Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0. Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.
Source: Apache Software Foundation
Max CVSS
2.9
EPSS Score
0.04%
Published
2024-02-26
Updated
2024-02-26
Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, stores a cleartext BigSheets password in a configuration file, which allows local users to obtain sensitive information by reading this file.
Source: IBM Corporation
Max CVSS
2.1
EPSS Score
0.04%
Published
2015-11-08
Updated
2016-12-07
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3).
Source: MITRE
Max CVSS
2.4
EPSS Score
0.04%
Published
2014-07-28
Updated
2016-10-18
Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
Source: Red Hat, Inc.
Max CVSS
2.1
EPSS Score
0.05%
Published
2014-01-07
Updated
2018-10-09
The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request.
Source: Red Hat, Inc.
Max CVSS
2.8
EPSS Score
0.22%
Published
2014-01-15
Updated
2014-09-04
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.28%
Published
2013-12-07
Updated
2013-12-20
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-2013-7393.
Source: Red Hat, Inc.
Max CVSS
2.4
EPSS Score
0.04%
Published
2014-07-28
Updated
2016-10-18
java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.20%
Published
2013-06-01
Updated
2017-05-23
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory.
Source: Red Hat, Inc.
Max CVSS
2.1
EPSS Score
0.31%
Published
2013-05-02
Updated
2018-10-30
Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information."
Source: Red Hat, Inc.
Max CVSS
2.1
EPSS Score
0.04%
Published
2014-02-15
Updated
2024-05-17
org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
70.48%
Published
2012-12-19
Updated
2017-09-19
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.68%
Published
2012-08-22
Updated
2021-06-06
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
92.39%
Published
2012-01-28
Updated
2021-06-06
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.40%
Published
2011-08-29
Updated
2018-10-09
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.43%
Published
2011-05-13
Updated
2012-01-19
Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
15.39%
Published
2010-04-23
Updated
2023-02-13
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
Source: Red Hat, Inc.
Max CVSS
2.1
EPSS Score
0.15%
Published
2010-08-16
Updated
2011-01-26
The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.
Source: MITRE
Max CVSS
2.6
EPSS Score
0.15%
Published
2009-09-08
Updated
2022-09-19
Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attackers to inject arbitrary web script or HTML via the URI.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.97%
Published
2009-04-07
Updated
2023-02-13
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.17%
Published
2009-04-09
Updated
2023-02-13
The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.11%
Published
2009-02-26
Updated
2023-02-13
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Source: MITRE
Max CVSS
2.1
EPSS Score
0.04%
Published
2008-02-12
Updated
2008-09-05
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
Source: MITRE
Max CVSS
2.6
EPSS Score
0.68%
Published
2008-01-25
Updated
2022-09-21
The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
0.27%
Published
2007-05-10
Updated
2023-02-13
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Source: Red Hat, Inc.
Max CVSS
2.6
EPSS Score
71.84%
Published
2007-05-10
Updated
2019-03-25
32 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!