Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-07-23 CVE-2018-8031 Cross-site Scripting vulnerability in Apache Tomee
The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL.
network
low complexity
apache CWE-79
6.1
2018-07-12 CVE-2018-8024 Information Exposure vulnerability in multiple products
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI.
network
low complexity
apache mozilla CWE-200
5.4
2018-07-12 CVE-2018-1334 Information Exposure vulnerability in Apache Spark
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
local
high complexity
apache CWE-200
4.7
2018-07-05 CVE-2018-8026 XXE vulnerability in multiple products
This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file).
local
low complexity
apache netapp CWE-611
5.5
2018-07-03 CVE-2018-8036 Infinite Loop vulnerability in Apache Pdfbox
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
network
low complexity
apache CWE-835
6.5
2018-06-08 CVE-2018-1281 Information Exposure vulnerability in Apache Mxnet
The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT env variables.
network
low complexity
apache CWE-200
6.5
2018-06-05 CVE-2018-8008 Path Traversal vulnerability in Apache Storm
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames.
local
low complexity
apache CWE-22
5.5
2018-06-05 CVE-2018-1332 Information Exposure vulnerability in Apache Storm
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.
network
low complexity
apache CWE-200
6.5
2018-05-21 CVE-2018-8010 XXE vulnerability in Apache Solr
This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema).
local
low complexity
apache CWE-611
5.5
2018-05-07 CVE-2018-1313 In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control.
network
high complexity
apache oracle
5.3