apache

apache/activemq Vulnerability Summary Vendor name: apache Product name: activemq Total vulnerabilities: 40 (as 2023-05-04) apache/activemq Vulnerability List CVE-2022-23913: In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt… Published: 2022-02-04T23:15:00 Last Modified: 2022-02-10T13:28:00 Summary In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. Common Weakness Enumeration (CWE): CWE-400: Uncontrolled Resource Consumption CWE Description: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

apache/apr-util Vulnerability Summary Vendor name: apache Product name: apr-util Total vulnerabilities: 6 (as 2023-05-04) apache/apr-util Vulnerability List CVE-2011-1928: The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3… Published: 2011-05-24T23:55:00 Last Modified: 2018-01-06T02:29:00 Summary The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.

apache/apr Vulnerability Summary Vendor name: apache Product name: apr Total vulnerabilities: 7 (as 2023-05-04) apache/apr Vulnerability List CVE-2011-1928: The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3… Published: 2011-05-24T23:55:00 Last Modified: 2018-01-06T02:29:00 Summary The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.

apache/groovy Vulnerability Summary Vendor name: apache Product name: groovy Total vulnerabilities: 4 (as 2023-05-04) apache/groovy Vulnerability List CVE-2020-17521: Apache Groovy provides extension methods to aid with creating temporary directories. Prior to… Published: 2020-12-07T20:15:00 Last Modified: 2022-02-07T16:15:00 Summary Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy’s implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts.

apache/hadoop Vulnerability Summary Vendor name: apache Product name: hadoop Total vulnerabilities: 29 (as 2023-05-04) apache/hadoop Vulnerability List CVE-2020-9492: In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client… Published: 2021-01-26T18:16:00 Last Modified: 2021-11-30T22:21:00 Summary In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. Common Weakness Enumeration (CWE): CWE-863: Incorrect Authorization CWE Description: The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

apache/harmony Vulnerability Summary Vendor name: apache Product name: harmony Total vulnerabilities: 1 (as 2023-05-04) apache/harmony Vulnerability List CVE-2013-7372: The engineNextBytes function in… Published: 2014-04-29T20:55:00 Last Modified: 2014-04-30T14:23:00 Summary The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.

apache/hbase Vulnerability Summary Vendor name: apache Product name: hbase Total vulnerabilities: 5 (as 2023-05-04) apache/hbase Vulnerability List CVE-2019-15544: An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all… Published: 2019-08-26T18:15:00 Last Modified: 2021-09-14T12:25:00 Summary An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls. Common Weakness Enumeration (CWE): CWE-770: Allocation of Resources Without Limits or Throttling CWE Description: The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

apache/hive Vulnerability Summary Vendor name: apache Product name: hive Total vulnerabilities: 14 (as 2023-05-04) apache/hive Vulnerability List CVE-2020-1926: Apache Hive cookie signature verification used a non constant time comparison which is known to… Published: 2021-03-16T13:15:00 Last Modified: 2021-03-22T20:21:00 Summary Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.

apache/http_server Vulnerability Summary Vendor name: apache Product name: http_server Total vulnerabilities: 249 (as 2023-05-04) apache/http_server Vulnerability List CVE-2021-44224: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash… Published: 2021-12-20T12:15:00 Last Modified: 2022-02-07T16:16:00 Summary A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

apache/log4j Vulnerability Summary Vendor name: apache Product name: log4j Total vulnerabilities: 11 (as 2023-05-04) apache/log4j Vulnerability List CVE-2022-23302: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the… Published: 2022-01-18T16:15:00 Last Modified: 2022-01-27T16:21:00 Summary JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.

apache/log4net Vulnerability Summary Vendor name: apache Product name: log4net Total vulnerabilities: 2 (as 2023-05-04) apache/log4net Vulnerability List CVE-2018-1285: Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net… Published: 2020-05-11T17:15:00 Last Modified: 2021-09-21T17:10:00 Summary Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. Common Weakness Enumeration (CWE): CWE-611: Improper Restriction of XML External Entity Reference CWE Description: The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

apache/lucene Vulnerability Summary Vendor name: apache Product name: lucene Total vulnerabilities: 0 (as 2023-05-04) apache/lucene Vulnerability List

apache/maven Vulnerability Summary Vendor name: apache Product name: maven Total vulnerabilities: 2 (as 2023-05-04) apache/maven Vulnerability List CVE-2021-26291: Apache Maven will follow repositories that are defined in a dependency’s Project Object Model… Published: 2021-04-23T15:15:00 Last Modified: 2021-10-20T14:35:00 Summary Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.

apache/mod_fcgid Vulnerability Summary Vendor name: apache Product name: mod_fcgid Total vulnerabilities: 4 (as 2023-05-04) apache/mod_fcgid Vulnerability List CVE-2016-1000104: A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07. Published: 2019-12-03T22:15:00 Last Modified: 2020-02-03T18:15:00 Summary A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07. Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

apache/mod_imap Vulnerability Summary Vendor name: apache Product name: mod_imap Total vulnerabilities: 1 (as 2023-05-04) apache/mod_imap Vulnerability List CVE-2005-3352: Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev… Published: 2005-12-13T20:03:00 Last Modified: 2021-06-06T11:15:00 Summary Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

apache/mod_jk Vulnerability Summary Vendor name: apache Product name: mod_jk Total vulnerabilities: 2 (as 2023-05-04) apache/mod_jk Vulnerability List CVE-2008-5519: The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to… Published: 2009-04-09T15:08:00 Last Modified: 2019-04-15T16:29:00 Summary The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol’s requirements for requests containing Content-Length headers.

apache/mod_perl Vulnerability Summary Vendor name: apache Product name: mod_perl Total vulnerabilities: 3 (as 2023-05-04) apache/mod_perl Vulnerability List CVE-2011-2767: mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a… Published: 2018-08-26T16:29:00 Last Modified: 2019-09-24T18:15:00 Summary mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator’s control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.

apache/mod_python Vulnerability Summary Vendor name: apache Product name: mod_python Total vulnerabilities: 6 (as 2023-05-04) apache/mod_python Vulnerability List CVE-2006-1095: Directory traversal vulnerability in the FileSession object in Mod_python module 3.2.7 for Apache… Published: 2006-03-09T13:06:00 Last Modified: 2017-07-20T01:30:00 Summary Directory traversal vulnerability in the FileSession object in Mod_python module 3.2.7 for Apache allows local users to execute arbitrary code via a crafted session cookie. Common Weakness Enumeration (CWE): CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CWE Description: The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

apache/rocketmq Vulnerability Summary Vendor name: apache Product name: rocketmq Total vulnerabilities: 1 (as 2023-05-04) apache/rocketmq Vulnerability List CVE-2019-17572: In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on… Published: 2020-05-14T17:15:00 Last Modified: 2020-05-15T18:17:00 Summary In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability.

apache/sentry Vulnerability Summary Vendor name: apache Product name: sentry Total vulnerabilities: 2 (as 2023-05-04) apache/sentry Vulnerability List CVE-2018-8028: An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by… Published: 2018-08-23T15:29:00 Last Modified: 2019-10-03T00:03:00 Summary An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry before 2.0.1. This can allow an attacker unauthorized access to the partitioned data of a Sentry protected table and can allow an attacker to remove data from a Sentry protected table.

apache/tomcat Vulnerability Summary Vendor name: apache Product name: tomcat Total vulnerabilities: 201 (as 2023-05-04) apache/tomcat Vulnerability List CVE-2022-23181: The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache… Published: 2022-01-27T13:15:00 Last Modified: 2022-02-02T17:04:00 Summary The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using.

apache/xerces-c Vulnerability Summary Vendor name: apache Product name: xerces-c Total vulnerabilities: 10 (as 2023-05-04) apache/xerces-c Vulnerability List CVE-2018-1311: The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during… Published: 2019-12-18T20:15:00 Last Modified: 2022-02-07T16:15:00 Summary The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing.

apache/zookeeper Vulnerability Summary Vendor name: apache Product name: zookeeper Total vulnerabilities: 9 (as 2023-05-04) apache/zookeeper Vulnerability List CVE-2021-34429: For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted… Published: 2021-07-15T17:15:00 Last Modified: 2022-02-07T16:16:00 Summary For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

The latest CVE Vulnerability list for popular products of apache apache/http_server apache/hadoop apache/harmony apache/groovy apache/activemq apache/apr apache/apr-util apache/maven apache/log4j apache/log4net apache/lucene apache/mod_fcgid apache/mod_imap apache/mod_jk apache/mod_perl apache/mod_python apache/rocketmq apache/sentry apache/tomcat apache/xerces-c apache/zookeeper apache/hbase apache/hive See also: All the last popular products CVE vulnerabilities