| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2018-11767 | 1 Apache | 1 Hadoop | 2024-11-21 | N/A | In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, and 2.7.5 to 2.7.6, the KMS may block users or grant access to users incorrectly if the system uses non-default group mapping mechanisms. |
| CVE-2018-11766 | 1 Apache | 1 Hadoop | 2024-11-21 | N/A | In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to the yarn user can possibly run arbitrary commands as the root user. |
| CVE-2018-11765 | 1 Apache | 1 Hadoop | 2024-11-21 | 7.5 High | In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. |
| CVE-2018-11764 | 1 Apache | 1 Hadoop | 2024-11-21 | 8.8 High | The web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured. |
| CVE-2018-11763 | 5 Apache, Canonical, Netapp and 2 more | 11 Http Server, Ubuntu Linux, Storage Automation Store and 8 more | 2024-11-21 | N/A | In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, a server thread and CPU time without any connection timeout coming into effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. |
| CVE-2018-11762 | 1 Apache | 1 Tika | 2024-11-21 | N/A | In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the command line (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file. |
| CVE-2018-11761 | 2 Apache, Oracle | 2 Tika, Business Process Management Suite | 2024-11-21 | N/A | In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack. |
| CVE-2018-11760 | 1 Apache | 1 Spark | 2024-11-21 | N/A | When using PySpark, it is possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. |
| CVE-2018-11759 | 3 Apache, Debian, Redhat | 3 Tomcat Jk Connector, Debian Linux, Jboss Core Services | 2024-11-21 | N/A | The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in the Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a subset of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. |
| CVE-2018-11758 | 1 Apache | 1 Cayenne | 2024-11-21 | N/A | This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, and 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from the local machine to a remote machine controlled by the attacker. The cause of the issue is the XML parser processing XML External Entity (XXE) declarations included in the XML. The vulnerability is addressed in Cayenne by disabling XXE processing in all operations that require XML parsing. |
| CVE-2018-11757 | 1 Apache | 1 Openwhisk | 2024-11-21 | N/A | In the Docker Skeleton Runtime for Apache OpenWhisk, a Docker action inheriting the Docker tag openwhisk/dockerskeleton:1.3.0 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation. |
| CVE-2018-11756 | 2 Apache, Php | 2 Openwhisk, Php | 2024-11-21 | N/A | In the PHP Runtime for Apache OpenWhisk, a Docker action inheriting one of the Docker tags openwhisk/action-php-v7.2:1.0.0 or openwhisk/action-php-v7.1:1.0.1 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation. |
| CVE-2018-11752 | 1 Puppet | 1 Cisco Ios | 2024-11-21 | 5.5 Medium | Previous releases of the Puppet cisco_ios module output SSH session debug information, including login credentials, to a world-readable file on every run. These issues have been resolved in the 0.4.0 release. |
| CVE-2018-11751 | 2 Puppet, Redhat | 3 Puppet Server, Satellite, Satellite Capsule | 2024-11-21 | 5.4 Medium | Previous versions of Puppet Agent did not verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0. |
| CVE-2018-11750 | 1 Puppet | 1 Cisco Ios Module | 2024-11-21 | N/A | Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting an SSH connection. As of the 0.4.0 release of cisco_ios, host key checking is enabled by default. |
| CVE-2018-11749 | 1 Puppet | 1 Puppet Enterprise | 2024-11-21 | N/A | When users are configured to use startTLS with RBAC LDAP, at login time the user's credentials are sent in plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS score. |
| CVE-2018-11748 | 1 Puppet | 1 Device Manager | 2024-11-21 | N/A | Previous releases of the Puppet device_manager module create configuration files containing credentials that are world-readable. This issue has been resolved as of device_manager 2.7.0. |
| CVE-2018-11747 | 1 Puppet | 1 Discovery | 2024-11-21 | N/A | Previously, Puppet Discovery shipped with a default generated TLS certificate in the nginx container. In version 1.4.0, a unique certificate is generated on installation, or the user can provide their own TLS certificate for ingress. |
| CVE-2018-11746 | 1 Puppet | 1 Discovery | 2024-11-21 | N/A | In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if an HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery. |
| CVE-2018-11744 | 1 Cloudera | 1 Cloudera Manager | 2024-11-21 | N/A | Cloudera Manager through 5.15 has Incorrect Access Control. |