Vendor CVEs
Apache
All CVEs
2,550 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2002-0936 | 0.05 | — | 0.27 | Oct 4, 2002 | The Java Server Pages (JSP) engine in Tomcat allows web page owners to cause a denial of service (engine crash) on the web server via a JSP page that calls WPrinterJob().pageSetup(null,null). |
| CVE-2000-0759 | 0.05 | — | 0.26 | Oct 20, 2000 | Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path. |
| CVE-1999-0448 | 0.05 | — | 0.24 | Jan 1, 1999 | IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request. |
| CVE-1999-0107 | 0.05 | — | 0.20 | Dec 30, 1997 | Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters. |
| CVE-1999-0045 | 0.05 | — | 0.26 | Dec 10, 1996 | List of arbitrary files on Web host via nph-test-cgi script. |
| CVE-2024-52046 | 0.04 | — | 0.24 | Dec 25, 2024 | The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially… |
| CVE-2022-42889 | 0.04 | — | 1.00 | Oct 13, 2022 | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs… |
| CVE-2022-25813 | 0.04 | — | 0.67 | Sep 2, 2022 | In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content in a message "Subject" field from the "Contact us" page. Then a party manager needs to list the communications in the party… |
| CVE-2021-43557 | 0.04 | — | 0.15 | Nov 22, 2021 | The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block… |
| CVE-2021-40865 | 0.04 | — | 0.66 | Oct 25, 2021 | An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1.… |
| CVE-2021-33035 | 0.04 | — | 0.51 | Sep 23, 2021 | Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document… |
| CVE-2021-33193 | 0.04 | — | 0.46 | Aug 16, 2021 | A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48. |
| CVE-2021-26691 | 0.04 | — | 0.68 | Jun 10, 2021 | In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server could cause a heap overflow. |
| CVE-2019-12422 | 0.04 | — | 0.09 | Nov 18, 2019 | In Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. |
| CVE-2014-0231 | 0.04 | — | 0.44 | Jul 20, 2014 | The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. |
| CVE-2014-0114 | 0.04 | — | 0.96 | Apr 30, 2014 | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader… |
| CVE-2014-0094 | 0.04 | — | 1.00 | Mar 11, 2014 | The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. |
| CVE-2013-4295 | 0.04 | — | 0.12 | Oct 24, 2013 | The gadget renderer in Apache Shindig 2.5.0 for PHP allows remote attackers to obtain sensitive information via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
| CVE-2013-2248 | 0.04 | — | 0.95 | Jul 20, 2013 | Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. |
| CVE-2012-0392 | 0.04 | — | 0.97 | Jan 8, 2012 | The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. |
| CVE-2008-2938 | 0.04 | — | 1.00 | Aug 13, 2008 | Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different… |
| CVE-2007-5000 | 0.04 | — | 0.47 | Dec 13, 2007 | Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or… |
| CVE-2007-5731 | 0.04 | — | 0.07 | Oct 30, 2007 | Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and earlier allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag, a related issue to CVE-2007-5461. |
| CVE-2004-0173 | 0.04 | — | 0.16 | Apr 15, 2004 | Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences. |
| CVE-2002-2272 | 0.04 | — | 0.10 | Dec 31, 2002 | Tomcat 4.0 through 4.1.12, using the mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values. |
| CVE-2002-1148 | 0.04 | — | 0.17 | Oct 11, 2002 | The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet. |
| CVE-2002-0682 | 0.04 | — | 0.12 | Jul 23, 2002 | Cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows remote attackers to execute script as other web users via script in a URL with the /servlet/ mapping, which does not filter the script when an exception is thrown by the servlet. |
| CVE-2001-0590 | 0.04 | — | 0.11 | Aug 2, 2001 | Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code of arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0). |
| CVE-2001-0042 | 0.04 | — | 0.09 | Feb 16, 2001 | PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack containing "%5c" (encoded backslash) sequences. |
| CVE-2000-1016 | 0.04 | — | 0.08 | Dec 11, 2000 | The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL. |
| CVE-2000-0883 | 0.04 | — | 0.09 | Nov 14, 2000 | The default configuration of mod_perl for Apache as installed on Mandrake Linux 6.1 through 7.1 sets the /perl/ directory to be browseable, which allows remote attackers to list the contents of that directory. |
| CVE-2000-0868 | 0.04 | — | 0.45 | Nov 14, 2000 | The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/. |
| CVE-1999-0926 | 0.04 | — | 0.09 | Sep 3, 1999 | Apache allows remote attackers to conduct a denial of service via a large number of MIME headers. |
| CVE-2023-50386 | 0.03 | — | 0.84 | Feb 9, 2024 | Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In… |
| CVE-2023-6710 | 0.03 | — | 0.02 | Dec 12, 2023 | A flaw was found in mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds… |
| CVE-2014-5329 | 0.03 | — | 0.02 | Sep 8, 2023 | GIGAPOD file servers (Appliance model and Software model) provide two web interfaces, 80/tcp and 443/tcp for user operation, and 8001/tcp for administrative operation. 8001/tcp is served by a version of Apache HTTP server containing a flaw in handling HTTP requests… |
| CVE-2022-35741 | 0.03 | — | 0.07 | Jul 18, 2022 | Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the… |
| CVE-2022-26377 | 0.03 | — | 0.19 | Jun 8, 2022 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version… |
| CVE-2022-29266 | 0.03 | — | 0.08 | Apr 20, 2022 | In Apache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information. |
| CVE-2021-39275 | 0.03 | — | 0.36 | Sep 16, 2021 | ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. |
| CVE-2021-30641 | 0.03 | — | 0.52 | Jun 10, 2021 | Apache HTTP Server versions 2.4.39 to 2.4.46: unexpected matching behavior with 'MergeSlashes OFF'. |
| CVE-2020-9483 | 0.03 | — | 0.35 | Jun 30, 2020 | **Resolved** When using H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through the GraphQL protocol has a SQL injection vulnerability, which allows access to unexpected data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use… |
| CVE-2019-0235 | 0.03 | — | 0.33 | Apr 30, 2020 | Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. |
| CVE-2019-10082 | 0.03 | — | 0.17 | Sep 26, 2019 | In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. |
| CVE-2019-12401 | 0.03 | — | 0.08 | Sep 10, 2019 | Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the… |
| CVE-2019-10081 | 0.03 | — | 0.15 | Aug 15, 2019 | HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the… |
| CVE-2019-0217 | 0.03 | — | 0.18 | Apr 8, 2019 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. |
| CVE-2015-1830 | 0.03 | — | 0.84 | Aug 19, 2015 | Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors. |
| CVE-2014-0118 | 0.03 | — | 0.37 | Jul 20, 2014 | The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses… |
| CVE-2014-0117 | 0.03 | — | 0.36 | Jul 20, 2014 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. |
Page 19 of 51