Latest CVE Feed
CVE-2018-11782 (CVSS 6.5, MEDIUM)
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.
- Published: Sep. 26, 2019
- Modified: Nov. 21, 2024

CVE-2018-11781 (CVSS 7.8, HIGH)
Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.
- Published: Sep. 17, 2018
- Modified: Nov. 21, 2024

CVE-2018-11780 (CVSS 9.8, CRITICAL)
A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
- Published: Sep. 17, 2018
- Modified: Nov. 21, 2024

CVE-2018-11779 (CVSS 9.8, CRITICAL)
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user-provided bytes into a Java class.
- Affected Products: storm
- Published: Jul. 26, 2019
- Modified: Nov. 21, 2024

CVE-2018-11778 (CVSS 8.8, HIGH)
UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid a stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0.
- Affected Products: ranger
- Published: Oct. 05, 2018
- Modified: Nov. 21, 2024

CVE-2018-11777 (CVSS 8.1, HIGH)
In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against a malicious user if the Ranger, Sentry or SQL standard authorizer is not in use.
- Affected Products: hive
- Published: Nov. 08, 2018
- Modified: Nov. 21, 2024

CVE-2018-11775 (CVSS 7.4, HIGH)
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
- Published: Sep. 10, 2018
- Modified: Nov. 21, 2024

CVE-2018-11774 (CVSS 7.2, HIGH)
Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and removing VMs to and from hosts. The form data is then used in SQL statements. This allows for an SQL injection attack. Access to this portion of a VCL system requires ...
- Affected Products: virtual_computing_lab
- Published: Jul. 29, 2019
- Modified: Nov. 21, 2024

CVE-2018-11773 (CVSS 9.8, CRITICAL)
Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. The form data is then used as an argument to the PHP built-in function strtotime. This allows for an attack against the underlying implem...
- Affected Products: virtual_computing_lab
- Published: Jul. 29, 2019
- Modified: Nov. 21, 2024

CVE-2018-11772 (CVSS 7.2, HIGH)
Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree. The cookie data is then used in an SQL statement. This allows for an SQL injection attack. Access ...
- Affected Products: virtual_computing_lab
- Published: Jul. 29, 2019
- Modified: Nov. 21, 2024

CVE-2018-11771 (CVSS 5.5, MEDIUM)
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStre...
- Published: Aug. 16, 2018
- Modified: Nov. 21, 2024

CVE-2018-11770 (CVSS 4.9, MEDIUM)
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for...
- Affected Products: spark
- Published: Aug. 13, 2018
- Modified: Nov. 21, 2024

CVE-2018-11769 (CVSS 9.0, HIGH)
CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their pr...
- Affected Products: couchdb
- Published: Aug. 08, 2018
- Modified: Nov. 21, 2024

CVE-2018-11768 (CVSS 7.5, HIGH)
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
- Affected Products: hadoop
- Published: Oct. 04, 2019
- Modified: Nov. 21, 2024

CVE-2018-11767 (CVSS 7.4, HIGH)
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS can block users or grant access to users incorrectly if the system uses non-default groups mapping mechanisms.
- Affected Products: hadoop
- Published: Mar. 21, 2019
- Modified: Nov. 21, 2024

CVE-2018-11766 (CVSS 9.0, HIGH)
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
- Affected Products: hadoop
- Published: Nov. 27, 2018
- Modified: Nov. 21, 2024

CVE-2018-11765 (CVSS 7.5, HIGH)
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
- Affected Products: hadoop
- Published: Sep. 30, 2020
- Modified: Nov. 21, 2024

CVE-2018-11764 (CVSS 9.0, HIGH)
The web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.
- Affected Products: hadoop
- Published: Oct. 21, 2020
- Modified: Nov. 21, 2024

CVE-2018-11763 (CVSS 5.9, MEDIUM)
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming into effect. This affects only HTTP/2 connections. A possible mitigation ...
- Published: Sep. 25, 2018
- Modified: Nov. 21, 2024

CVE-2018-11762 (CVSS 5.9, MEDIUM)
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the command line (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file...
- Affected Products: tika
- Published: Sep. 19, 2018
- Modified: Nov. 21, 2024