Filtered by vendor Apache
Subscribe
Total
2223 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-20244 | 1 Apache | 1 Airflow | 2023-11-07 | 3.5 LOW | 5.5 MEDIUM |
| In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | |||||
| CVE-2018-20242 | 1 Apache | 1 Jspwiki | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking. | |||||
| CVE-2018-1340 | 1 Apache | 1 Guacamole | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain. | |||||
| CVE-2018-1339 | 1 Apache | 1 Tika | 2023-11-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18. | |||||
| CVE-2018-1338 | 1 Apache | 1 Tika | 2023-11-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18. | |||||
| CVE-2018-1337 | 1 Apache | 1 Directory Ldap Api | 2023-11-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request). | |||||
| CVE-2018-1335 | 1 Apache | 1 Tika | 2023-11-07 | 9.3 HIGH | 8.1 HIGH |
| From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18. | |||||
| CVE-2018-1334 | 1 Apache | 1 Spark | 2023-11-07 | 1.9 LOW | 4.7 MEDIUM |
| In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. | |||||
| CVE-2018-1333 | 4 Apache, Canonical, Netapp and 1 more | 6 Http Server, Ubuntu Linux, Cloud Backup and 3 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33). | |||||
| CVE-2018-1332 | 1 Apache | 1 Storm | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons. | |||||
| CVE-2018-1330 | 1 Apache | 1 Mesos | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. | |||||
| CVE-2018-1328 | 1 Apache | 1 Zeppelin | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph". | |||||
| CVE-2018-1327 | 1 Apache | 1 Struts | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16. | |||||
| CVE-2018-1324 | 2 Apache, Oracle | 3 Commons Compress, Mysql Cluster, Weblogic Server | 2023-11-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package. | |||||
| CVE-2018-1323 | 1 Apache | 1 Tomcat Jk Connector | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy. | |||||
| CVE-2018-1320 | 4 Apache, Debian, F5 and 1 more | 5 Thrift, Debian Linux, Traffix Signaling Delivery Controller and 2 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete. | |||||
| CVE-2018-1319 | 1 Apache | 1 Allura | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results may occur including XSS or service denial for the victim's browsing session. | |||||
| CVE-2018-1318 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache Traffic Server (ATS) 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions. | |||||
| CVE-2018-1317 | 1 Apache | 1 Zeppelin | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication. | |||||
| CVE-2018-1316 | 1 Apache | 1 Ode | 2023-11-07 | 6.4 MEDIUM | 7.5 HIGH |
| The ODE process deployment web service was sensible to deployment messages with forged names. Using a path for the name was allowing directory traversal, resulting in the potential writing of files under unwanted locations, the overwriting of existing files or their deletion. This issue was addressed in Apache ODE 1.3.3 which was released in 2009, however the incorrect name CVE-2008-2370 was used on the advisory by mistake. | |||||