Apache vulnerabilities, medium risk

| Date | CVE | Title | Attack vector | Complexity | Vendor | CWE | Risk score | Description |
|---|---|---|---|---|---|---|---|---|
| 2019-04-10 | CVE-2019-0216 | Cross-site Scripting vulnerability in Apache Airflow | network | low | apache | CWE-79 | 4.8 | A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. |
| 2019-03-28 | CVE-2019-0224 | Cross-site Scripting vulnerability in Apache Jspwiki | network | low | apache | CWE-79 | 6.1 | In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute JavaScript on another user's session. |
| 2019-03-21 | CVE-2019-0191 | Path Traversal vulnerability in Apache Karaf | network | low | apache | CWE-22 | 6.5 | The Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. |
| 2019-02-27 | CVE-2018-20244 | Cross-site Scripting vulnerability in Apache Airflow | network | low | apache | CWE-79 | 5.5 | In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. |
| 2019-02-11 | CVE-2018-20242 | Cross-site Scripting vulnerability in Apache Jspwiki | network | low | apache | CWE-79 | 6.1 | A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, in versions up to 2.10.5, which could lead to session hijacking. |
| 2019-02-04 | CVE-2018-11760 | Unspecified vulnerability in Apache Spark | local | low | apache | | 5.5 | When using PySpark, it is possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. |
| 2019-01-31 | CVE-2019-6111 | Path Traversal vulnerability in multiple products | | | | | 5.9 | An issue was discovered in OpenSSH 7.9. |
| 2019-01-30 | CVE-2018-17189 | Resource Exhaustion vulnerability in multiple products | | | | | 5.3 | In Apache HTTP Server versions 2.4.37 and prior, by sending request bodies in a slow-loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. |
| 2019-01-09 | CVE-2018-1000421 | Server-Side Request Forgery (SSRF) vulnerability in Apache Mesos | network | low | apache | CWE-918 | 6.5 | An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| 2019-01-09 | CVE-2018-1000420 | Incorrect Authorization vulnerability in Apache Mesos | network | low | apache | CWE-863 | 6.5 | An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins. |