ReportizFlow
Filtered by vendor Apache
Subscriptions
Total
2349 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-3166 | 1 Apache | 1 Hadoop | 2024-11-21 | N/A |
| In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file. | ||||
| CVE-2017-3165 | 1 Apache | 1 Brooklyn | 2024-11-21 | N/A |
| In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability. | ||||
| CVE-2017-3164 | 1 Apache | 1 Solr | 2024-11-21 | N/A |
| Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL. | ||||
| CVE-2017-3163 | 2 Apache, Redhat | 2 Solr, Jboss Enterprise Application Platform | 2024-11-21 | N/A |
| When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access. | ||||
| CVE-2017-3162 | 1 Apache | 1 Hadoop | 2024-11-21 | N/A |
| HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0. | ||||
| CVE-2017-3161 | 1 Apache | 1 Hadoop | 2024-11-21 | N/A |
| The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. | ||||
| CVE-2017-3160 | 1 Apache | 1 Cordova | 2024-11-21 | N/A |
| After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip | ||||
| CVE-2017-3159 | 2 Apache, Redhat | 3 Camel, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | ||||
| CVE-2017-3158 | 1 Apache | 1 Guacamole | 2024-11-21 | N/A |
| A race condition in Guacamole's terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data to overlap. Such overlapping writes could cause packet data to be misread as the packet length, resulting in the remaining data being written beyond the end of a statically-allocated buffer. | ||||
| CVE-2017-3157 | 3 Apache, Debian, Redhat | 9 Openoffice, Debian Linux, Enterprise Linux and 6 more | 2024-11-21 | N/A |
| By exploiting the way Apache OpenOffice before 4.1.4 renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to send the document back to the attacker. The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back. | ||||
| CVE-2017-3156 | 2 Apache, Redhat | 3 Cxf, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks. | ||||
| CVE-2017-3155 | 1 Apache | 1 Atlas | 2024-11-21 | N/A |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting. | ||||
| CVE-2017-3154 | 1 Apache | 1 Atlas | 2024-11-21 | N/A |
| Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information. | ||||
| CVE-2017-3153 | 1 Apache | 1 Atlas | 2024-11-21 | N/A |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Reflected XSS in the search functionality. | ||||
| CVE-2017-3152 | 1 Apache | 1 Atlas | 2024-11-21 | N/A |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to DOM XSS in the edit-tag functionality. | ||||
| CVE-2017-3151 | 1 Apache | 1 Atlas | 2024-11-21 | 6.1 Medium |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality. | ||||
| CVE-2017-3150 | 1 Apache | 1 Atlas | 2024-11-21 | N/A |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookies that could be accessible to client-side script. | ||||
| CVE-2017-17837 | 1 Apache | 1 Deltaspike | 2024-11-21 | 6.1 Medium |
| The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get's cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspike-1.8.1. | ||||
| CVE-2017-17836 | 1 Apache | 1 Airflow | 2024-11-21 | N/A |
| In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all credentials from the system. | ||||
| CVE-2017-17835 | 1 Apache | 1 Airflow | 2024-11-21 | N/A |
| In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow. | ||||