Filtered by vendor Apache
Subscribe
Total
2746 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-1768 | 1 Apache | 1 Openjpa | 2025-04-11 | 7.5 HIGH | N/A |
|
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
|
|||||
| CVE-2013-4558 | 1 Apache | 2 Mod Dav Svn, Subversion | 2025-04-11 | 3.5 LOW | N/A |
|
The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.
|
|||||
| CVE-2012-1181 | 1 Apache | 2 Http Server, Mod Fcgid | 2025-04-11 | 5.0 MEDIUM | N/A |
|
fcgid_spawn_ctl.c in the mod_fcgid module 2.3.6 for the Apache HTTP Server does not recognize the FcgidMaxProcessesPerClass directive for a virtual host, which makes it easier for remote attackers to cause a denial of service (memory consumption) via a series of HTTP requests that triggers a process count higher than the intended limit.
|
|||||
| CVE-2010-1151 | 1 Apache | 1 Apache Http Server | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials.
|
|||||
| CVE-2012-3376 | 1 Apache | 1 Hadoop | 2025-04-11 | 7.5 HIGH | N/A |
|
DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.
|
|||||
| CVE-2011-4858 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
|
|||||
| CVE-2012-0047 | 1 Apache | 1 Wicket | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pageMapName parameter.
|
|||||
| CVE-2012-4501 | 2 Apache, Citrix | 2 Cloudstack, Cloudstack | 2025-04-11 | 10.0 HIGH | N/A |
|
Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs.
|
|||||
| CVE-2012-2378 | 1 Apache | 1 Cxf | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.
|
|||||
| CVE-2011-1928 | 1 Apache | 2 Apr-util, Http Server | 2025-04-11 | 4.3 MEDIUM | N/A |
|
The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.
|
|||||
| CVE-2010-3451 | 3 Apache, Canonical, Debian | 3 Openoffice, Ubuntu Linux, Debian Linux | 2025-04-11 | 9.3 HIGH | N/A |
|
Use-after-free vulnerability in oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via malformed tables in an RTF document.
|
|||||
| CVE-2010-0432 | 1 Apache | 1 Ofbiz | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control ...
Show More |
|||||
| CVE-2013-1896 | 4 Apache, Canonical, Opensuse and 1 more | 10 Http Server, Ubuntu Linux, Opensuse and 7 more | 2025-04-11 | 4.3 MEDIUM | N/A |
|
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
|
|||||
| CVE-2011-2688 | 3 Apache, Debian, Mod Authnz External Project | 3 Http Server, Debian Linux, Mod Authnz External | 2025-04-11 | 7.5 HIGH | N/A |
|
SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field.
|
|||||
| CVE-2010-2234 | 1 Apache | 1 Couchdb | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Cross-site request forgery (CSRF) vulnerability in Apache CouchDB 0.8.0 through 0.11.0 allows remote attackers to hijack the authentication of administrators for direct requests to an installation URL.
|
|||||
| CVE-2010-4253 | 3 Apache, Canonical, Debian | 3 Openoffice, Ubuntu Linux, Debian Linux | 2025-04-11 | 9.3 HIGH | N/A |
|
Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file in an ODF or Microsoft Office document, as demonstrated by a PowerPoint (aka PPT) document.
|
|||||
| CVE-2011-1176 | 3 Apache, Debian, Mpm-itk Project | 3 Http Server, Debian Linux, Mpm-itk | 2025-04-11 | 4.3 MEDIUM | N/A |
|
The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.
|
|||||
| CVE-2013-5697 | 2 Apache, Simone Tellini | 2 Http Server, Mod Accounting | 2025-04-11 | 7.5 HIGH | N/A |
|
SQL injection vulnerability in mod_accounting.c in the mod_accounting module 0.5 and earlier for Apache allows remote attackers to execute arbitrary SQL commands via a Host header.
|
|||||
| CVE-2009-4269 | 1 Apache | 1 Derby | 2025-04-11 | 2.1 LOW | N/A |
|
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
|
|||||
| CVE-2013-1849 | 1 Apache | 1 Subversion | 2025-04-11 | 4.3 MEDIUM | N/A |
|
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a PROPFIND request for an activity URL.
|
|||||
| CVE-2011-0533 | 1 Apache | 2 Archiva, Continuum | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in Apache Continuum 1.1 through 1.2.3.1, 1.3.6, and 1.4.0 Beta; and Archiva 1.3.0 through 1.3.3 and 1.0 through 1.22 allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to the autoIncludeParameters setting for the extremecomponents table.
|
|||||
| CVE-2012-6612 | 1 Apache | 1 Solr | 2025-04-11 | 7.5 HIGH | N/A |
|
The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
|
|||||
| CVE-2012-4387 | 1 Apache | 1 Struts | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
|
|||||
| CVE-2010-2057 | 1 Apache | 1 Myfaces | 2025-04-11 | 5.0 MEDIUM | N/A |
|
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
|
|||||
| CVE-2012-1007 | 1 Apache | 1 Struts | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.
|
|||||
| CVE-2012-6092 | 1 Apache | 1 Activemq | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. NOTE: AMQ-4124 is covered by CVE-2012-6551.
|
|||||
| CVE-2013-4212 | 1 Apache | 1 Roller | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated by the pageTitle parameter in the !getPageTitle sub-URL to roller-ui/login.rol, which uses a subclass of UIAction, aka "OGNL Injection."
|
|||||
| CVE-2009-3301 | 3 Apache, Canonical, Debian | 3 Openoffice, Ubuntu Linux, Debian Linux | 2025-04-11 | 9.3 HIGH | N/A |
|
Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document.
|
|||||
| CVE-2012-2665 | 5 Apache, Canonical, Debian and 2 more | 11 Openoffice, Ubuntu Linux, Debian Linux and 8 more | 2025-04-11 | 7.5 HIGH | N/A |
|
Multiple heap-based buffer overflows in the XML manifest encryption tag parsing functionality in OpenOffice.org and LibreOffice before 3.5.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Open Document Text (.odt) file with (1) a child tag within an incorrect parent tag, (2) duplicate tags, or (3) a Base64 ChecksumAttribute whose length is not evenly divisible by four.
|
|||||
| CVE-2012-5351 | 1 Apache | 1 Axis2 | 2025-04-11 | 6.4 MEDIUM | N/A |
|
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
|
|||||
| CVE-2013-2154 | 1 Apache | 1 Xml Security For C\+\+ | 2025-04-11 | 7.5 HIGH | N/A |
|
Stack-based buffer overflow in the XML Signature Reference functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed XPointer expressions, probably related to the DSIGReference::getURIBaseTXFM function.
|
|||||
| CVE-2013-2172 | 1 Apache | 1 Santuario Xml Security For Java | 2025-04-11 | 4.3 MEDIUM | N/A |
|
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
|
|||||
| CVE-2010-3854 | 1 Apache | 1 Couchdb | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in the web administration interface (aka Futon) in Apache CouchDB 0.8.0 through 1.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2011-5063 | 1 Apache | 1 Tomcat | 2025-04-11 | 4.3 MEDIUM | N/A |
|
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.
|
|||||
| CVE-2010-0010 | 1 Apache | 1 Http Server | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.
|
|||||
| CVE-2012-4459 | 1 Apache | 1 Qpid | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Integer overflow in the qpid::framing::Buffer::checkAvailable function in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (crash) via a crafted message, which triggers an out-of-bounds read.
|
|||||
| CVE-2011-2712 | 1 Apache | 1 Wicket | 2025-04-11 | 2.6 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
|
|||||
| CVE-2013-2088 | 3 Apache, Collabnet, Opensuse | 3 Subversion, Subversion, Opensuse | 2025-04-11 | 7.1 HIGH | N/A |
|
contrib/hook-scripts/svn-keyword-check.pl in Subversion before 1.6.23 allows remote authenticated users with commit permissions to execute arbitrary commands via shell metacharacters in a filename.
|
|||||
| CVE-2012-4458 | 1 Apache | 1 Qpid | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The AMQP type decoder in Apache Qpid 0.20 and earlier allows remote attackers to cause a denial of service (memory consumption and server crash) via a large number of zero width elements in the client-properties map in a connection.start-ok message.
|
|||||
| CVE-2013-4365 | 4 Apache, Debian, Opensuse and 1 more | 6 Http Server, Mod Fcgid, Debian Linux and 3 more | 2025-04-11 | 7.5 HIGH | N/A |
|
Heap-based buffer overflow in the fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.9 for the Apache HTTP Server allows remote attackers to have an unspecified impact via unknown vectors.
|
|||||