Filtered by vendor Apache Subscriptions
Total 2404 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-0230 2 Apache, Oracle 5 Struts, Communications Policy Management, Financial Services Data Integration Hub and 2 more 2024-11-21 9.8 Critical
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
CVE-2019-0229 1 Apache 1 Airflow 2024-11-21 N/A
A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.
CVE-2019-0228 3 Apache, Fedoraproject, Oracle 14 James, Pdfbox, Fedora and 11 more 2024-11-21 9.8 Critical
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
CVE-2019-0227 2 Apache, Oracle 37 Axis, Agile Engineering Data Management, Agile Product Lifecycle Management Framework and 34 more 2024-11-21 7.5 High
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
CVE-2019-0226 1 Apache 1 Karaf 2024-11-21 N/A
Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. User should upgrade to Apache Karaf 4.2.5 or later.
CVE-2019-0225 1 Apache 1 Jspwiki 2024-11-21 7.5 High
A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.
CVE-2019-0224 1 Apache 1 Jspwiki 2024-11-21 N/A
In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.
CVE-2019-0223 2 Apache, Redhat 17 Qpid, A Mq Clients, Cloudforms Managementengine and 14 more 2024-11-21 7.4 High
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.
CVE-2019-0222 5 Apache, Debian, Netapp and 2 more 9 Activemq, Debian Linux, E-series Santricity Web Services and 6 more 2024-11-21 7.5 High
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
CVE-2019-0221 2 Apache, Redhat 2 Tomcat, Jboss Enterprise Web Server 2024-11-21 N/A
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
CVE-2019-0220 6 Apache, Canonical, Debian and 3 more 8 Http Server, Ubuntu Linux, Debian Linux and 5 more 2024-11-21 N/A
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.
CVE-2019-0219 2 Apache, Oracle 3 Cordova Inappbrowser, Instantis Enterprisetrack, Retail Xstore Point Of Service 2024-11-21 9.8 Critical
A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.
CVE-2019-0218 1 Apache 1 Pony Mail 2024-11-21 N/A
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-0217 8 Apache, Canonical, Debian and 5 more 16 Http Server, Ubuntu Linux, Debian Linux and 13 more 2024-11-21 7.5 High
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
CVE-2019-0216 1 Apache 1 Airflow 2024-11-21 N/A
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
CVE-2019-0215 3 Apache, Fedoraproject, Redhat 3 Http Server, Fedora, Enterprise Linux 2024-11-21 N/A
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.
CVE-2019-0214 1 Apache 1 Archiva 2024-11-21 N/A
In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.
CVE-2019-0213 1 Apache 1 Archiva 2024-11-21 N/A
In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.
CVE-2019-0212 1 Apache 1 Hbase 2024-11-21 N/A
In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server.
CVE-2019-0210 3 Apache, Oracle, Redhat 9 Thrift, Communications Cloud Native Core Network Slice Selection Function, Enterprise Linux Server and 6 more 2024-11-21 7.5 High
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.