Filtered by vendor Apache
Subscribe
Total
1977 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1286 | 1 Apache | 1 Openmeetings | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users. | |||||
| CVE-2018-11792 | 1 Apache | 1 Impala | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Impala before 3.0.1, ALTER TABLE/VIEW RENAME required ALTER on the old table. This may pose a potential security risk, such as having ALTER on a table and ALL on a particular database allows a user to move the table to a database with ALL, which will automatically grant that user with ALL privilege on that table due to the privilege inherited from the database. | |||||
| CVE-2018-11786 | 1 Apache | 1 Karaf | 2019-10-02 | 9.0 HIGH | 8.8 HIGH |
| In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user. | |||||
| CVE-2018-11785 | 1 Apache | 1 Impala | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing authorization check in Apache Impala before 3.0.1 allows a Kerberos-authenticated but unauthorized user to inject random data into a running query, leading to wrong results for a query. | |||||
| CVE-2018-11777 | 1 Apache | 1 Hive | 2019-10-02 | 5.5 MEDIUM | 8.1 HIGH |
| In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use. | |||||
| CVE-2018-11769 | 1 Apache | 1 Couchdb | 2019-10-02 | 9.0 HIGH | 7.2 HIGH |
| CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin user to gain arbitrary remote code execution, bypassing CVE-2017-12636 and CVE-2018-8007. | |||||
| CVE-2018-11767 | 1 Apache | 1 Hadoop | 2019-10-02 | 5.8 MEDIUM | 7.4 HIGH |
| In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. | |||||
| CVE-2018-11766 | 1 Apache | 1 Hadoop | 2019-10-02 | 9.0 HIGH | 8.8 HIGH |
| In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user. | |||||
| CVE-2018-11760 | 1 Apache | 1 Spark | 2019-10-02 | 2.1 LOW | 5.5 MEDIUM |
| When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. | |||||
| CVE-2018-11757 | 1 Apache | 1 Openwhisk | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| In Docker Skeleton Runtime for Apache OpenWhisk, a Docker action inheriting the Docker tag openwhisk/dockerskeleton:1.3.0 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation. | |||||
| CVE-2018-11756 | 2 Apache, Php | 2 Openwhisk, Php | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| In PHP Runtime for Apache OpenWhisk, a Docker action inheriting one of the Docker tags openwhisk/action-php-v7.2:1.0.0 or openwhisk/action-php-v7.1:1.0.1 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation. | |||||
| CVE-2018-1000420 | 1 Apache | 1 Mesos | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins. | |||||
| CVE-2017-9804 | 1 Apache | 1 Struts | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672. | |||||
| CVE-2017-9799 | 1 Apache | 1 Storm | 2019-10-02 | 4.3 MEDIUM | 8.8 HIGH |
| It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised. | |||||
| CVE-2017-9792 | 1 Apache | 1 Impala | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Apache Impala (incubating) before 2.10.0, a malicious user with "ALTER" permissions on an Impala table can access any other Kudu table data by altering the table properties to make it "external" and then changing the underlying table mapping to point to other Kudu tables. This violates and works around the authorization requirement that creating a Kudu external table via Impala requires an "ALL" privilege at the server scope. This privilege requirement for "CREATE" commands is enforced to precisely avoid this scenario where a malicious user can change the underlying Kudu table mapping. The fix is to enforce the same privilege requirement for "ALTER" commands that would make existing non-external Kudu tables external. | |||||
| CVE-2017-9790 | 1 Apache | 1 Mesos | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. | |||||
| CVE-2017-9787 | 1 Apache | 1 Struts | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | |||||
| CVE-2017-9797 | 1 Apache | 1 Geode | 2019-10-02 | 5.8 MEDIUM | 6.5 MEDIUM |
| When an Apache Geode cluster before v1.2.1 is operating in secure mode, an unauthenticated client can enter multi-user authentication mode and send metadata messages. These metadata operations could leak information about application data types. In addition, an attacker could perform a denial of service attack on the cluster. | |||||
| CVE-2017-7688 | 1 Apache | 1 Openmeetings | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Apache OpenMeetings 1.0.0 updates user password in insecure manner. | |||||
| CVE-2017-7687 | 1 Apache | 1 Mesos | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. | |||||