CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apache : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-8581 20 Exec Code 2015-12-16 2015-12-17
7.5
None Remote Low Not required Partial Partial Partial
The EjbObjectInputStream class in Apache TomEE allows remote attackers to execute arbitrary commands via a serialized Java stream.
2 CVE-2015-8320 2015-11-23 2015-11-23
5.0
None Remote Low Not required Partial None None
Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value.
3 CVE-2015-7430 264 2016-01-02 2016-01-07
4.6
None Local Low Not required Partial Partial Partial
The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System (GPFS) allows local users to read or write to arbitrary GPFS data via unspecified vectors.
4 CVE-2015-6524 255 2015-08-24 2015-08-25
5.0
None Remote Low Not required Partial None None
The LDAPLoginModule implementation the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.
5 CVE-2015-6420 Exec Code 2015-12-15 2015-12-15
7.5
None Remote Low Not required Partial Partial Partial
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
6 CVE-2015-5262 399 DoS 2015-10-27 2015-10-28
4.3
None Remote Medium Not required None None Partial
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
7 CVE-2015-5259 119 Exec Code Overflow 2016-01-08 2016-01-11
9.0
None Remote Low Not required Partial Partial Complete
Integer overflow in the read_string function in libsvn_ra_svn/marshal.c in Apache Subversion 1.9.x before 1.9.3 allows remote attackers to execute arbitrary code via an svn:// protocol string, which triggers a heap-based buffer overflow and an out-of-bounds read.
8 CVE-2015-5256 264 Bypass 2015-11-23 2015-11-23
4.3
None Remote Medium Not required None Partial None
Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI.
9 CVE-2015-5254 20 Exec Code 2016-01-08 2016-01-11
7.5
None Remote Low Not required Partial Partial Partial
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
10 CVE-2015-5253 264 Bypass 2015-11-18 2015-11-19
4.0
None Remote Low Single system None Partial None
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
11 CVE-2015-5214 119 DoS Exec Code Overflow Mem. Corr. 2015-11-10 2015-11-12
6.8
None Remote Medium Not required Partial Partial Partial
LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via an index to a non-existent bookmark in a DOC file.
12 CVE-2015-5213 189 DoS Exec Code Overflow Mem. Corr. 2015-11-10 2015-11-12
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a long DOC file, which triggers a buffer overflow.
13 CVE-2015-5212 189 DoS Exec Code Mem. Corr. 2015-11-10 2015-11-12
6.8
None Remote Medium Not required Partial Partial Partial
Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load printer settings with the document" is enabled, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via crafted PrinterSetup data in an ODF document.
14 CVE-2015-5210 2015-11-02 2015-11-03
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter.
15 CVE-2015-5204 2015-12-17 2015-12-18
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the Apache Cordova File Transfer Plugin (cordova-plugin-file-transfer) for Android before 1.3.0 allows remote attackers to inject arbitrary headers via CRLF sequences in the filename of an uploaded file.
16 CVE-2015-4940 200 +Info 2015-11-08 2015-11-09
2.1
None Local Low Not required Partial None None
Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, stores a cleartext BigSheets password in a configuration file, which allows local users to obtain sensitive information by reading this file.
17 CVE-2015-4928 200 +Info 2015-11-08 2015-11-09
4.3
None Remote Medium Not required Partial None None
Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, includes cleartext passwords on a Configs screen, which allows physically proximate attackers to obtain sensitive information by reading password fields.
18 CVE-2015-4551 200 +Info 2015-11-10 2015-11-12
4.3
None Remote Medium Not required Partial None None
LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 uses the stored LinkUpdateMode configuration information in OpenDocument Format files and templates when handling links, which might allow remote attackers to obtain sensitive information via a crafted document, which embeds data from local files into (1) Calc or (2) Writer.
19 CVE-2015-3270 264 +Priv 2015-11-02 2015-11-03
6.5
None Remote Low Single system Partial Partial Partial
Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords.
20 CVE-2015-3253 74 DoS Exec Code 2015-08-13 2015-10-29
7.5
None Remote Low Not required Partial Partial Partial
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
21 CVE-2015-3187 200 +Info 2015-08-12 2015-08-25
4.0
None Remote Low Single system Partial None None
The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.
22 CVE-2015-3186 79 XSS 2015-11-02 2015-11-03
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration change.
23 CVE-2015-3185 264 Bypass 2015-07-20 2015-09-18
4.3
None Remote Medium Not required None Partial None
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
24 CVE-2015-3184 200 +Info 2015-08-12 2015-08-25
5.0
None Remote Low Not required Partial None None
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.
25 CVE-2015-3183 20 2015-07-20 2016-01-21
5.0
None Remote Low Not required None Partial None
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
26 CVE-2015-2944 79 XSS 2015-06-02 2015-06-03
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
27 CVE-2015-2091 310 2015-03-13 2015-03-13
5.0
None Remote Low Not required None Partial None
The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate.
28 CVE-2015-1836 284 DoS +Info 2015-12-21 2015-12-22
7.5
None Remote Low Not required Partial Partial Partial
Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic.
29 CVE-2015-1833 20 2015-05-29 2015-06-01
6.4
None Remote Low Not required Partial Partial None
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
30 CVE-2015-1831 2015-07-16 2015-07-21
7.5
None Remote Low Not required Partial Partial Partial
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.
31 CVE-2015-1830 22 Dir. Trav. 2015-08-19 2015-09-10
5.0
None Remote Low Not required None Partial None
Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.
32 CVE-2015-1775 2015-11-02 2015-11-03
5.5
None Remote Low Single system Partial Partial None
Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured services via a crafted REST call.
33 CVE-2015-1774 119 DoS Exec Code Overflow 2015-04-28 2015-08-25
6.8
None Remote Medium Not required Partial Partial Partial
The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.
34 CVE-2015-1773 79 XSS 2015-04-07 2015-10-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to JavaScript code generated by the asdoc component.
35 CVE-2015-1772 287 Bypass 2015-12-21 2015-12-22
4.3
None Remote Medium Not required None Partial None
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.
36 CVE-2015-0264 2015-06-03 2015-11-19
5.0
None Remote Low Not required Partial None None
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query.
37 CVE-2015-0263 2015-06-03 2015-08-25
5.0
None Remote Low Not required Partial None None
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
38 CVE-2015-0254 Exec Code 2015-03-09 2015-04-02
7.5
None Remote Low Not required Partial Partial Partial
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
39 CVE-2015-0253 DoS 2015-07-20 2015-09-18
5.0
None Remote Low Not required None None Partial
The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI.
40 CVE-2015-0252 20 DoS 2015-03-24 2015-05-11
5.0
None Remote Low Not required None None Partial
internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data.
41 CVE-2015-0251 345 2015-04-08 2015-09-18
4.0
None Remote Low Single system None Partial None
The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences.
42 CVE-2015-0250 DoS 2015-03-24 2016-02-04
6.4
None Remote Low Not required Partial None Partial
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
43 CVE-2015-0248 399 DoS 2015-04-08 2015-09-18
5.0
None Remote Low Not required None None Partial
The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers.
44 CVE-2015-0228 20 DoS 2015-03-07 2015-09-18
5.0
None Remote Low Not required None None Partial
The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.
45 CVE-2015-0227 264 Bypass 2015-02-12 2015-07-09
5.0
None Remote Low Not required None Partial None
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."
46 CVE-2015-0225 77 Exec Code 2015-04-03 2015-04-09
7.5
None Remote Low Not required Partial Partial Partial
The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.
47 CVE-2015-0223 264 Bypass 2015-02-02 2015-02-04
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling.
48 CVE-2015-0202 399 DoS 2015-04-08 2015-09-02
7.8
None Remote Low Not required None None Complete
The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes.
49 CVE-2014-10022 119 DoS Overflow 2015-01-13 2015-01-13
5.0
None Remote Low Not required None None Partial
Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing.
50 CVE-2014-9593 200 +Info 2015-01-15 2015-01-16
5.0
None Remote Low Not required Partial None None
Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call.
Total number of vulnerabilities : 640   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.