Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.8

    HIGH
    CVE-2018-11789

    When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. Example woule be modifying the parameter path= to go to the directory you would like to view. i.e. ..%2F..%2F..%2F..%2F.... Read more

    Affected Products : heron
    • Published: Mar. 21, 2019
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2018-11788

    Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mi... Read more

    Affected Products : karaf
    • Published: Jan. 07, 2019
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2018-11787

    In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to t... Read more

    Affected Products : karaf
    • Published: Sep. 18, 2018
    • Modified: Nov. 21, 2024

  • 9.0

    HIGH
    CVE-2018-11786

    In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process ... Read more

    Affected Products : karaf
    • Published: Sep. 18, 2018
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2018-11785

    Missing authorization check in Apache Impala before 3.0.1 allows a Kerberos-authenticated but unauthorized user to inject random data into a running query, leading to wrong results for a query.... Read more

    Affected Products : impala
    • Published: Oct. 24, 2018
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2018-11784

    When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the ... Read more

    • Published: Oct. 04, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2018-11783

    sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6... Read more

    Affected Products : traffic_server
    • Published: Mar. 07, 2019
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2018-11782

    In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.... Read more

    • Published: Sep. 26, 2019
    • Modified: Nov. 21, 2024

  • 7.8

    HIGH
    CVE-2018-11781

    Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.... Read more

    • Published: Sep. 17, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2018-11780

    A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.... Read more

    • Published: Sep. 17, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2018-11779

    In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.... Read more

    Affected Products : storm
    • Published: Jul. 26, 2019
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2018-11778

    UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0... Read more

    Affected Products : ranger
    • Published: Oct. 05, 2018
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2018-11777

    In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use.... Read more

    Affected Products : hive
    • Published: Nov. 08, 2018
    • Modified: Nov. 21, 2024

  • 7.4

    HIGH
    CVE-2018-11775

    TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.... Read more

    • Published: Sep. 10, 2018
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2018-11774

    Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and removing VMs to and from hosts. The form data is then used in SQL statements. This allows for an SQL injection attack. Access to this portion of a VCL system requires ... Read more

    Affected Products : virtual_computing_lab
    • Published: Jul. 29, 2019
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2018-11773

    Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. The form data is then used as an argument to the php built in function strtotime. This allows for an attack against the underlying implem... Read more

    Affected Products : virtual_computing_lab
    • Published: Jul. 29, 2019
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2018-11772

    Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree. The cookie data is then used in an SQL statement. This allows for an SQL injection attack. Access ... Read more

    Affected Products : virtual_computing_lab
    • Published: Jul. 29, 2019
    • Modified: Nov. 21, 2024

  • 5.5

    MEDIUM
    CVE-2018-11771

    When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStre... Read more

    • Published: Aug. 16, 2018
    • Modified: Nov. 21, 2024

  • 4.9

    MEDIUM
    CVE-2018-11770

    From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for... Read more

    Affected Products : spark
    • Published: Aug. 13, 2018
    • Modified: Nov. 21, 2024

  • 9.0

    HIGH
    CVE-2018-11769

    CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their pr... Read more

    Affected Products : couchdb
    • Published: Aug. 08, 2018
    • Modified: Nov. 21, 2024
Showing 20 of 294449 Results