Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Apache Subscribe
Total 1977 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2009-1956 2 Apache, Canonical 3 Apr-util, Http Server, Ubuntu Linux 2023-03-03 6.4 MEDIUM N/A
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.
CVE-2015-7559 2 Apache, Redhat 3 Activemq, Jboss A-mq, Jboss Fuse 2023-03-03 4.0 MEDIUM 2.7 LOW
It was found that the Apache ActiveMQ client before 5.15.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.
CVE-2023-25621 1 Apache 1 Sling I18n 2023-03-03 N/A 6.5 MEDIUM
Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to. As these translations are used across the whole product, it allows an author to change any text or dialog in the product. For example an attacker might fool someone by changing the text on a delete button to "Info". This issue affects the i18n module of Apache Sling up to version 2.5.18. Version 2.6.2 and higher limit by default i18m dictionaries to certain paths in the repository (/libs and /apps). Users of the module are advised to update to version 2.6.2 or higher, check the configuration for resource loading and then adjust the access permissions for the configured path accordingly.
CVE-2019-13990 4 Apache, Netapp, Oracle and 1 more 30 Tomee, Active Iq Unified Manager, Cloud Secure Agent and 27 more 2023-03-03 7.5 HIGH 9.8 CRITICAL
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVE-2022-24697 1 Apache 1 Kylin 2023-03-03 N/A 9.8 CRITICAL
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.
CVE-2023-25613 1 Apache 1 Kerby 2023-03-01 N/A 9.8 CRITICAL
An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3.
CVE-2022-42889 2 Apache, Netapp 2 Commons Text, Bluexp 2023-03-01 N/A 9.8 CRITICAL
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
CVE-2023-24998 1 Apache 1 Commons Fileupload 2023-03-01 N/A 7.5 HIGH
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
CVE-2014-0048 2 Apache, Docker 2 Geode, Docker 2023-02-28 7.5 HIGH 9.8 CRITICAL
An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways.
CVE-2022-45378 1 Apache 1 Soap 2023-02-28 N/A 9.8 CRITICAL
** UNSUPPPORTED WHEN ASSIGNED **In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2019-0207 1 Apache 1 Tapestry 2023-02-28 5.0 MEDIUM 7.5 HIGH
Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal attack to read any files on Windows platform.
CVE-2019-12422 1 Apache 1 Shiro 2023-02-28 5.0 MEDIUM 7.5 HIGH
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2019-12401 1 Apache 1 Solr 2023-02-28 5.0 MEDIUM 7.5 HIGH
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
CVE-2021-36090 3 Apache, Netapp, Oracle 34 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 31 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVE-2021-36374 2 Apache, Oracle 36 Ant, Agile Engineering Data Management, Agile Plm and 33 more 2023-02-28 4.3 MEDIUM 5.5 MEDIUM
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CVE-2021-36373 2 Apache, Oracle 32 Ant, Agile Plm, Banking Trade Finance and 29 more 2023-02-28 4.3 MEDIUM 5.5 MEDIUM
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CVE-2021-35516 3 Apache, Netapp, Oracle 24 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 21 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-35517 3 Apache, Netapp, Oracle 27 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 24 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CVE-2019-14439 6 Apache, Debian, Fasterxml and 3 more 18 Drill, Debian Linux, Jackson-databind and 15 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVE-2021-35515 3 Apache, Netapp, Oracle 26 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 23 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.