Filtered by vendor Apache Subscriptions
Total 2549 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-17518 2 Apache, Redhat 4 Flink, Camel Quarkus, Integration and 1 more 2025-02-13 7.5 High
Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.
CVE-2020-17515 1 Apache 1 Airflow 2025-02-13 6.1 Medium
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.
CVE-2020-17513 1 Apache 1 Airflow 2025-02-13 5.3 Medium
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
CVE-2020-17511 1 Apache 1 Airflow 2025-02-13 6.5 Medium
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.
CVE-2020-13959 2 Apache, Debian 2 Velocity Tools, Debian Linux 2025-02-13 6.1 Medium
The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
CVE-2020-13954 4 Apache, Netapp, Oracle and 1 more 8 Cxf, Snap Creator Framework, Vasa Provider For Clustered Data Ontap and 5 more 2025-02-13 6.1 Medium
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
CVE-2020-13942 1 Apache 1 Unomi 2025-02-13 9.8 Critical
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
CVE-2020-13936 4 Apache, Debian, Oracle and 1 more 22 Velocity Engine, Wss4j, Debian Linux and 19 more 2025-02-13 8.8 High
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
CVE-2020-13924 1 Apache 1 Ambari 2025-02-13 7.5 High
In Apache Ambari versions 2.6.2.2 and earlier, malicious users can construct file names for directory traversal and traverse to other directories to download files.
CVE-2020-13922 1 Apache 1 Dolphinscheduler 2025-02-13 6.5 Medium
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.
CVE-2020-11995 1 Apache 1 Dubbo 2025-02-13 9.8 Critical
A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.
CVE-2019-0231 2 Apache, Redhat 6 Mina, Jboss Enterprise Bpms Platform, Jboss Enterprise Brms Platform and 3 more 2025-02-13 7.5 High
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.
CVE-2012-5639 3 Apache, Debian, Libreoffice 3 Openoffice, Debian Linux, Libreoffice 2025-02-13 6.5 Medium
LibreOffice and OpenOffice automatically open embedded content
CVE-2023-28708 2 Apache, Redhat 3 Tomcat, Enterprise Linux, Jboss Enterprise Web Server 2025-02-13 4.3 Medium
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
CVE-2023-25695 1 Apache 1 Airflow 2025-02-13 5.3 Medium
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2.
CVE-2023-25693 1 Apache 1 Apache-airflow-providers-apache-sqoop 2025-02-13 9.8 Critical
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
CVE-2022-38745 2 Apache, Redhat 2 Openoffice, Enterprise Linux 2025-02-13 7.8 High
Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.
CVE-2023-26513 1 Apache 1 Sling Resource Merger 2025-02-13 7.5 High
Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.
CVE-2024-45626 1 Apache 1 James Server 2025-02-12 6.5 Medium
Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.
CVE-2024-55633 1 Apache 1 Superset 2025-02-12 6.5 Medium
Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.  This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.