VYPR

Vendor CVEs

Apache

All CVEs

2,550 total · sorted by risk
  • CVE-2014-0050Apr 1, 2014
    risk 0.03cvss epss 0.83

    MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended…

  • CVE-2013-6357Nov 13, 2013
    risk 0.03cvss epss 0.03

    Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a…

  • CVE-2012-0031Jan 18, 2012
    risk 0.03cvss epss 0.03

    scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an…

  • CVE-2011-4415Nov 8, 2011
    risk 0.03cvss epss 0.03

    The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory…

  • CVE-2011-3607Nov 8, 2011
    risk 0.03cvss epss 0.05

    Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in…

  • CVE-2010-3449Dec 6, 2010
    risk 0.03cvss epss 0.05

    Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1; and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1; allows remote attackers to hijack the…

  • CVE-2010-0010Feb 2, 2010
    risk 0.03cvss epss 0.43

    Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size…

  • CVE-2009-4612Jan 13, 2010
    risk 0.03cvss epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3)…

  • CVE-2009-4610Jan 13, 2010
    risk 0.03cvss epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the…

  • CVE-2008-2939Aug 6, 2008
    risk 0.03cvss epss 0.39

    Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a…

  • CVE-2007-0450Mar 16, 2007
    risk 0.03cvss epss 0.91

    Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/"…

  • CVE-2005-1754Dec 31, 2005
    risk 0.03cvss epss 0.03

    JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and…

  • CVE-2005-3747Nov 22, 2005
    risk 0.03cvss epss 0.04

    Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.

  • CVE-2004-2096Dec 31, 2004
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in Mephistoles httpd 0.6.0 final allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into the URL.

  • CVE-2004-0492Aug 6, 2004
    risk 0.03cvss epss 0.34

    Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be…

  • CVE-2003-1307Dec 31, 2003
    risk 0.03cvss epss 0.02

    The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's…

  • CVE-2003-1516Dec 31, 2003
    risk 0.03cvss epss 0.04

    The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.

  • CVE-2003-1138Oct 27, 2003
    risk 0.03cvss epss 0.05

    The default configuration of Apache 2.0.40, as shipped with Red Hat Linux 9.0, allows remote attackers to list directory contents, even if auto indexing is turned off and there is a default web page configured, via a GET request containing a double slash (//).

  • CVE-2003-0132Apr 11, 2003
    risk 0.03cvss epss 0.87

    A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.

  • CVE-2000-0913Dec 19, 2000
    risk 0.03cvss epss 0.35

    mod_rewrite in Apache 1.3.12 and earlier allows remote attackers to read arbitrary files if a RewriteRule directive is expanded to include a filename whose name contains a regular expression.

  • CVE-2025-22828Jan 13, 2025
    risk 0.02cvss epss 0.02

    CloudStack users can add and read comments (annotations) on resources they are authorised to access.  Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add…

  • CVE-2024-40725Jul 18, 2024
    risk 0.02cvss epss 0.04

    A partial fix for  CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code…

  • CVE-2022-40743Dec 19, 2022
    risk 0.02cvss epss 0.01

    Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later…

  • CVE-2022-29063Sep 2, 2022
    risk 0.02cvss epss 0.04

    The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server…

  • CVE-2022-22728Aug 25, 2022
    risk 0.02cvss epss 0.05

    A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.

  • CVE-2022-22720Mar 14, 2022
    risk 0.02cvss epss 0.28

    Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

  • CVE-2022-22719Mar 14, 2022
    risk 0.02cvss epss 0.70

    A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.

  • CVE-2021-41826Sep 29, 2021
    risk 0.02cvss epss 0.12

    PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.

  • CVE-2021-29262Apr 13, 2021
    risk 0.02cvss epss 0.08

    When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and…

  • CVE-2020-11993Aug 7, 2020
    risk 0.02cvss epss 0.59

    Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info"…

  • CVE-2020-13934Jul 14, 2020
    risk 0.02cvss epss 0.64

    An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial…

  • CVE-2020-1934Apr 1, 2020
    risk 0.02cvss epss 0.52

    In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.

  • CVE-2019-10097Sep 26, 2019
    risk 0.02cvss epss 0.53

    In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be…

  • CVE-2019-0220Jun 11, 2019
    risk 0.02cvss epss 0.18

    A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the…

  • CVE-2019-11356Jun 3, 2019
    risk 0.02cvss epss 0.08

    The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.

  • CVE-2019-0190Jan 30, 2019
    risk 0.02cvss epss 0.60

    A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using…

  • CVE-2015-5262Oct 27, 2015
    risk 0.02cvss epss 0.19

    http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

  • CVE-2014-0098Mar 18, 2014
    risk 0.02cvss epss 0.26

    The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.

  • CVE-2013-6438Mar 18, 2014
    risk 0.02cvss epss 0.27

    The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE…

  • CVE-2013-2134Jul 16, 2013
    risk 0.02cvss epss 0.70

    Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

  • CVE-2013-1896Jul 10, 2013
    risk 0.02cvss epss 0.29

    mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn…

  • CVE-2013-1966Jul 10, 2013
    risk 0.02cvss epss 0.72

    Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

  • CVE-2013-1862Jun 10, 2013
    risk 0.02cvss epss 0.25

    mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a…

  • CVE-2013-1814Mar 14, 2013
    risk 0.02cvss epss 0.73

    The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.

  • CVE-2012-4558Feb 26, 2013
    risk 0.02cvss epss 0.23

    Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject…

  • CVE-2012-3499Feb 26, 2013
    risk 0.02cvss epss 0.23

    Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3)…

  • CVE-2012-2687Aug 22, 2012
    risk 0.02cvss epss 0.23

    Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or…

  • CVE-2012-0021Jan 28, 2012
    risk 0.02cvss epss 0.31

    The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a…

  • CVE-2012-0394Jan 8, 2012
    risk 0.02cvss epss 0.74

    The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.

  • CVE-2011-3348Sep 20, 2011
    risk 0.02cvss epss 0.22

    The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.

Page 20 of 51