Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Apache Subscribe
Total 1977 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-4430 1 Apache 1 Struts 2017-10-30 6.8 MEDIUM 8.8 HIGH
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
CVE-2010-2232 1 Apache 1 Derby 2017-10-26 5.0 MEDIUM 7.5 HIGH
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file.
CVE-2016-6806 1 Apache 1 Wicket 2017-10-23 6.8 MEDIUM 8.8 HIGH
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.
CVE-2003-1418 1 Apache 1 Http Server 2017-10-19 4.3 MEDIUM N/A
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID).
CVE-2014-0043 1 Apache 1 Wicket 2017-10-11 5.0 MEDIUM 5.3 MEDIUM
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
CVE-2007-0451 1 Apache 1 Spamassassin 2017-10-10 4.3 MEDIUM N/A
Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."
CVE-2005-3351 1 Apache 1 Spamassassin 2017-10-10 5.0 MEDIUM N/A
SpamAssassin 3.0.4 allows attackers to bypass spam detection via an e-mail with a large number of recipients ("To" addresses), which triggers a bus error in Perl.
CVE-2003-0973 1 Apache 1 Mod Python 2017-10-10 5.0 MEDIUM N/A
Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.
CVE-2003-0045 1 Apache 1 Tomcat 2017-10-09 5.0 MEDIUM N/A
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
CVE-2003-0043 1 Apache 1 Tomcat 2017-10-09 5.0 MEDIUM N/A
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
CVE-2004-0263 2 Apache, Ibm 2 Http Server, Http Server 2017-10-09 5.0 MEDIUM N/A
PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information.
CVE-2004-0173 1 Apache 1 Http Server 2017-10-09 5.0 MEDIUM N/A
Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences.
CVE-2000-0869 2 Apache, Suse 2 Http Server, Suse Linux 2017-10-09 5.0 MEDIUM N/A
The default configuration of Apache 1.3.12 in SuSE Linux 6.4 enables WebDAV, which allows remote attackers to list arbitrary directories via the PROPFIND HTTP request method.
CVE-2000-0868 2 Apache, Suse 2 Http Server, Suse Linux 2017-10-09 5.0 MEDIUM N/A
The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/.
CVE-2001-0590 1 Apache 1 Tomcat 2017-10-09 5.0 MEDIUM N/A
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
CVE-2001-1072 1 Apache 1 Http Server 2017-10-09 5.0 MEDIUM N/A
Apache with mod_rewrite enabled on most UNIX systems allows remote attackers to bypass RewriteRules by inserting extra / (slash) characters into the requested path, which causes the regular expression in the RewriteRule to fail.
CVE-2001-0042 1 Apache 1 Http Server 2017-10-09 5.0 MEDIUM N/A
PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack containing "%5c" (encoded backslash) sequences.
CVE-2017-9794 1 Apache 1 Geode 2017-10-06 4.0 MEDIUM 4.3 MEDIUM
When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view.
CVE-2016-8744 1 Apache 1 Brooklyn 2017-09-29 9.0 HIGH 8.8 HIGH
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
CVE-2007-5731 1 Apache 1 Jakarta Slide 2017-09-28 3.5 LOW N/A
Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and earlier allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag, a related issue to CVE-2007-5461.