National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Apache
There are 1,666 matching records.
Displaying matches 41 through 60.
Vuln ID Summary CVSS Severity
CVE-2019-9514

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Published: August 13, 2019; 05:15:12 PM -04:00
V3.0: 7.5 HIGH
    V2: 7.8 HIGH
CVE-2019-9512

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Published: August 13, 2019; 05:15:12 PM -04:00
V3.0: 7.5 HIGH
    V2: 7.8 HIGH
CVE-2019-12397

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.

Published: August 08, 2019; 02:15:10 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-10099

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Published: August 07, 2019; 01:15:12 PM -04:00
V3.0: 7.5 HIGH
    V2: 4.3 MEDIUM
CVE-2016-10796

cPanel before 58.0.4 initially uses weak permissions for Apache HTTP Server log files (SEC-130).

Published: August 06, 2019; 10:15:11 AM -04:00
V3.0: 3.3 LOW
    V2: 2.1 LOW
CVE-2016-10786

cPanel before 60.0.25 allows members of the nobody group to read Apache HTTP Server SSL keys (SEC-186).

Published: August 06, 2019; 09:15:11 AM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2019-10094

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.

Published: August 02, 2019; 03:15:11 PM -04:00
V3.0: 7.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-10093

In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.

Published: August 02, 2019; 03:15:11 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-10088

A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.

Published: August 02, 2019; 03:15:11 PM -04:00
V3.0: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2017-18429

In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291).

Published: August 02, 2019; 12:15:12 PM -04:00
V3.1: 3.3 LOW
    V2: 2.1 LOW
CVE-2017-18428

In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily world-readable during log processing (SEC-290).

Published: August 02, 2019; 12:15:12 PM -04:00
V3.0: 2.5 LOW
    V2: 1.9 LOW
CVE-2017-18424

In cPanel before 66.0.2, the Apache HTTP Server configuration file is changed to world-readable when rebuilt (SEC-274).

Published: August 02, 2019; 12:15:12 PM -04:00
V3.0: 3.3 LOW
    V2: 2.1 LOW
CVE-2017-18422

In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog ownership and permissions (SEC-272).

Published: August 02, 2019; 12:15:12 PM -04:00
V3.0: 3.3 LOW
    V2: 2.1 LOW
CVE-2017-18412

cPanel before 67.9999.103 allows Apache HTTP Server log files to become world-readable because of mishandling on an account rename (SEC-296).

Published: August 02, 2019; 10:15:13 AM -04:00
V3.0: 2.5 LOW
    V2: 1.9 LOW
CVE-2018-20952

cPanel before 68.0.27 creates world-readable files during use of WHM Apache Includes Editor (SEC-388).

Published: August 01, 2019; 01:15:13 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-20949

cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).

Published: August 01, 2019; 01:15:13 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-20932

cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406).

Published: August 01, 2019; 12:15:13 PM -04:00
V3.0: 2.7 LOW
    V2: 4.0 MEDIUM
CVE-2019-0193

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

Published: August 01, 2019; 10:15:13 AM -04:00
V3.0: 7.2 HIGH
    V2: 9.0 HIGH
CVE-2015-7559

It was found that the Apache ActiveMQ client before 5.15.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.

Published: August 01, 2019; 10:15:10 AM -04:00
V3.0: 4.9 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-20885

cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416).

Published: August 01, 2019; 09:15:13 AM -04:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM