557Nov 22, 2021
    risk 0.04cvss epss 0.15

    The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block…

  • CVE-2021-40865Oct 25, 2021
    risk 0.04cvss epss 0.66

    An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1.…

  • CVE-2021-33035Sep 23, 2021
    risk 0.04cvss epss 0.51

    Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document…

  • CVE-2021-33193Aug 16, 2021
    risk 0.04cvss epss 0.46

    A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

  • CVE-2021-26691Jun 10, 2021
    risk 0.04cvss epss 0.68

    In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

  • CVE-2019-12422Nov 18, 2019
    risk 0.04cvss epss 0.09

    Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

  • CVE-2014-0231Jul 20, 2014
    risk 0.04cvss epss 0.44

    The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

  • CVE-2014-0114Apr 30, 2014
    risk 0.04cvss epss 0.96

    Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader…

  • CVE-2014-0094Mar 11, 2014
    risk 0.04cvss epss 1.00

    The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

  • CVE-2013-4295Oct 24, 2013
    risk 0.04cvss epss 0.12

    The gadget renderer in Apache Shindig 2.5.0 for PHP allows remote attackers to obtain sensitive information via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

  • CVE-2013-2248Jul 20, 2013
    risk 0.04cvss epss 0.95

    Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.

  • CVE-2012-0392Jan 8, 2012
    risk 0.04cvss epss 0.97

    The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

  • CVE-2008-2938Aug 13, 2008
    risk 0.04cvss epss 1.00

    Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different…

  • CVE-2007-5000Dec 13, 2007
    risk 0.04cvss epss 0.47

    Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or…

  • CVE-2007-5731Oct 30, 2007
    risk 0.04cvss epss 0.07

    Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and earlier allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag, a related issue to CVE-2007-5461.

  • CVE-2004-0173Apr 15, 2004
    risk 0.04cvss epss 0.16

    Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences.

  • CVE-2002-2272Dec 31, 2002
    risk 0.04cvss epss 0.10

    Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.

  • CVE-2002-1148Oct 11, 2002
    risk 0.04cvss epss 0.17

    The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.

  • CVE-2002-0682Jul 23, 2002
    risk 0.04cvss epss 0.12

    Cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows remote attackers to execute script as other web users via script in a URL with the /servlet/ mapping, which does not filter the script when an exception is thrown by the servlet.

  • CVE-2001-0590Aug 2, 2001
    risk 0.04cvss epss 0.11

    Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).

  • CVE-2001-0042Feb 16, 2001
    risk 0.04cvss epss 0.09

    PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack containing "%5c" (encoded backslash) sequences.

  • CVE-2000-1016Dec 11, 2000
    risk 0.04cvss epss 0.08

    The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL.

  • CVE-2000-0883Nov 14, 2000
    risk 0.04cvss epss 0.09

    The default configuration of mod_perl for Apache as installed on Mandrake Linux 6.1 through 7.1 sets the /perl/ directory to be browseable, which allows remote attackers to list the contents of that directory.

  • CVE-2000-0868Nov 14, 2000
    risk 0.04cvss epss 0.45

    The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/.

  • CVE-1999-0926Sep 3, 1999
    risk 0.04cvss epss 0.09

    Apache allows remote attackers to conduct a denial of service via a large number of MIME headers.

  • CVE-2023-50386Feb 9, 2024
    risk 0.03cvss epss 0.84

    Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In…

  • CVE-2023-6710Dec 12, 2023
    risk 0.03cvss epss 0.02

    A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds…

  • CVE-2014-5329Sep 8, 2023
    risk 0.03cvss epss 0.02

    GIGAPOD file servers (Appliance model and Software model) provide two web interfaces, 80/tcp and 443/tcp for user operation, and 8001/tcp for administrative operation. 8001/tcp is served by a version of Apache HTTP server containing a flaw in handling HTTP requests…

  • CVE-2022-35741Jul 18, 2022
    risk 0.03cvss epss 0.07

    Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the…

  • CVE-2022-26377Jun 8, 2022
    risk 0.03cvss epss 0.19

    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version…

  • CVE-2022-29266Apr 20, 2022
    risk 0.03cvss epss 0.08

    In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

  • CVE-2021-39275Sep 16, 2021
    risk 0.03cvss epss 0.36

    ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

  • CVE-2021-30641Jun 10, 2021
    risk 0.03cvss epss 0.52

    Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

  • CVE-2020-9483Jun 30, 2020
    risk 0.03cvss epss 0.35

    **Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use…

  • CVE-2019-0235Apr 30, 2020
    risk 0.03cvss epss 0.33

    Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks.

  • CVE-2019-10082Sep 26, 2019
    risk 0.03cvss epss 0.17

    In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.

  • CVE-2019-12401Sep 10, 2019
    risk 0.03cvss epss 0.08

    Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the…

  • CVE-2019-10081Aug 15, 2019
    risk 0.03cvss epss 0.15

    HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the…

  • CVE-2019-0217Apr 8, 2019
    risk 0.03cvss epss 0.18

    In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

  • CVE-2015-1830Aug 19, 2015
    risk 0.03cvss epss 0.84

    Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.

  • CVE-2014-0118Jul 20, 2014
    risk 0.03cvss epss 0.37

    The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses…

  • CVE-2014-0117Jul 20, 2014
    risk 0.03cvss epss 0.36

    The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header.

Page 19 of 51