Filtered by vendor Apache
Subscribe
Total
2746 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-3689 | 3 Apache, Canonical, Debian | 3 Openoffice, Ubuntu Linux, Debian Linux | 2025-04-11 | 6.9 MEDIUM | N/A |
|
soffice in OpenOffice.org (OOo) 3.x before 3.3 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
|
|||||
| CVE-2012-1006 | 1 Apache | 1 Struts | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders.
|
|||||
| CVE-2013-0177 | 1 Apache | 1 Ofbiz | 2025-04-11 | 3.5 LOW | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1) Screenlet.title or (2) Image.alt Widget attribute, as demonstrated by the parentPortalPageId parameter to exampleext/control/ManagePortalPages.
|
|||||
| CVE-2009-2693 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.8 MEDIUM | N/A |
|
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.
|
|||||
| CVE-2010-4494 | 10 Apache, Apple, Debian and 7 more | 17 Openoffice, Iphone Os, Itunes and 14 more | 2025-04-11 | 7.5 HIGH | N/A |
|
Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.
|
|||||
| CVE-2011-1088 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.8 MEDIUM | N/A |
|
Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.
|
|||||
| CVE-2012-2733 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.0 MEDIUM | N/A |
|
java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data.
|
|||||
| CVE-2011-2329 | 1 Apache | 1 Rampart\/c | 2025-04-11 | 6.5 MEDIUM | N/A |
|
The rampart_timestamp_token_validate function in util/rampart_timestamp_token.c in Apache Rampart/C 1.3.0 does not properly calculate the expiration of timestamp tokens, which allows remote attackers to bypass intended access restrictions by leveraging an expired token, a different vulnerability than CVE-2011-0730.
|
|||||
| CVE-2012-6551 | 1 Apache | 1 Activemq | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests.
|
|||||
| CVE-2012-2098 | 1 Apache | 1 Commons Compress | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
|
|||||
| CVE-2012-0053 | 5 Apache, Debian, Opensuse and 2 more | 12 Http Server, Debian Linux, Opensuse and 9 more | 2025-04-11 | 4.3 MEDIUM | N/A |
|
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
|
|||||
| CVE-2011-3375 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.
|
|||||
| CVE-2010-2953 | 1 Apache | 1 Couchdb | 2025-04-11 | 6.9 MEDIUM | N/A |
|
Untrusted search path vulnerability in a certain Debian GNU/Linux patch for the couchdb script in CouchDB 0.8.0 allows local users to gain privileges via a crafted shared library in the current working directory.
|
|||||
| CVE-2010-4539 | 1 Apache | 1 Subversion | 2025-04-11 | 6.8 MEDIUM | N/A |
|
The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger the walking of SVNParentPath collections.
|
|||||
| CVE-2012-2149 | 3 Apache, Libwpd, Redhat | 4 Openoffice.org, Libwpd, Enterprise Linux Optional Productivity Applications and 1 more | 2025-04-11 | 7.5 HIGH | N/A |
|
The WPXContentListener::_closeTableRow function in WPXContentListener.cpp in libwpd 0.8.8, as used by OpenOffice.org (OOo) before 3.4, allows remote attackers to execute arbitrary code via a crafted Wordperfect .WPD document that causes a negative array index to be used. NOTE: some sources report this issue as an integer overflow.
|
|||||
| CVE-2011-3639 | 1 Apache | 10 Http Server, Http Server2.0a1, Http Server2.0a2 and 7 more | 2025-04-11 | 4.3 MEDIUM | N/A |
|
The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x before 2.2.18, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers by using the HTTP/0.9 protocol with a malformed URI containing an initial @ (at sign) character. NOTE: this vulnerability exists because of an incomplete fix for ...
Show More |
|||||
| CVE-2012-4431 | 1 Apache | 1 Tomcat | 2025-04-11 | 4.3 MEDIUM | N/A |
|
org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.
|
|||||
| CVE-2010-1870 | 1 Apache | 1 Struts | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation ...
Show More |
|||||
| CVE-2010-2068 | 4 Apache, Ibm, Microsoft and 1 more | 4 Http Server, Os2, Windows and 1 more | 2025-04-11 | 5.0 MEDIUM | N/A |
|
mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request.
|
|||||
| CVE-2010-1623 | 1 Apache | 2 Apr-util, Http Server | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.
|
|||||
| CVE-2013-2136 | 1 Apache | 1 Cloudstack | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Physical network name to the Zone wizard; (2) New network name, (3) instance name, or (4) group to the Instance wizard; (5) unspecified "multi-edit fields;" and (6) unspecified "list view" edit fields related to global settings.
|
|||||
| CVE-2011-5057 | 1 Apache | 1 Struts | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance ...
Show More |
|||||
| CVE-2013-6408 | 1 Apache | 1 Solr | 2025-04-11 | 6.4 MEDIUM | N/A |
|
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
|
|||||
| CVE-2010-2952 | 1 Apache | 1 Traffic Server | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs, and does not properly use DNS query fields to validate responses, which makes it easier for man-in-the-middle attackers to poison the internal DNS cache via a crafted response.
|
|||||
| CVE-2012-1089 | 1 Apache | 1 Wicket | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary web-application files via a relative pathname in a URL for a Wicket resource that corresponds to a null package.
|
|||||
| CVE-2012-0022 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.
|
|||||
| CVE-2012-0037 | 6 Apache, Debian, Fedoraproject and 3 more | 13 Openoffice, Debian Linux, Fedora and 10 more | 2025-04-11 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML external entity (XXE) declaration and reference in an RDF document.
|
|||||
| CVE-2013-0942 | 3 Apache, Emc, Microsoft | 3 Http Server, Rsa Authentication Agent, Internet Information Server | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Agent 7.1 before 7.1.1 for Web for Internet Information Services, and 7.1 before 7.1.1 for Web for Apache, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2011-3348 | 2 Apache, Redhat | 3 Http Server, Enterprise Linux, Jboss Enterprise Web Server | 2025-04-11 | 4.3 MEDIUM | N/A |
|
The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.
|
|||||
| CVE-2012-2145 | 1 Apache | 1 Qpid | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Apache Qpid 0.17 and earlier does not properly restrict incoming client connections, which allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of incomplete connections.
|
|||||
| CVE-2010-1157 | 1 Apache | 1 Tomcat | 2025-04-11 | 2.6 LOW | N/A |
|
Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply.
|
|||||
| CVE-2012-3544 | 1 Apache | 1 Tomcat | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.
|
|||||
| CVE-2010-1452 | 1 Apache | 1 Http Server | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.
|
|||||
| CVE-2010-1244 | 1 Apache | 1 Activemq | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Cross-site request forgery (CSRF) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote attackers to hijack the authentication of unspecified victims for requests that create queues via the JMSDestination parameter in a queue action.
|
|||||
| CVE-2012-4557 | 1 Apache | 1 Http Server | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.
|
|||||
| CVE-2007-6750 | 1 Apache | 1 Http Server | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.
|
|||||
| CVE-2010-4408 | 1 Apache | 1 Archiva | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.
|
|||||
| CVE-2009-5005 | 2 Apache, Redhat | 2 Qpid, Enterprise Mrg | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The Cluster::deliveredEvent function in cluster/Cluster.cpp in Apache Qpid, as used in Red Hat Enterprise MRG before 1.3 and other products, allows remote attackers to cause a denial of service (daemon crash and cluster outage) via invalid AMQP data.
|
|||||
| CVE-2011-2516 | 2 Apache, Shibboleth | 2 Xml Security For C\+\+, Shibboleth-sp | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to cause a denial of service (crash) via a signature using a large RSA key, which triggers a buffer overflow.
|
|||||
| CVE-2012-0393 | 1 Apache | 1 Struts | 2025-04-11 | 6.4 MEDIUM | N/A |
|
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
|
|||||