VYPR

Vendor CVEs: Apache (all CVEs)

2,550 total · sorted by risk
  • CVE-2018-1340 · Feb 7, 2019
    risk 0.00 · cvss n/a · epss 0.02

    Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the…

  • CVE-2018-11790 · Jan 31, 2019
    risk 0.00 · cvss n/a · epss 0.01

    When Apache OpenOffice 4.1.5 and earlier loads a document whose end-of-line terminators are shorter than the ones the operating system uses, OpenOffice runs into an arithmetic overflow in a string length calculation.

  • CVE-2018-20245 · Jan 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.

  • CVE-2017-17835 · Jan 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.

  • CVE-2017-17836 · Jan 23, 2019
    risk 0.00 · cvss n/a · epss 0.02

    In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all…

  • CVE-2017-15720 · Jan 23, 2019
    risk 0.00 · cvss n/a · epss 0.02

    In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.

  • CVE-2018-17188 · Jan 2, 2019
    risk 0.00 · cvss n/a · epss 0.03

    Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database. In some cases, this led to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Together with other…

  • CVE-2018-20578 · Dec 28, 2018
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in NuttX before 7.27. The function netlib_parsehttpurl() in apps/netutils/netlib/netlib_parsehttpurl.c mishandles URLs longer than hostlen bytes (in the webclient, this is set by default to 40), leading to an Infinite Loop. The attack vector is the…

  • CVE-2018-17197 · Dec 24, 2018
    risk 0.00 · cvss n/a · epss 0.06

    A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.

  • CVE-2018-17195 · Dec 19, 2018
    risk 0.00 · cvss n/a · epss 0.01

    The template upload API endpoint accepted requests from a different domain when sent in conjunction with an ARP spoofing plus man-in-the-middle (MitM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication,…

  • CVE-2018-17192 · Dec 19, 2018
    risk 0.00 · cvss n/a · epss 0.03

    The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security…

  • CVE-2018-17193 · Dec 19, 2018
    risk 0.00 · cvss n/a · epss 0.03

    The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release.…

  • CVE-2018-17194 · Dec 19, 2018
    risk 0.00 · cvss n/a · epss 0.03

    When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait…

  • CVE-2018-17187 · Nov 13, 2018
    risk 0.00 · cvss n/a · epss 0.03

    The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer…

  • CVE-2018-1314 · Nov 8, 2018
    risk 0.00 · cvss n/a · epss 0.02

    In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do "EXPLAIN" on arbitrary table or view and expose table metadata and statistics.

  • CVE-2018-11777 · Nov 8, 2018
    risk 0.00 · cvss n/a · epss 0.02

    In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against a malicious user if Ranger, Sentry or the SQL standard authorizer is not in use.

  • CVE-2018-11792 · Oct 24, 2018
    risk 0.00 · cvss n/a · epss 0.02

    In Apache Impala before 3.0.1, ALTER TABLE/VIEW RENAME required ALTER on the old table. This may pose a potential security risk, such as having ALTER on a table and ALL on a particular database allows a user to move the table to a database with ALL, which will automatically…

  • CVE-2018-11785 · Oct 24, 2018
    risk 0.00 · cvss n/a · epss 0.01

    Missing authorization check in Apache Impala before 3.0.1 allows a Kerberos-authenticated but unauthorized user to inject random data into a running query, leading to wrong results for a query.

  • CVE-2018-1281 · Med · Jun 8, 2018
    risk 0.00 · cvss 6.5 · epss 0.02

    The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT env variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than user…

  • CVE-2015-5204 · Dec 17, 2015
    risk 0.00 · cvss n/a · epss 0.03

    CRLF injection vulnerability in the Apache Cordova File Transfer Plugin (cordova-plugin-file-transfer) for Android before 1.3.0 allows remote attackers to inject arbitrary headers via CRLF sequences in the filename of an uploaded file.

  • CVE-2015-8320 · Nov 23, 2015
    risk 0.00 · cvss n/a · epss 0.04

    Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value.

  • CVE-2015-5256 · Nov 23, 2015
    risk 0.00 · cvss n/a · epss 0.04

    Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI.

  • CVE-2015-5255 · Nov 18, 2015
    risk 0.00 · cvss n/a · epss 0.04

    Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to…

  • CVE-2015-5253 · Nov 18, 2015
    risk 0.00 · cvss n/a · epss 0.06

    The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."

  • CVE-2015-4940 · Nov 8, 2015
    risk 0.00 · cvss n/a · epss 0.01

    Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, stores a cleartext BigSheets password in a configuration file, which allows local users to obtain sensitive information by reading this file.

  • CVE-2015-4928 · Nov 8, 2015
    risk 0.00 · cvss n/a · epss 0.03

    Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, includes cleartext passwords on a Configs screen, which allows physically proximate attackers to obtain sensitive information by reading password fields.

  • CVE-2015-5210 · Nov 2, 2015
    risk 0.00 · cvss n/a · epss 0.04

    Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter.

  • CVE-2015-3270 · Nov 2, 2015
    risk 0.00 · cvss n/a · epss 0.03

    Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords.

  • CVE-2015-3186 · Nov 2, 2015
    risk 0.00 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration change.

  • CVE-2015-1775 · Nov 2, 2015
    risk 0.00 · cvss n/a · epss 0.03

    Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured services via a crafted REST call.

  • CVE-2015-6524 · Aug 24, 2015
    risk 0.00 · cvss n/a · epss 0.08

    The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was…

  • CVE-2014-3612 · Aug 24, 2015
    risk 0.00 · cvss n/a · epss 0.07

    The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.…

  • CVE-2014-1972 · Aug 22, 2015
    risk 0.00 · cvss n/a · epss 0.10

    Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource consumption) or execute arbitrary code via crafted serialized data.

  • CVE-2015-3185 · Jul 20, 2015
    risk 0.00 · cvss n/a · epss 0.19

    The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended…

  • CVE-2015-3183 · Jul 20, 2015
    risk 0.00 · cvss n/a · epss 0.73

    The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid…

  • CVE-2015-0253 · Jul 20, 2015
    risk 0.00 · cvss n/a · epss 0.15

    The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a…

  • CVE-2015-1831 · Jul 16, 2015
    risk 0.00 · cvss n/a · epss 0.06

    The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.

  • CVE-2014-0230 · Jun 7, 2015
    risk 0.00 · cvss n/a · epss 0.20

    Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a…

  • CVE-2015-0264 · Jun 3, 2015
    risk 0.00 · cvss n/a · epss 0.07

    Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath…

  • CVE-2015-0263 · Jun 3, 2015
    risk 0.00 · cvss n/a · epss 0.08

    XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.

  • CVE-2015-1833 · May 29, 2015
    risk 0.00 · cvss n/a · epss 0.51

    XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a…

  • CVE-2015-0252 · Mar 24, 2015
    risk 0.00 · cvss n/a · epss 0.40

    internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data.

  • CVE-2015-2091 · Mar 13, 2015
    risk 0.00 · cvss n/a · epss 0.03

    The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate.

  • CVE-2015-0228 · Mar 8, 2015
    risk 0.00 · cvss n/a · epss 0.19

    The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade…

  • CVE-2014-0227 · Feb 16, 2015
    risk 0.00 · cvss n/a · epss 0.21

    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request…

  • CVE-2014-8110 · Feb 12, 2015
    risk 0.00 · cvss n/a · epss 0.07

    Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2014-8152 · Jan 21, 2015
    risk 0.00 · cvss n/a · epss 0.06

    Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.

  • CVE-2014-9593 · Jan 15, 2015
    risk 0.00 · cvss n/a · epss 0.03

    Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call.

  • CVE-2014-10022 · Jan 13, 2015
    risk 0.00 · cvss n/a · epss 0.06

    Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing.

  • CVE-2014-3628 · Jan 6, 2015
    risk 0.00 · cvss n/a · epss 0.05

    Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the fieldvaluecache object.
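Two entries in this list share one failure mode: the Airflow LDAP backend (CVE-2018-20245) mishandled an exception so that server certificate checking was switched off, and the Qpid Proton-J transport (CVE-2018-17187) defaulted to not verifying the peer at all. The example below is added here and is not code from either project; it uses only the Python standard library `ssl` module, and the builder function names are hypothetical. It puts the silent-downgrade anti-pattern next to a fail-closed version and exercises both with a CA path that does not exist.

```python
"""Fail-closed TLS verification versus the silent-downgrade anti-pattern.

Added example, not code from Apache Airflow or Qpid Proton-J. Function names
are hypothetical; the only dependency is the standard-library ssl module.
"""
import ssl
from typing import Optional


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain AND checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def downgrading_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Anti-pattern modelled on the Airflow LDAP entry: a failure to load the
    CA bundle is caught and "recovered" by turning verification off."""
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cafile=ca_file)
    except (OSError, ssl.SSLError, TypeError):
        # The bug: the handler fails open. A typo in the CA path, an unreadable
        # file or an unset option now yields a context that trusts any server.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fail_closed_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: verifying is the default, and a broken CA path raises
    instead of being papered over (the Proton-J lesson: default to verify)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)  # let OSError/SSLError propagate
    if not verifies_peer(ctx):
        raise RuntimeError("TLS context must verify the peer")
    return ctx


def demo(bad_ca_path: str = "/nonexistent/ca-bundle.pem") -> dict:
    """Run both builders against a CA path that does not exist and report
    whether each one silently downgraded or failed closed."""
    result = {
        "downgraded_silently": not verifies_peer(downgrading_context(bad_ca_path)),
    }
    try:
        fail_closed_context(bad_ca_path)
        result["hardened_raised"] = False
    except OSError:
        result["hardened_raised"] = True
    result["hardened_default_verifies"] = verifies_peer(fail_closed_context())
    return result


if __name__ == "__main__":
    print(demo())
```

The practical check this gives you: any code path that assigns `CERT_NONE` or sets `check_hostname = False` inside an `except` block is a fail-open handler and should be treated as a finding, whatever the surrounding library.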
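The Guacamole entry (CVE-2018-1340, session cookie without the Secure flag) and the NiFi entry (CVE-2018-17192, X-Frame-Options missing or duplicated) are both visible in a single HTTP response, so a response-header audit catches them. The audit below is an added example, not code from either project; the sample responses and cookie names are constructed, not captured traffic. It flags cookies that lack Secure or HttpOnly and an X-Frame-Options header that is absent, repeated or carries an unrecognised value.

```python
"""Audit HTTP response headers for cookie flags and X-Frame-Options hygiene.

Added example (not Guacamole or NiFi code). The sample header lists below are
constructed for the demonstration; cookie names are hypothetical.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed samples, not real product traffic.
COOKIE_WITHOUT_FLAGS: Headers = [
    ("Content-Type", "application/json"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "SESSION_TOKEN=0123abcd; Path=/app"),
]
DUPLICATE_XFO: Headers = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Frame-Options", "DENY"),
]
MISSING_XFO: Headers = [("Content-Type", "text/html")]
CLEAN: Headers = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "SESSION_TOKEN=0123abcd; Path=/app; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value.
    Flag attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers: Headers) -> List[str]:
    """Return a list of findings; an empty list means the response passed."""
    findings: List[str] = []

    # X-Frame-Options: exactly one header with a value browsers agree on.
    xfo = [v.strip().upper() for k, v in headers if k.lower() == "x-frame-options"]
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len(xfo) > 1:
        # Repeated or conflicting values are interpreted differently by browsers.
        findings.append("X-Frame-Options duplicated: " + ", ".join(xfo))
    elif xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options unrecognised value: " + xfo[0])

    # Set-Cookie: every cookie should carry Secure and HttpOnly.
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for label, sample in [("cookie", COOKIE_WITHOUT_FLAGS), ("dup-xfo", DUPLICATE_XFO),
                          ("no-xfo", MISSING_XFO), ("clean", CLEAN)]:
        print(label, audit_headers(sample))
```

Feed it the header list from any HTTP client (for example `response.raw_headers` or the `getheaders()` output of `http.client`) and treat a non-empty result as a finding to triage; a missing Secure flag on a session cookie is only exploitable where the client can be induced to send the cookie over plain HTTP, which is the condition the Guacamole entry describes.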

Page 45 of 51