Search Results (Refine Search)
- Keyword (text search): Apache
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-28708 |
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Published: March 22, 2023; 7:15:10 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-26513 |
Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2. Published: March 20, 2023; 9:15:11 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-25804 |
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a limited path traversal vulnerability. An SSH key can be saved into an unintended location, for example the `/tmp` folder using a payload `../../../../../tmp/test111_dev`. This issue has been fixed in version 6.3.5.0. Published: March 15, 2023; 2:15:10 PM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-0100 |
In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are put in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched on Eclipse BIRT 4.13. Published: March 15, 2023; 11:15:09 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-25695 |
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. Published: March 15, 2023; 6:15:09 AM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-23408 |
Azure Apache Ambari Spoofing Vulnerability Published: March 14, 2023; 1:15:14 PM -0400 |
V3.1: 4.5 MEDIUM V2.0:(not available) |
CVE-2023-25803 |
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a directory traversal vulnerability that allows the inclusion of server-side files. This issue is fixed in version 6.3.5.0. Published: March 13, 2023; 4:15:15 PM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-25802 |
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue. Published: March 13, 2023; 4:15:14 PM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-27901 |
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service. Published: March 10, 2023; 4:15:15 PM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-27900 |
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service. Published: March 10, 2023; 4:15:15 PM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-26464 |
** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Published: March 10, 2023; 9:15:10 AM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-23638 |
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. Published: March 08, 2023; 6:15:10 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-27522 |
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Published: March 07, 2023; 11:15:09 AM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-25690 |
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server. Published: March 07, 2023; 11:15:09 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-25956 |
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1. Published: February 24, 2023; 7:15:30 AM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-25696 |
Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3. Published: February 24, 2023; 7:15:30 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-25693 |
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. Published: February 24, 2023; 7:15:30 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-25692 |
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0. Published: February 24, 2023; 7:15:30 AM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-25691 |
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0. Published: February 24, 2023; 7:15:30 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-25824 |
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions from 0.9.0 to 0.12.0 (including) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, it would also produce an excessive amount of log output during the loop, consuming disk space. The problem has been fixed in commit d7eec4e598158ab6a98bf505354e84352f9715ec, please update to version 0.12.1. There are no workarounds, users who cannot update should apply the errno fix detailed in the security advisory. Published: February 23, 2023; 5:15:11 PM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |