Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods.
Max CVSS
7.5
EPSS Score
0.14%
Published
2016-05-09
Updated
2018-10-09
The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.
Max CVSS
8.3
EPSS Score
0.38%
Published
2016-01-29
Updated
2018-10-09
The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration.
Max CVSS
4.9
EPSS Score
0.08%
Published
2016-05-18
Updated
2016-05-18
The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid username.
Max CVSS
9.8
EPSS Score
0.32%
Published
2016-04-12
Updated
2016-04-19
Multiple incomplete blacklist vulnerabilities in Apache Sentry before 1.7.0 allow remote authenticated users to execute arbitrary code via the (1) reflect, (2) reflect2, or (3) java_method Hive builtin functions.
Max CVSS
8.8
EPSS Score
0.25%
Published
2016-08-19
Updated
2016-08-22
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
Max CVSS
6.8
EPSS Score
0.13%
Published
2016-05-05
Updated
2020-10-20
Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass authentication and access the user interface via vectors related to the SAML plugin.
Max CVSS
6.5
EPSS Score
0.06%
Published
2016-06-10
Updated
2018-10-09
PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.
Max CVSS
5.9
EPSS Score
1.37%
Published
2016-06-01
Updated
2023-05-22
The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.
Max CVSS
9.1
EPSS Score
0.23%
Published
2016-06-01
Updated
2022-12-07

CVE-2016-4437

Known exploited
Public exploit
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Max CVSS
8.1
EPSS Score
97.48%
Published
2016-06-07
Updated
2018-10-09
CISA KEV Added
2021-11-03
The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.
Max CVSS
9.8
EPSS Score
2.03%
Published
2016-09-21
Updated
2021-06-16
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
Max CVSS
7.5
EPSS Score
0.21%
Published
2016-07-06
Updated
2021-06-06
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Max CVSS
8.1
EPSS Score
94.82%
Published
2016-07-19
Updated
2023-02-12
In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.
Max CVSS
8.8
EPSS Score
0.09%
Published
2016-11-29
Updated
2016-12-01
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
Max CVSS
7.5
EPSS Score
0.30%
Published
2016-09-20
Updated
2018-10-09
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Max CVSS
9.8
EPSS Score
5.87%
Published
2016-10-25
Updated
2022-07-25
16 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!