Vulnerabilities > Apache

DATE CVE VULNERABILITY TITLE RISK
2019-04-23 CVE-2019-0223 While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0.
network
high complexity
apache redhat
7.4
2019-04-23 CVE-2018-1328 Cross-site Scripting vulnerability in Apache Zeppelin
Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions.
network
low complexity
apache CWE-79
6.1
2019-04-23 CVE-2018-1317 Improper Authentication vulnerability in Apache Zeppelin
In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.
network
low complexity
apache CWE-287
8.8
2019-04-23 CVE-2017-12619 Session Fixation vulnerability in Apache Zeppelin
Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session.
network
low complexity
apache CWE-384
8.1
2019-04-22 CVE-2019-0218 Cross-site Scripting vulnerability in Apache Pony Mail
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
network
low complexity
apache CWE-79
6.1
2019-04-22 CVE-2019-10241 Cross-site Scripting vulnerability in multiple products
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
network
low complexity
eclipse debian apache oracle CWE-79
6.1
2019-04-17 CVE-2019-0228 XXE vulnerability in multiple products
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
network
low complexity
apache fedoraproject oracle CWE-611
critical
9.8
2019-04-15 CVE-2019-0232 OS Command Injection vulnerability in Apache Tomcat
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows.
network
high complexity
apache CWE-78
8.1
2019-04-10 CVE-2019-0229 Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow
A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.
network
low complexity
apache CWE-352
8.8
2019-04-10 CVE-2019-0216 Cross-site Scripting vulnerability in Apache Airflow
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.
network
low complexity
apache CWE-79
4.8