Search Results (Refine Search)
- Keyword (text search): Apache
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2012-0394 |
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself. Published: January 08, 2012; 10:55:01 AM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2012-0393 |
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. Published: January 08, 2012; 10:55:01 AM -0500 |
V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2012-0392 |
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. Published: January 08, 2012; 10:55:01 AM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2012-0391 |
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. Published: January 08, 2012; 10:55:01 AM -0500 |
V3.x:(not available) V2.0: 9.3 HIGH |
CVE-2011-4858 |
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Published: January 05, 2012; 2:55:01 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2011-4905 |
Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests. Published: January 05, 2012; 11:55:00 AM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2011-5034 |
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461. Published: December 29, 2011; 8:55:01 PM -0500 |
V3.x:(not available) V2.0: 7.8 HIGH |
CVE-2007-6750 |
The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15. Published: December 27, 2011; 1:55:00 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2011-4668 |
IBM Tivoli Netcool/Reporter 2.2 before 2.2.0.8 allows remote attackers to execute arbitrary code via vectors related to an unspecified CGI program used with the Apache HTTP Server. Published: December 02, 2011; 6:55:05 AM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2011-4317 |
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368. Published: November 29, 2011; 11:05:58 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-3639 |
The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x before 2.2.18, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers by using the HTTP/0.9 protocol with a malformed URI containing an initial @ (at sign) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368. Published: November 29, 2011; 11:05:58 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-3376 |
org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality. Published: November 11, 2011; 4:55:01 PM -0500 |
V3.x:(not available) V2.0: 4.4 MEDIUM |
CVE-2011-4415 |
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607. Published: November 08, 2011; 6:55:05 AM -0500 |
V3.x:(not available) V2.0: 1.2 LOW |
CVE-2011-3607 |
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. Published: November 08, 2011; 6:55:05 AM -0500 |
V3.x:(not available) V2.0: 4.4 MEDIUM |
CVE-2011-3368 |
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. Published: October 05, 2011; 6:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2000-1247 |
The default configuration of the jserv-status handler in jserv.conf in Apache JServ 1.1.2 includes an "allow from 127.0.0.1" line, which allows local users to discover JDBC passwords or other sensitive information via a direct request to the jserv/ URI. Published: October 04, 2011; 10:56:24 PM -0400 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2011-3348 |
The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request. Published: September 20, 2011; 1:55:02 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2011-3190 |
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. Published: August 31, 2011; 7:55:03 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2011-3192 |
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. Published: August 29, 2011; 11:55:02 AM -0400 |
V3.x:(not available) V2.0: 7.8 HIGH |
CVE-2011-2712 |
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. Published: August 29, 2011; 11:55:01 AM -0400 |
V3.x:(not available) V2.0: 2.6 LOW |