Export limit exceeded: 351332 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2906 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-0226 | 2 Apache, Redhat | 7 Wss4j, Jboss Amq, Jboss Data Grid and 4 more | 2025-04-20 | N/A |
| Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487. | ||||
| CVE-2016-3083 | 1 Apache | 1 Hive | 2025-04-20 | N/A |
| Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client will accept that as a valid certificate and the SSL handshake will go through. | ||||
| CVE-2014-3582 | 1 Apache | 1 Ambari | 2025-04-20 | N/A |
| In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. | ||||
| CVE-2014-3250 | 3 Apache, Puppet, Redhat | 3 Http Server, Puppet, Linux | 2025-04-20 | N/A |
| The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4. | ||||
| CVE-2014-3600 | 2 Apache, Redhat | 6 Activemq, Fuse Esb Enterprise, Fuse Management Console and 3 more | 2025-04-20 | N/A |
| XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. | ||||
| CVE-2014-3579 | 1 Apache | 1 Activemq Apollo | 2025-04-20 | N/A |
| XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. | ||||
| CVE-2014-0072 | 1 Apache | 2 Cordova, Cordova File Transfer | 2025-04-20 | N/A |
| ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option. | ||||
| CVE-2014-9634 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2025-04-20 | N/A |
| Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. | ||||
| CVE-2016-4434 | 2 Apache, Redhat | 4 Tika, Jboss Bpms, Jboss Data Virtualization and 1 more | 2025-04-20 | N/A |
| Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. | ||||
| CVE-2016-8741 | 1 Apache | 1 Qpid Broker-j | 2025-04-20 | 7.5 High |
| The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256. | ||||
| CVE-2012-0880 | 1 Apache | 1 Xerces-c\+\+ | 2025-04-20 | N/A |
| Apache Xerces-C++ allows remote attackers to cause a denial of service (CPU consumption) via a crafted message sent to an XML service that causes hash table collisions. | ||||
| CVE-2012-4449 | 1 Apache | 1 Hadoop | 2025-04-20 | N/A |
| Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. | ||||
| CVE-2013-4246 | 1 Apache | 1 Subversion | 2025-04-20 | N/A |
| libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties. | ||||
| CVE-2014-0043 | 1 Apache | 1 Wicket | 2025-04-20 | N/A |
| In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use. | ||||
| CVE-2016-8745 | 2 Apache, Redhat | 3 Tomcat, Enterprise Linux, Jboss Enterprise Web Server | 2025-04-20 | N/A |
| A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. | ||||
| CVE-2016-8751 | 1 Apache | 1 Ranger | 2025-04-20 | N/A |
| Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies. | ||||
| CVE-2014-0073 | 1 Apache | 2 Cordova, Cordova In-app-browser | 2025-04-20 | N/A |
| The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI. | ||||
| CVE-2014-0030 | 1 Apache | 1 Roller | 2025-04-20 | N/A |
| The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | ||||
| CVE-2012-0803 | 1 Apache | 1 Cxf | 2025-04-20 | N/A |
| The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request. | ||||
| CVE-2012-1622 | 1 Apache | 1 Ofbiz | 2025-04-20 | N/A |
| Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. | ||||