Filtered by vendor Apache Subscriptions
Total 2404 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-17567 4 Apache, Fedoraproject, Oracle and 1 more 6 Http Server, Fedora, Enterprise Manager Ops Center and 3 more 2024-11-21 5.3 Medium
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
CVE-2019-17566 3 Apache, Oracle, Redhat 21 Batik, Api Gateway, Business Intelligence and 18 more 2024-11-21 7.5 High
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVE-2019-17565 2 Apache, Debian 2 Traffic Server, Debian Linux 2024-11-21 9.8 Critical
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding. Upgrade to versions 7.1.9 and 8.0.6 or later versions.
CVE-2019-17564 1 Apache 1 Dubbo 2024-11-21 9.8 Critical
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
CVE-2019-17563 6 Apache, Canonical, Debian and 3 more 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more 2024-11-21 7.5 High
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
CVE-2019-17562 1 Apache 1 Cloudstack 2024-11-21 9.8 Critical
A buffer overflow vulnerability has been found in the baremetal component of Apache CloudStack. This applies to all versions prior to 4.13.1. The vulnerability is due to the lack of validation of the mac parameter in baremetal virtual router. If you insert an arbitrary shell command into the mac parameter, v-router will process the command. For example: Normal: http://{GW}:10086/baremetal/provisiondone/{mac}, Abnormal: http://{GW}:10086/baremetal/provisiondone/#';whoami;#. Mitigation of this issue is an upgrade to Apache CloudStack 4.13.1.0 or beyond.
CVE-2019-17561 2 Apache, Oracle 2 Netbeans, Graalvm 2024-11-21 7.5 High
The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
CVE-2019-17560 2 Apache, Oracle 2 Netbeans, Graalvm 2024-11-21 9.1 Critical
The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
CVE-2019-17559 2 Apache, Debian 2 Traffic Server, Debian Linux 2024-11-21 9.8 Critical
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing. Upgrade to versions 7.1.9 and 8.0.6 or later versions.
CVE-2019-17557 1 Apache 1 Syncope 2024-11-21 5.4 Medium
It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.
CVE-2019-17556 1 Apache 1 Olingo 2024-11-21 9.8 Critical
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
CVE-2019-17555 1 Apache 1 Olingo 2024-11-21 7.5 High
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack.
CVE-2019-17554 1 Apache 1 Olingo 2024-11-21 5.5 Medium
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
CVE-2019-17359 4 Apache, Bouncycastle, Netapp and 1 more 21 Tomee, Legion-of-the-bouncy-castle-java-crytography-api, Active Iq Unified Manager and 18 more 2024-11-21 7.5 High
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
CVE-2019-17195 4 Apache, Connect2id, Oracle and 1 more 17 Hadoop, Nimbus Jose\+jwt, Communications Cloud Native Core Security Edge Protection Proxy and 14 more 2024-11-21 9.8 Critical
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
CVE-2019-15544 2 Apache, Rust-protobuf Project 2 Hbase, Rust-protobuf 2024-11-21 7.5 High
An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.
CVE-2019-14892 3 Apache, Fasterxml, Redhat 13 Geode, Jackson-databind, Decision Manager and 10 more 2024-11-21 9.8 Critical
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2019-14439 6 Apache, Debian, Fasterxml and 3 more 20 Drill, Debian Linux, Jackson-databind and 17 more 2024-11-21 7.5 High
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVE-2019-13990 6 Apache, Atlassian, Netapp and 3 more 35 Tomee, Jira Service Management, Active Iq Unified Manager and 32 more 2024-11-21 9.8 Critical
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
CVE-2019-12426 1 Apache 1 Ofbiz 2024-11-21 5.3 Medium
an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06