Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-05-03 CVE-2018-8003 Path Traversal vulnerability in Apache Ambari
Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a directory traversal attack allowing an unauthenticated user to craft an HTTP request which provides read-only access to any file on the filesystem of the host the Ambari Server runs on that is accessible by the user the Ambari Server is running as.
network
low complexity
apache CWE-22
5.3
2018-04-26 CVE-2017-15691 XXE vulnerability in Apache products
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers.
network
low complexity
apache CWE-611
6.5
2018-04-25 CVE-2018-1339 Infinite Loop vulnerability in Apache Tika
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
local
low complexity
apache CWE-835
5.5
2018-04-25 CVE-2018-1338 Infinite Loop vulnerability in Apache Tika
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
local
low complexity
apache CWE-835
5.5
2018-04-19 CVE-2018-2799 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). 5.3
2018-03-26 CVE-2018-1302 NULL Pointer Dereference vulnerability in multiple products
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory.
network
high complexity
apache canonical netapp CWE-476
5.9
2018-03-26 CVE-2018-1301 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header.
network
high complexity
apache debian canonical netapp redhat CWE-119
5.9
2018-03-26 CVE-2018-1283 In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header.
network
high complexity
apache debian canonical netapp redhat
5.3
2018-03-20 CVE-2018-1322 Information Exposure vulnerability in Apache Syncope
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.
network
low complexity
apache CWE-200
4.9
2018-03-16 CVE-2018-1324 Infinite Loop vulnerability in multiple products
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15.
local
low complexity
apache oracle CWE-835
5.5