National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Apache
There are 1,610 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2019-10081

HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.

Published: August 15, 2019; 06:15:12 PM -04:00
(not available)
CVE-2019-9517

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Published: August 13, 2019; 05:15:12 PM -04:00
(not available)
CVE-2019-9515

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Published: August 13, 2019; 05:15:12 PM -04:00
(not available)
CVE-2019-9514

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Published: August 13, 2019; 05:15:12 PM -04:00
(not available)
CVE-2019-9512

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Published: August 13, 2019; 05:15:12 PM -04:00
(not available)
CVE-2019-12397

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.

Published: August 08, 2019; 02:15:10 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10099

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Published: August 07, 2019; 01:15:12 PM -04:00
V3: 7.5 HIGH
V2: 4.3 MEDIUM
CVE-2016-10796

cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130).

Published: August 06, 2019; 10:15:11 AM -04:00
V3: 3.3 LOW
V2: 2.1 LOW
CVE-2016-10786

cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).

Published: August 06, 2019; 09:15:11 AM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-10094

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.

Published: August 02, 2019; 03:15:11 PM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-10093

In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.

Published: August 02, 2019; 03:15:11 PM -04:00
V3: 6.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10088

A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.

Published: August 02, 2019; 03:15:11 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2017-18429

In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291).

Published: August 02, 2019; 12:15:12 PM -04:00
V3: 3.3 LOW
V2: 2.1 LOW
CVE-2017-18428

In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily world-readable during log processing (SEC-290).

Published: August 02, 2019; 12:15:12 PM -04:00
V3: 2.5 LOW
V2: 1.9 LOW
CVE-2017-18424

In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).

Published: August 02, 2019; 12:15:12 PM -04:00
V3: 3.3 LOW
V2: 2.1 LOW
CVE-2017-18422

In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog ownership and permissions (SEC-272).

Published: August 02, 2019; 12:15:12 PM -04:00
V3: 3.3 LOW
V2: 2.1 LOW
CVE-2017-18412

cPanel before 67.9999.103 allows Apache HTTP Server log files to become world-readable because of mishandling on an account rename (SEC-296).

Published: August 02, 2019; 10:15:13 AM -04:00
V3: 2.5 LOW
V2: 1.9 LOW
CVE-2018-20952

cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).

Published: August 01, 2019; 01:15:13 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-20949

cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).

Published: August 01, 2019; 01:15:13 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-20932

cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406).

Published: August 01, 2019; 12:15:13 PM -04:00
V3: 2.7 LOW
V2: 4.0 MEDIUM