Search Results
- Keyword (text search): Apache
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2023-25197 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to exploit this for limited impact on components. This issue affects Apache Fineract: from 1.4 through 1.8.2. Published: March 28, 2023; 8:15:07 AM -0400 | V3.1: 6.3 MEDIUM; V2.0: (not available) |
| CVE-2023-25196 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2. Published: March 28, 2023; 8:15:07 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2023-25195 | Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to the server and may be able to use the server for any outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3. Published: March 28, 2023; 8:15:07 AM -0400 | V3.1: 8.1 HIGH; V2.0: (not available) |
| CVE-2023-27296 | Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong; refer to [1] to learn more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 Published: March 27, 2023; 11:15:08 AM -0400 | V3.1: 8.8 HIGH; V2.0: (not available) |
| CVE-2022-47502 | Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution. Published: March 24, 2023; 12:15:08 PM -0400 | V3.1: 7.8 HIGH; V2.0: (not available) |
| CVE-2022-38745 | Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to running arbitrary Java code from the current directory. Published: March 24, 2023; 12:15:08 PM -0400 | V3.1: 7.8 HIGH; V2.0: (not available) |
| CVE-2023-28708 | When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Published: March 22, 2023; 7:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2023-26513 | Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger. This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2. Published: March 20, 2023; 9:15:11 AM -0400 | V3.1: 7.5 HIGH; V2.0: (not available) |
| CVE-2023-25804 | Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a limited path traversal vulnerability. An SSH key can be saved into an unintended location, for example the `/tmp` folder using a payload `../../../../../tmp/test111_dev`. This issue has been fixed in version 6.3.5.0. Published: March 15, 2023; 2:15:10 PM -0400 | V3.1: 5.3 MEDIUM; V2.0: (not available) |
| CVE-2023-0100 | In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed retrieving a report from the same host using an absolute HTTP path for the report parameter (e.g. `__report=http://xyz.com/report.rptdesign`). If the host indicated in the `__report` parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are put in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched in Eclipse BIRT 4.13. Published: March 15, 2023; 11:15:09 AM -0400 | V3.1: 8.8 HIGH; V2.0: (not available) |
| CVE-2023-25695 | Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.5.2. Published: March 15, 2023; 6:15:09 AM -0400 | V3.1: 5.3 MEDIUM; V2.0: (not available) |
| CVE-2023-23408 | Azure Apache Ambari Spoofing Vulnerability. Published: March 14, 2023; 1:15:14 PM -0400 | V3.1: 4.5 MEDIUM; V2.0: (not available) |
| CVE-2023-25803 | Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a directory traversal vulnerability that allows the inclusion of server-side files. This issue is fixed in version 6.3.5.0. Published: March 13, 2023; 4:15:15 PM -0400 | V3.1: 7.5 HIGH; V2.0: (not available) |
| CVE-2023-25802 | Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue. Published: March 13, 2023; 4:15:14 PM -0400 | V3.1: 7.5 HIGH; V2.0: (not available) |
| CVE-2023-27901 | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts (introduced in version 1.5 for CVE-2023-24998) in `org.kohsuke.stapler.RequestImpl`, allowing attackers to trigger a denial of service. Published: March 10, 2023; 4:15:15 PM -0500 | V3.1: 7.5 HIGH; V2.0: (not available) |
| CVE-2023-27900 | Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts (introduced in version 1.5 for CVE-2023-24998) in `hudson.util.MultipartFormDataParser`, allowing attackers to trigger a denial of service. Published: March 10, 2023; 4:15:15 PM -0500 | V3.1: 7.5 HIGH; V2.0: (not available) |
| CVE-2023-26464 | ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on a JRE older than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (i.e., deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Published: March 10, 2023; 9:15:10 AM -0500 | V3.1: 7.5 HIGH; V2.0: (not available) |
| CVE-2023-23638 | A deserialization vulnerability existed in Dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. Published: March 08, 2023; 6:15:10 AM -0500 | V3.1: 9.8 CRITICAL; V2.0: (not available) |
| CVE-2023-27522 | HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Published: March 07, 2023; 11:15:09 AM -0500 | V3.1: 7.5 HIGH; V2.0: (not available) |
| CVE-2023-25690 | Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: `RewriteEngine on` / `RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]` / `ProxyPassReverse /here/ http://example.com:8080/`. Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server. Published: March 07, 2023; 11:15:09 AM -0500 | V3.1: 9.8 CRITICAL; V2.0: (not available) |