Filtered by vendor Apache
Total: 2223 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-17530 | 2 Apache, Oracle | 8 Struts, Business Intelligence, Communications Diameter Intelligence Hub and 5 more | 2022-06-03 | 7.5 HIGH | 9.8 CRITICAL |
| Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. | |||||
| CVE-2021-24117 | 1 Apache | 1 Teaclave Sgx Sdk | 2022-05-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| In Apache Teaclave Rust SGX SDK 1.1.3, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. | |||||
| CVE-2022-24112 | 1 Apache | 1 Apisix | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. | |||||
| CVE-2022-29265 | 1 Apache | 1 Nifi | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services. | |||||
| CVE-2022-23942 | 1 Apache | 1 Doris | 2022-05-06 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure. | |||||
| CVE-2021-41973 | 2 Apache, Oracle | 9 Mina, Banking Payments, Banking Trade Finance Process Management and 6 more | 2022-05-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater. | |||||
| CVE-2022-29266 | 1 Apache | 1 Apisix | 2022-04-29 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key, because the error message returned from the dependency lua-resty-jwt contains sensitive information. | |||||
| CVE-2019-17561 | 2 Apache, Oracle | 2 Netbeans, Graalvm | 2022-04-27 | 5.0 MEDIUM | 7.5 HIGH |
| The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability. | |||||
| CVE-2021-42250 | 1 Apache | 1 Superset | 2022-04-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs. | |||||
| CVE-2022-27479 | 1 Apache | 1 Superset | 2022-04-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue. | |||||
| CVE-2012-5351 | 1 Apache | 1 Axis2 | 2022-04-20 | 6.4 MEDIUM | N/A |
| Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418. | |||||
| CVE-2020-13945 | 1 Apache | 1 Apisix | 2022-04-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Apache APISIX, if the user enables the Admin API and deletes the Admin API access IP restriction rules, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5. | |||||
| CVE-2019-0233 | 2 Apache, Oracle | 5 Struts, Communications Policy Management, Financial Services Data Integration Hub and 2 more | 2022-04-18 | 5.0 MEDIUM | 7.5 HIGH |
| An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. | |||||
| CVE-2022-23974 | 1 Apache | 1 Pinot | 2022-04-15 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache Pinot 0.9.3 and older, the segment upload path allowed segment directories to be imported into Pinot tables. In Pinot installations that allow open access to the controller, a specially crafted request can potentially be exploited to cause disruption in the Pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0 | |||||
| CVE-2022-25757 | 1 Apache | 1 Apisix | 2022-04-04 | 6.8 MEDIUM | 9.8 CRITICAL |
| In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurring value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input. Systems satisfying the three conditions below are affected by this attack: 1. they use body_schema validation in the request-validation plugin; 2. the upstream application uses a JSON library that chooses the first occurring value, like jsoniter or gojay; 3. the upstream application does not validate the input itself. The fix in APISIX is to re-encode the validated JSON input back into the request body on the APISIX side. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX version 2.12.1 and prior versions. | |||||
| CVE-2021-40525 | 1 Apache | 1 James | 2022-03-29 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Apache James ManagedSieve implementation, together with the file storage for sieve scripts, is vulnerable to path traversal, allowing reading and writing of any file. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. | |||||
| CVE-2022-26779 | 1 Apache | 1 Cloudstack | 2022-03-22 | 4.6 MEDIUM | 7.5 HIGH |
| Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite was sent could generate time-deterministic tokens and attempt to brute force them before the legitimate receiver accepts the invite. This feature is not enabled by default; the attacker is required to know or guess the project ID for the invite in addition to the invitation token, and the attacker would need to be an existing authorized user of CloudStack. | |||||
| CVE-2022-25312 | 1 Apache | 1 Any23 | 2022-03-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7. | |||||
| CVE-2021-45229 | 1 Apache | 1 Airflow | 2022-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. | |||||
| CVE-2022-24288 | 1 Apache | 1 Airflow | 2022-03-04 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | |||||
