Vulnerabilities (CVE)

Vendor filter

Apache Subscribe


1086 total CVE
CVE Vendors Products Updated CVSS
CVE-2018-8039 2 Apache, Redhat 2 Cxf, Jboss Enterprise Application Platform 2018-12-12 6.8
It is possible to configure Apache CXF to use the implementation via 'System.setProperty("java.protocol.handler.pkgs", "");'. When this system property is set, CXF uses some reflection to try...
CVE-2018-11804 1 Apache 1 Spark 2018-12-11 5.0
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept...
CVE-2017-15705 4 Apache, Canonical, Debian and 1 more 7 Spamassassin, Ubuntu Linux, Debian Linux and 4 more 2018-12-07 5.0
A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache...
CVE-2012-0838 1 Apache 1 Struts 2018-12-07 10.0
Apache Struts 2 before evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
CVE-2018-11787 1 Apache 1 Karaf 2018-12-06 6.8
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives...
CVE-2018-11781 4 Apache, Canonical, Debian and 1 more 7 Spamassassin, Ubuntu Linux, Debian Linux and 4 more 2018-12-06 4.6
Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.
CVE-2018-11780 4 Apache, Pdfinfo Project, Canonical and 1 more 4 Spamassassin, Pdfinfo, Ubuntu Linux and 1 more 2018-12-06 7.5
A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
CVE-2018-8041 1 Apache 1 Camel 2018-12-05 5.0
Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
CVE-2018-8018 1 Apache 1 Ignite 2018-12-05 7.5
In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are...
CVE-2018-8014 2 Apache, Canonical 2 Tomcat, Ubuntu Linux 2018-12-05 7.5
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS...
CVE-2018-1336 4 Apache, Redhat, Canonical and 1 more 5 Tomcat, Jboss Enterprise Application Platform, Jboss Enterprise Web Server and 2 more 2018-12-05 5.0
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51,...
CVE-2018-1288 1 Apache 1 Kafka 2018-12-05 5.5
In Apache Kafka to, to, to, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
CVE-2016-5003 1 Apache 1 Ws-xmlrpc 2018-12-05 7.5
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
CVE-2016-5002 1 Apache 1 Xml-rpc 2018-12-05 9.3
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
CVE-2012-3451 1 Apache 1 Cxf 2018-12-04 4.3
Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body.
CVE-2011-3192 1 Apache 1 Http Server 2018-11-30 7.8
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges,...
CVE-2018-8006 1 Apache 1 Activemq 2018-11-30 4.3
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of...
CVE-2006-0042 3 Libapreq2, Apache, Debian 3 Libapreq2, Libapreq2, Debian Linux 2018-11-29 5.0
Unspecified vulnerability in (1) apreq_parse_headers and (2) apreq_parse_urlencoded functions in Apache2::Request (Libapreq2) before 2.07 allows remote attackers to cause a denial of service (CPU consumption) via unknown attack vectors that...
CVE-2016-5019 1 Apache 1 Myfaces 2018-11-28 7.5
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
CVE-2012-0393 1 Apache 1 Struts 2018-11-28 6.4
The ParameterInterceptor component in Apache Struts before does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.