Vulnerabilities (CVE)

Vendor filter

Apache Subscribe

Product filter

Http Server Subscribe

Filter

1179 total CVE
CVE Vendors Products Updated CVSS
CVE-2019-10085 1 Apache 1 Allura 2019-06-19 4.3
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
CVE-2019-0201 2 Apache, Debian 2 Zookeeper, Debian Linux 2019-06-19 4.3
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id...
CVE-2018-11798 1 Apache 1 Thrift 2019-06-19 4.0
The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.
CVE-2017-5645 4 Apache, Netapp, Oracle and 1 more 59 Log4j, Oncommand Api Services, Oncommand Insight and 56 more 2019-06-19 7.5
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CVE-2017-15691 1 Apache 1 Uimaj 2019-06-19 4.0
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE)...
CVE-2019-0197 1 Apache 1 Http Server 2019-06-17 4.9
A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection...
CVE-2019-0196 3 Apache, Canonical, Debian 3 Http Server, Ubuntu Linux, Debian Linux 2019-06-17 5.0
A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the...
CVE-2014-0114 1 Apache 2 Commons Beanutils, Struts 2019-06-15 7.5
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers...
CVE-2017-7675 1 Apache 1 Tomcat 2019-06-12 5.0
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.
CVE-2019-0220 5 Apache, Canonical, Debian and 2 more 5 Http Server, Ubuntu Linux, Debian Linux and 2 more 2019-06-12 5.0
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular...
CVE-2014-3526 1 Apache 1 Wicket 2019-06-12 5.0
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
CVE-2019-0211 5 Apache, Canonical, Debian and 2 more 5 Http Server, Ubuntu Linux, Debian Linux and 2 more 2019-06-11 7.2
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code...
CVE-2018-11784 6 Apache, Netapp, Canonical and 3 more 15 Tomcat, Snap Creator Framework, Ubuntu Linux and 12 more 2019-06-11 4.3
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to...
CVE-2018-11763 5 Apache, Oracle, Canonical and 2 more 9 Http Server, Secure Global Desktop, Ubuntu Linux and 6 more 2019-06-11 4.3
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible...
CVE-2012-5786 1 Apache 1 Cxf 2019-06-11 5.8
** DISPUTED ** The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 2.7.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or...
CVE-2018-17198 1 Apache 1 Roller 2019-06-11 7.5
Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller 5.2.1, 5.2.0 and earlier unsupported versions relies on Java SAX Parser to implement its XML-RPC interface and by default that parser supports external...
CVE-2018-11801 1 Apache 1 Fineract 2019-06-11 7.5
SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table.
CVE-2018-11800 1 Apache 1 Fineract 2019-06-11 7.5
SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table.
CVE-2018-1297 1 Apache 1 Jmeter 2019-06-09 7.5
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
CVE-2018-1287 1 Apache 1 Jmeter 2019-06-09 7.5
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.