ReportizFlow
Filtered by vendor Apache
Subscriptions
Total
2404 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-21234 | 2 Apache, Jodd | 2 Hive, Jodd | 2024-11-21 | 9.8 Critical |
| Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set. | ||||
| CVE-2018-20245 | 1 Apache | 1 Airflow | 2024-11-21 | N/A |
| The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking. | ||||
| CVE-2018-20244 | 1 Apache | 1 Airflow | 2024-11-21 | N/A |
| In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | ||||
| CVE-2018-20243 | 1 Apache | 1 Fineract | 2024-11-21 | 7.5 High |
| The implementation of POST with the username and password in the URL parameters exposed the credentials. More infomration is available in fineract jira issues 726 and 629. | ||||
| CVE-2018-20242 | 1 Apache | 1 Jspwiki | 2024-11-21 | N/A |
| A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking. | ||||
| CVE-2018-1340 | 1 Apache | 1 Guacamole | 2024-11-21 | N/A |
| Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain. | ||||
| CVE-2018-1339 | 2 Apache, Redhat | 2 Tika, Jboss Fuse | 2024-11-21 | N/A |
| A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18. | ||||
| CVE-2018-1338 | 2 Apache, Redhat | 2 Tika, Jboss Fuse | 2024-11-21 | N/A |
| A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18. | ||||
| CVE-2018-1337 | 1 Apache | 1 Directory Ldap Api | 2024-11-21 | N/A |
| In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request). | ||||
| CVE-2018-1336 | 4 Apache, Canonical, Debian and 1 more | 12 Tomcat, Ubuntu Linux, Debian Linux and 9 more | 2024-11-21 | 7.5 High |
| An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. | ||||
| CVE-2018-1335 | 2 Apache, Redhat | 2 Tika, Jboss Data Virtualization | 2024-11-21 | N/A |
| From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18. | ||||
| CVE-2018-1334 | 1 Apache | 1 Spark | 2024-11-21 | N/A |
| In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. | ||||
| CVE-2018-1333 | 4 Apache, Canonical, Netapp and 1 more | 7 Http Server, Ubuntu Linux, Cloud Backup and 4 more | 2024-11-21 | N/A |
| By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33). | ||||
| CVE-2018-1332 | 1 Apache | 1 Storm | 2024-11-21 | N/A |
| Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons. | ||||
| CVE-2018-1331 | 1 Apache | 1 Storm | 2024-11-21 | N/A |
| In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user. | ||||
| CVE-2018-1330 | 1 Apache | 1 Mesos | 2024-11-21 | N/A |
| When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. | ||||
| CVE-2018-1328 | 1 Apache | 1 Zeppelin | 2024-11-21 | N/A |
| Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph". | ||||
| CVE-2018-1327 | 1 Apache | 1 Struts | 2024-11-21 | N/A |
| The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16. | ||||
| CVE-2018-1324 | 2 Apache, Oracle | 3 Commons Compress, Mysql Cluster, Weblogic Server | 2024-11-21 | 5.5 Medium |
| A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package. | ||||
| CVE-2018-1323 | 2 Apache, Redhat | 2 Tomcat Jk Connector, Jboss Core Services | 2024-11-21 | N/A |
| The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy. | ||||