33 matches found
CVE-2017-3167
CVE-2017-3167 affects Apache httpd 2.2.x prior to 2.2.33 and 2.4.x prior to 2.4.26. The issue is that third‑party modules using ap_get_basic_auth_pw() outside the authentication phase can bypass authentication requirements. Connected sources confirm the impact and upstream fixes: update to httpd ...
CVE-2017-7668
CVE-2017-7668: Apache httpd contains a buffer over-read in ap_find_token() caused by strict HTTP parsing changes in 2.2.32 and 2.4.24. A remote attacker can craft headers to crash the httpd process or have ap_find_token() return an incorrect value. Affected distributions have addressed this by up...
CVE-2021-40438
CVE-2021-40438 is an SSRF flaw in Apache HTTP Server 2.4.x through older revisions where a crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user. The issue affects Apache httpd 2.4.48 and earlier; the CVSSv3.1 base score is 9.0 (CRITICAL...
CVE-2019-10092
The CVE-2019-10092 entry concerns Apache HTTP Server 2.4.0–2.4.39 with a limited cross-site scripting in the mod_proxy error page. The vulnerability lets an attacker craft a link on the error page that could mislead users by pointing to a page of the attacker’s choosing, but exploitation requires...
CVE-2017-9788
Apache httpd vulnerability CVE-2017-9788 stems from mod_auth_digest not initializing or resetting the value placeholder in Digest Proxy-Authorization headers between key=value assignments, which can leak previous memory data or cause a segfault/DoS. Affected: httpd 2.2.34 and 2.4.x prior to 2.4.2...
CVE-2014-0226
Apache HTTP Server CVE-2014-0226 is a race-condition vulnerability in the mod_status component that can cause a heap-based buffer overflow, denial of service, and potentially credential disclosure or code execution. Affects httpd before 2.4.10; the issue arises from improper scoreboard handling i...
CVE-2014-0098
CVE-2014-0098 affects the Apache HTTP Server (mod_log_config) prior to version 2.4.8. The vulnerability is caused by how log_cookie is handled during truncation, allowing remote attackers to trigger a denial-of-service (segmentation fault and daemon crash). Public advisories and vendor notes (e.g...
CVE-2018-11763
CVE-2018-11763 affects Apache HTTP Server 2.4.17–2.4.34 and targets the HTTP/2 implementation. The issue arises when a client sends continuous, large SETTINGS frames, allowing a single connection to occupy a server thread and CPU time without triggering a connection timeout. Impact is limited to ...
CVE-2019-1559
OpenSSL vulnerability CVE-2019-1559 describes a padding-oracle weakness where, if an application encounters a fatal protocol error and then calls SSL_shutdown() twice (to send close_notify and to receive one), the server may respond differently to a 0-byte record with invalid padding versus inval...
CVE-2021-3449
CVE-2021-3449 affects OpenSSL 1.1.1.x where a TLSv1.2 server may crash (DoS) if it receives a renegotiation ClientHello that omits the signature_algorithms extension but includes signature_algorithms_cert. The issue is a NULL pointer dereference leading to a denial of service; OpenSSL clients are...
CVE-2018-11784
CVE-2018-11784 affects Apache Tomcat: the default servlet could be tricked into generating redirects to arbitrary URIs when handling requests like /foo, enabling open redirect. Affected branches include 9.0.x (9.0.0.M1–9.0.11), 8.5.x (8.5.0–8.5.33), and 7.0.x (7.0.23–7.0.90). Root cause is how th...
CVE-2021-33037
CVE-2021-33037 affects Apache Tomcat: versions 10.0.0-M1–10.0.6, 9.0.0.M1–9.0.46, and 8.5.0–8.5.66 may mishandle the HTTP transfer-encoding header with reverse proxies, enabling request smuggling. Root cause: improper header handling allowing spoofed content encoding sequencing. Impact stated in ...
CVE-2018-0735
CVE-2018-0735 corresponds to a timing side-channel vulnerability in OpenSSL’s ECDSA signature generation. An attacker could exploit variations in signing to recover the private key. Affected: OpenSSL 1.1.0 (1.1.0-1.1.0i) and OpenSSL 1.1.1 (1.1.1) prior to the fixes. Fixes were released in OpenSSL...
CVE-2021-3450
CVE-2021-3450 affects OpenSSL 1.1.1h–1.1.1j where a bug in the X509_V_FLAG_X509_STRICT path overwrote a prior CA-check result, bypassing the non-CA certificates prohibition unless a programmed purpose is used. When a purpose is configured, the certificate chain is still rejected; the issue is fix...
CVE-2019-3822
CVE-2019-3822 affects libcurl 7.36.0 through before 7.64.0. The vulnerability is a stack-based buffer overflow in the NTLM header creation path: Curl_auth_create_ntlm_type3_message() uses unsigned arithmetic to guard a local buffer, but the check is insufficient, allowing the output data to excee...
CVE-2018-1304
Apache Tomcat vulnerability CVE-2018-1304 arises from incorrect handling of the empty string URL pattern ("") in security constraint processing, allowing unauthorized access to protected resources. Affected versions: Tomcat 9.0.0.M1–9.0.4, 8.5.0–8.5.27, 8.0.0.RC1–8.0.49, and 7.0.0–7.0.84. This is...
CVE-2019-0227
The CVE-2019-0227 entry concerns an SSRF in Apache Axis 1.4 (last released in 2006). The connected IBM bulletins confirm Axis 1.x vulnerability details and state Axis 2 is the successor, with 1.7.9 (Axis2) being not vulnerable. Affected Axis 1.x components are legacy; remediation is to upgrade to...
CVE-2018-16890
CVE-2018-16890 affects libcurl versions 7.36.0 to before 7.64.0. The NTLM type-2 handling path (lib/vauth/ntlm.c:ntlm_decode_type2_target) fails to validate incoming data, enabling an integer overflow that an attacker could abuse to trigger a heap read out-of-bounds. Related issues in the same se...
CVE-2019-3823
CVE-2019-3823 affects curl/libcurl from version 7.34.0 through before 7.64.0. The issue is a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp() isn’t NUL terminated and contains no character ending the parsed number, and len is 5, a...
CVE-2018-8032
CVE-2018-8032 affects Apache Axis 1.x (up to 1.4) with a cross-site scripting (XSS) vulnerability in the default servlet/services. This vulnerability is documented in IBM/PM security bulletins linked to Axis, confirming an XSS flaw (CWE-79) in Axis 1.x and indicating broader IBM product exposure....
CVE-2019-17091
CVE-2019-17091 affects Eclipse Mojarra (used in Mojarra for Eclipse EE4J) with an issue in faces/context/PartialViewContextImpl.java that allows Reflected XSS. Affected versions are Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20. The root cause is mishandling of...
CVE-2013-2064
CVE-2013-2064 is an integer overflow vulnerability in X.Org libxcb 1.9 and earlier that can cause a heap/allocation issue and buffer overflow via read_packet. Connected advisories confirm this flaw affects libxcb and related X11 client libraries, with CentOS/RHEL/Fedora updates issued to fix mult...
CVE-2018-19439
Oracle Secure Global Desktop (SGD) Administration Console 4.4 contains a reflected Cross-Site Scripting vulnerability in helpwindow.jsp, exploitable via all parameters (notably windowTitle). The underlying issue is reflected XSS in helpwindow.jsp that can execute arbitrary script in a victim’s br...
CVE-2021-2446
CVE-2021-2446 affects Oracle Secure Global Desktop, Client component, version 5.6. The vulnerability allows a network-accessible, unauthenticated attacker to compromise the product, with attacks requiring user interaction and potentially leading to takeover of Oracle Secure Global Desktop and imp...
CVE-2021-2248
CVE-2021-2248 affects Oracle Secure Global Desktop (Server component) with affected version 5.6. Descriptions across NVD/Red Hat/CVEs state an unauthenticated attacker with network access via multiple protocols can compromise Oracle Secure Global Desktop, potentially leading to takeover. The root...
CVE-2021-2177
CVE-2021-2177 affects Oracle Secure Global Desktop (Gateway) version 5.6. The vulnerability allows an unauthenticated attacker with network access via multiple protocols to take over Oracle Secure Global Desktop. The description in multiple sources confirms the impact as takeover; no root-cause o...
CVE-2021-2221
CVE-2021-2221 affects Oracle Secure Global Desktop (Client) with vulnerable version 5.6. Multiple sources indicate an input-validation/remote code-execution style flaw in the Client component that can allow an unauthenticated attacker to execute arbitrary code over network protocols, potentially ...
CVE-2016-0501
CVE-2016-0501 is associated with Oracle Secure Global Desktop (SGD) Core component in SGD/Oracle Virtualization 5.2. Connected sources indicate an unspecified vulnerability in SGD Core that allows remote attackers to cause a denial-of-service condition. Concrete exploitation details, affected sub...
CVE-2016-5580
CVE-2016-5580 applies to Oracle Secure Global Desktop ( SGD ) Web Services in Oracle Virtualization 4.7 and 5.2. A remote authenticated attacker could affect confidentiality and availability via the SGD Web Services component. The CVSS data indicates high impact on confidentiality and availabilit...
CVE-2021-35650
CVE-2021-35650 affects Oracle Secure Global Desktop (Oracle Virtualization), component: Client, version 5.6. The vulnerability is exploitable by a low-privileged user with network access via multiple protocols; exploitation requires user interaction and can grant unauthorized read access to a dat...
CVE-2021-2447
Summary : CVE-2021-2447 affects Oracle Secure Global Desktop (Server component) on version 5.6. The vulnerability allows a low-privilege, network-based attacker to compromise the product via multiple protocols, potentially leading to takeover of Oracle Secure Global Desktop. This is consistent wi...
CVE-2016-3613
CVE-2016-3613 is an unspecified vulnerability in Oracle Secure Global Desktop within Oracle Virtualization 4.63, 4.71, and 5.2, affecting confidentiality, integrity, and availability via OpenSSL-related vectors. The vulnerability is listed across multiple sources (NVD entry, SUSE/Tenable/Nessus p...
CVE-2021-35649
CVE-2021-35649 affects Oracle Secure Global Desktop (Server component) in Oracle Virtualization, with affected version 5.6. The vulnerability allows a low-privilege, network-accessing attacker to read a subset of data and cause partial denial of service. CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U...