Vulnerabilities > Apache > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-04-23 | CVE-2018-1317 | Improper Authentication vulnerability in Apache Zeppelin In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication. | 8.8 |
| 2019-04-23 | CVE-2017-12619 | Session Fixation vulnerability in Apache Zeppelin Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. | 8.1 |
| 2019-04-15 | CVE-2019-0232 | OS Command Injection vulnerability in Apache Tomcat When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. | 8.1 |
| 2019-04-10 | CVE-2019-0229 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks. | 8.8 |
| 2019-04-10 | CVE-2019-0199 | Resource Exhaustion vulnerability in Apache Tomcat The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. | 7.5 |
| 2019-04-08 | CVE-2019-0211 | Use After Free vulnerability in multiple products In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. | 7.8 |
| 2019-04-08 | CVE-2019-0217 | Race Condition vulnerability in multiple products In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. | 7.5 |
| 2019-04-08 | CVE-2019-0215 | In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions. | 7.5 |
| 2019-03-28 | CVE-2019-0225 | Path Traversal vulnerability in Apache Jspwiki A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details. | 7.5 |
| 2019-03-28 | CVE-2019-0222 | In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive. | 7.5 |