Filtered by vendor Apache Subscriptions
Total 2404 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-21234 2 Apache, Jodd 2 Hive, Jodd 2024-11-21 9.8 Critical
Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.
CVE-2018-20245 1 Apache 1 Airflow 2024-11-21 N/A
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.
CVE-2018-20244 1 Apache 1 Airflow 2024-11-21 N/A
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
CVE-2018-20243 1 Apache 1 Fineract 2024-11-21 7.5 High
The implementation of POST with the username and password in the URL parameters exposed the credentials. More infomration is available in fineract jira issues 726 and 629.
CVE-2018-20242 1 Apache 1 Jspwiki 2024-11-21 N/A
A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking.
CVE-2018-1340 1 Apache 1 Guacamole 2024-11-21 N/A
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.
CVE-2018-1339 2 Apache, Redhat 2 Tika, Jboss Fuse 2024-11-21 N/A
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
CVE-2018-1338 2 Apache, Redhat 2 Tika, Jboss Fuse 2024-11-21 N/A
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
CVE-2018-1337 1 Apache 1 Directory Ldap Api 2024-11-21 N/A
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
CVE-2018-1336 4 Apache, Canonical, Debian and 1 more 12 Tomcat, Ubuntu Linux, Debian Linux and 9 more 2024-11-21 7.5 High
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
CVE-2018-1335 2 Apache, Redhat 2 Tika, Jboss Data Virtualization 2024-11-21 N/A
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
CVE-2018-1334 1 Apache 1 Spark 2024-11-21 N/A
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
CVE-2018-1333 4 Apache, Canonical, Netapp and 1 more 7 Http Server, Ubuntu Linux, Cloud Backup and 4 more 2024-11-21 N/A
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33).
CVE-2018-1332 1 Apache 1 Storm 2024-11-21 N/A
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.
CVE-2018-1331 1 Apache 1 Storm 2024-11-21 N/A
In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.
CVE-2018-1330 1 Apache 1 Mesos 2024-11-21 N/A
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
CVE-2018-1328 1 Apache 1 Zeppelin 2024-11-21 N/A
Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph".
CVE-2018-1327 1 Apache 1 Struts 2024-11-21 N/A
The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.
CVE-2018-1324 2 Apache, Oracle 3 Commons Compress, Mysql Cluster, Weblogic Server 2024-11-21 5.5 Medium
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
CVE-2018-1323 2 Apache, Redhat 2 Tomcat Jk Connector, Jboss Core Services 2024-11-21 N/A
The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy.