Filtered by vendor Apache
Subscribe
Total
2616 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-30129 | 2 Apache, Oracle | 9 Sshd, Banking Payments, Banking Trade Finance and 6 more | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0 | |||||
| CVE-2021-27906 | 3 Apache, Fedoraproject, Oracle | 19 Pdfbox, Fedora, Banking Corporate Lending Process Management and 16 more | 2023-11-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. | |||||
| CVE-2021-28125 | 1 Apache | 1 Superset | 2023-11-07 | 5.8 MEDIUM | 6.1 MEDIUM |
| Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link. | |||||
| CVE-2021-30128 | 1 Apache | 1 Ofbiz | 2023-11-07 | 10.0 HIGH | 9.8 CRITICAL |
| Apache OFBiz has unsafe deserialization prior to 17.12.07 version | |||||
| CVE-2021-23937 | 1 Apache | 1 Wicket | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions. | |||||
| CVE-2021-23926 | 4 Apache, Debian, Netapp and 1 more | 7 Xmlbeans, Debian Linux, Oncommand Unified Manager Core Package and 4 more | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0. | |||||
| CVE-2021-26690 | 4 Apache, Debian, Fedoraproject and 1 more | 6 Http Server, Debian Linux, Fedora and 3 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service | |||||
| CVE-2021-27644 | 1 Apache | 1 Dolphinscheduler | 2023-11-07 | 6.0 MEDIUM | 8.8 HIGH |
| In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password) | |||||
| CVE-2021-26691 | 5 Apache, Debian, Fedoraproject and 2 more | 8 Http Server, Debian Linux, Fedora and 5 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow | |||||
| CVE-2021-25122 | 3 Apache, Debian, Oracle | 12 Tomcat, Debian Linux, Agile Plm and 9 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. | |||||
| CVE-2021-25640 | 1 Apache | 1 Dubbo | 2023-11-07 | 5.8 MEDIUM | 6.1 MEDIUM |
| In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability. | |||||
| CVE-2021-26697 | 1 Apache | 1 Airflow | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0. | |||||
| CVE-2021-26559 | 1 Apache | 1 Airflow | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0. | |||||
| CVE-2021-26118 | 2 Apache, Netapp | 2 Activemq Artemis, Oncommand Workflow Automation | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error. | |||||
| CVE-2021-23901 | 2 Apache, Netapp | 2 Nutch, Snap Creator Framework | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18. | |||||
| CVE-2021-26920 | 1 Apache | 1 Druid | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. | |||||
| CVE-2021-26919 | 1 Apache | 1 Druid | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2 | |||||
| CVE-2021-26291 | 3 Apache, Oracle, Quarkus | 4 Maven, Financial Services Analytical Applications Infrastructure, Goldengate Big Data And Application Adapters and 1 more | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html | |||||
| CVE-2021-25329 | 3 Apache, Debian, Oracle | 12 Tomcat, Debian Linux, Agile Plm and 9 more | 2023-11-07 | 4.4 MEDIUM | 7.0 HIGH |
| The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. | |||||
| CVE-2021-26295 | 1 Apache | 1 Ofbiz | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. | |||||