Filtered by vendor Apache
Subscriptions
Total
2701 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-5206 | 1 Apache | 1 Traffic Server | 2025-04-20 | N/A |
| Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5168. | ||||
| CVE-2017-9792 | 1 Apache | 1 Impala | 2025-04-20 | N/A |
| In Apache Impala (incubating) before 2.10.0, a malicious user with "ALTER" permissions on an Impala table can access any other Kudu table data by altering the table properties to make it "external" and then changing the underlying table mapping to point to other Kudu tables. This violates and works around the authorization requirement that creating a Kudu external table via Impala requires an "ALL" privilege at the server scope. This privilege requirement for "CREATE" commands is enforced to precisely avoid this scenario where a malicious user can change the underlying Kudu table mapping. The fix is to enforce the same privilege requirement for "ALTER" commands that would make existing non-external Kudu tables external. | ||||
| CVE-2017-5642 | 1 Apache | 1 Ambari | 2025-04-20 | N/A |
| During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. | ||||
| CVE-2014-0072 | 1 Apache | 2 Cordova, Cordova File Transfer | 2025-04-20 | N/A |
| ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option. | ||||
| CVE-2017-7686 | 1 Apache | 1 Ignite | 2025-04-20 | N/A |
| Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to update the users about new project releases that include additional functionality, bug fixes and performance improvements. To do that the component communicates to an external PHP server (http://ignite.run) where it needs to send some system properties like Apache Ignite or Java version. Some of the properties might contain user sensitive information. | ||||
| CVE-2017-7676 | 1 Apache | 1 Ranger | 2025-04-20 | N/A |
| Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior. | ||||
| CVE-2017-5646 | 1 Apache | 1 Knox | 2025-04-20 | 6.8 Medium |
| For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release. | ||||
| CVE-2016-6815 | 1 Apache | 1 Ranger | 2025-04-20 | N/A |
| In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role. | ||||
| CVE-2017-5652 | 1 Apache | 1 Impala | 2025-04-20 | N/A |
| During a routine security analysis, it was found that one of the ports in Apache Impala (incubating) 2.7.0 to 2.8.0 sent data in plaintext even when the cluster was configured to use TLS. The port in question was used by the StatestoreSubscriber class which did not use the appropriate secure Thrift transport when TLS was turned on. It was therefore possible for an adversary, with access to the network, to eavesdrop on the packets going to and coming from that port and view the data in plaintext. | ||||
| CVE-2014-0043 | 1 Apache | 1 Wicket | 2025-04-20 | N/A |
| In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use. | ||||
| CVE-2017-5636 | 1 Apache | 1 Nifi | 2025-04-20 | N/A |
| In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. | ||||
| CVE-2017-5640 | 1 Apache | 1 Impala | 2025-04-20 | N/A |
| It was noticed that a malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled (but TLS is not). If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client will consider the handshake as completed even though no exchange of credentials has happened. | ||||
| CVE-2017-5654 | 1 Apache | 1 Ambari | 2025-04-20 | N/A |
| In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes. | ||||
| CVE-2017-3154 | 1 Apache | 1 Atlas | 2025-04-20 | N/A |
| Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information. | ||||
| CVE-2017-7685 | 1 Apache | 1 Openmeetings | 2025-04-20 | N/A |
| Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH. | ||||
| CVE-2017-12634 | 2 Apache, Redhat | 3 Camel, Jboss Amq, Jboss Fuse | 2025-04-20 | N/A |
| The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | ||||
| CVE-2017-15708 | 2 Apache, Oracle | 3 Synapse, Financial Services Market Risk Measurement And Management, Peoplesoft Enterprise Peopletools | 2025-04-20 | 9.8 Critical |
| In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. | ||||
| CVE-2017-5635 | 1 Apache | 1 Nifi | 2025-04-20 | N/A |
| In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user. | ||||
| CVE-2017-5655 | 1 Apache | 1 Ambari | 2025-04-20 | N/A |
| In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host. | ||||
| CVE-2017-3151 | 1 Apache | 1 Atlas | 2025-04-20 | 6.1 Medium |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality. | ||||