Filtered by vendor Apache
Subscriptions
Total
2637 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-17527 | 5 Apache, Debian, Netapp and 2 more | 15 Tomcat, Debian Linux, Element Plug-in and 12 more | 2025-02-13 | 7.5 High |
| While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. | ||||
| CVE-2020-17526 | 1 Apache | 1 Airflow | 2025-02-13 | 7.7 High |
| Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config. | ||||
| CVE-2020-17525 | 3 Apache, Debian, Redhat | 4 Subversion, Debian Linux, Enterprise Linux and 1 more | 2025-02-13 | 7.5 High |
| Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7 | ||||
| CVE-2020-17518 | 2 Apache, Redhat | 4 Flink, Camel Quarkus, Integration and 1 more | 2025-02-13 | 7.5 High |
| Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. | ||||
| CVE-2020-17515 | 1 Apache | 1 Airflow | 2025-02-13 | 6.1 Medium |
| The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely. | ||||
| CVE-2020-17513 | 1 Apache | 1 Airflow | 2025-02-13 | 5.3 Medium |
| In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. | ||||
| CVE-2020-17511 | 1 Apache | 1 Airflow | 2025-02-13 | 6.5 Medium |
| In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field. | ||||
| CVE-2020-13959 | 2 Apache, Debian | 2 Velocity Tools, Debian Linux | 2025-02-13 | 6.1 Medium |
| The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks. | ||||
| CVE-2020-13954 | 4 Apache, Netapp, Oracle and 1 more | 8 Cxf, Snap Creator Framework, Vasa Provider For Clustered Data Ontap and 5 more | 2025-02-13 | 6.1 Medium |
| By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573. | ||||
| CVE-2020-13942 | 1 Apache | 1 Unomi | 2025-02-13 | 9.8 Critical |
| It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem. | ||||
| CVE-2020-13936 | 4 Apache, Debian, Oracle and 1 more | 22 Velocity Engine, Wss4j, Debian Linux and 19 more | 2025-02-13 | 8.8 High |
| An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. | ||||
| CVE-2020-13924 | 1 Apache | 1 Ambari | 2025-02-13 | 7.5 High |
| In Apache Ambari versions 2.6.2.2 and earlier, malicious users can construct file names for directory traversal and traverse to other directories to download files. | ||||
| CVE-2020-13922 | 1 Apache | 1 Dolphinscheduler | 2025-02-13 | 6.5 Medium |
| Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface. | ||||
| CVE-2020-11995 | 1 Apache | 1 Dubbo | 2025-02-13 | 9.8 Critical |
| A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8. | ||||
| CVE-2019-0231 | 2 Apache, Redhat | 6 Mina, Jboss Enterprise Bpms Platform, Jboss Enterprise Brms Platform and 3 more | 2025-02-13 | 7.5 High |
| Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA. | ||||
| CVE-2012-5639 | 3 Apache, Debian, Libreoffice | 3 Openoffice, Debian Linux, Libreoffice | 2025-02-13 | 6.5 Medium |
| LibreOffice and OpenOffice automatically open embedded content | ||||
| CVE-2023-25695 | 1 Apache | 1 Airflow | 2025-02-13 | 5.3 Medium |
| Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. | ||||
| CVE-2023-25693 | 1 Apache | 1 Apache-airflow-providers-apache-sqoop | 2025-02-13 | 9.8 Critical |
| Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. | ||||
| CVE-2022-38745 | 2 Apache, Redhat | 2 Openoffice, Enterprise Linux | 2025-02-13 | 7.8 High |
| Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory. | ||||
| CVE-2023-26513 | 1 Apache | 1 Sling Resource Merger | 2025-02-13 | 7.5 High |
| Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2. | ||||