National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Apache
There are 1,635 matching records.
Displaying matches 81 through 100.
Vuln ID Summary CVSS Severity
CVE-2018-17202

Certain input files could make the code to enter into an infinite loop when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging.

Published: May 06, 2019; 02:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2018-17201

Certain input files could make the code hang when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging.

Published: May 06, 2019; 02:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-0227

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.

Published: May 01, 2019; 05:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.4 MEDIUM
CVE-2018-8035

This vulnerability relates to the user's browser processing of DUCC webpage input data.The javascript comprising Apache UIMA DUCC (<= 2.2.2) which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.

Published: May 01, 2019; 05:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-0214

In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Published: April 30, 2019; 06:29:01 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 5.5 MEDIUM
CVE-2019-0213

In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

Published: April 30, 2019; 06:29:00 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 5.5 MEDIUM
CVE-2019-0194

Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.

Published: April 30, 2019; 06:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-0186

The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: * Uninstall the ChatRoomDemo war file - or - * migrate to version 3.1.0 of the chat-room-demo war file

Published: April 26, 2019; 12:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-0223

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Published: April 23, 2019; 12:29:00 PM -04:00
V3.0: 7.4 HIGH
    V2: 4.0 MEDIUM
CVE-2018-1328

Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph".

Published: April 23, 2019; 11:29:00 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-1317

In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.

Published: April 23, 2019; 11:29:00 AM -04:00
V3.0: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2017-12619

Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone".

Published: April 23, 2019; 11:29:00 AM -04:00
V3.0: 8.1 HIGH
    V2: 5.8 MEDIUM
CVE-2019-0218

A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.

Published: April 22, 2019; 06:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-10247

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Published: April 22, 2019; 04:29:00 PM -04:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2019-10241

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Published: April 22, 2019; 04:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-11358

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Published: April 19, 2019; 08:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-0228

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Published: April 17, 2019; 11:29:00 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-0232

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Published: April 15, 2019; 11:29:00 AM -04:00
V3.0: 8.1 HIGH
    V2: 9.3 HIGH
CVE-2019-0229

A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.

Published: April 10, 2019; 04:29:01 PM -04:00
V3.0: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-0216

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.

Published: April 10, 2019; 04:29:01 PM -04:00
V3.0: 4.8 MEDIUM
    V2: 3.5 LOW