U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): Apache
There are 2,422 matching records.
Displaying matches 1,561 through 1,580.
Vuln ID Summary CVSS Severity
CVE-2015-5208

Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link.

Published: May 09, 2016; 4:59:02 PM -0400
V3.0: 4.4 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2015-5207

Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods.

Published: May 09, 2016; 4:59:00 PM -0400
V3.0: 5.3 MEDIUM
V2.0: 7.5 HIGH
CVE-2016-2009

HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Published: May 07, 2016; 6:59:05 AM -0400
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2016-2168

The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.

Published: May 05, 2016; 2:59:01 PM -0400
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2016-2167

The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.

Published: May 05, 2016; 2:59:00 PM -0400
V3.0: 6.8 MEDIUM
V2.0: 4.9 MEDIUM
CVE-2016-3082

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

Published: April 26, 2016; 10:59:03 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Published: April 26, 2016; 10:59:02 AM -0400
V3.0: 8.1 HIGH
V2.0: 9.3 HIGH
CVE-2016-2003

HPE P9000 Command View Advanced Edition Software (CVAE) 7.x and 8.x before 8.4.0-00 and XP7 CVAE 7.x and 8.x before 8.4.0-00 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Published: April 20, 2016; 1:59:02 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2015-1776

Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.

Published: April 19, 2016; 5:59:02 PM -0400
V3.0: 6.2 MEDIUM
V2.0: 2.1 LOW
CVE-2015-5348

Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

Published: April 15, 2016; 11:59:00 AM -0400
V3.0: 8.1 HIGH
V2.0: 6.8 MEDIUM
CVE-2015-5343

Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow.

Published: April 14, 2016; 10:59:01 AM -0400
V3.0: 7.6 HIGH
V2.0: 8.0 HIGH
CVE-2015-7520

Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted "value" attribute in a <input> element.

Published: April 12, 2016; 1:59:01 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2015-5347

Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title.

Published: April 12, 2016; 1:59:00 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2016-4003

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

Published: April 12, 2016; 12:59:04 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2016-2162

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

Published: April 12, 2016; 12:59:01 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

Published: April 12, 2016; 12:59:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2016-2170

Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

Published: April 12, 2016; 10:59:12 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-2166

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

Published: April 12, 2016; 10:59:11 AM -0400
V3.0: 6.5 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2016-0733

The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid username.

Published: April 12, 2016; 10:59:08 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2015-5167

The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API.

Published: April 12, 2016; 10:59:01 AM -0400
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM