Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-04-26 CVE-2017-3161 Cross-site Scripting vulnerability in Apache Hadoop
The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.
network
low complexity
apache CWE-79
6.1
2017-04-18 CVE-2017-5653 Improper Certificate Validation vulnerability in Apache CXF
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
network
low complexity
apache CWE-295
5.3
2017-04-07 CVE-2016-6805 XXE vulnerability in Apache Ignite
Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents.
network
high complexity
apache CWE-611
5.9
2017-03-29 CVE-2016-4976 Information Exposure vulnerability in Apache Ambari
Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a process listing.
local
low complexity
apache CWE-200
5.5
2017-03-24 CVE-2017-5644 XML Entity Expansion vulnerability in Apache POI
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
local
low complexity
apache CWE-776
5.5
2017-03-23 CVE-2014-0229 Permissions, Privileges, and Access Controls vulnerability in multiple products
Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.
network
low complexity
cloudera apache CWE-264
6.5
2017-02-02 CVE-2016-1566 Cross-site Scripting vulnerability in Apache Guacamole 0.9.8/0.9.9
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename.
network
low complexity
apache CWE-79
5.4
2016-12-15 CVE-2015-3271 Information Exposure vulnerability in Apache Tika 1.9
Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header.
network
low complexity
apache CWE-200
5.3
2016-09-26 CVE-2016-5395 Cross-site Scripting vulnerability in Apache Ranger
Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies.
network
low complexity
apache CWE-79
4.8
2016-08-19 CVE-2016-3089 Cross-site Scripting vulnerability in Apache Openmeetings
Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter.
network
low complexity
apache CWE-79
6.1