Vulnerabilities > Apache
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-06-24 | CVE-2020-9494 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread. | 5.0 |
2020-06-23 | CVE-2020-9480 | Missing Authentication for Critical Function vulnerability in multiple products In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. | 9.8 |
2020-06-22 | CVE-2020-11989 | Unspecified vulnerability in Apache Shiro Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | 9.8 |
2020-06-19 | CVE-2020-9495 | Injection vulnerability in Apache Archiva Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. | 5.3 |
2020-06-15 | CVE-2020-11969 | Missing Authentication for Critical Function vulnerability in Apache Tomee If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. | 9.8 |
2020-06-12 | CVE-2020-11980 | Server-Side Request Forgery (SSRF) vulnerability in Apache Karaf In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. | 6.5 |
2020-06-05 | CVE-2020-11975 | Unspecified vulnerability in Apache Unomi 1.3.0/1.4.0/1.5.0 Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process. | 9.8 |
2020-06-03 | CVE-2020-1963 | Missing Authorization vulnerability in Apache Ignite Apache Ignite uses H2 database to build SQL distributed execution engine. | 9.1 |
2020-05-22 | CVE-2020-1956 | OS Command Injection vulnerability in Apache Kylin Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation. | 8.8 |
2020-05-21 | CVE-2018-21234 | Deserialization of Untrusted Data vulnerability in multiple products Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set. | 9.8 |