CVE-2022-23437

< 9.0

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads.

6.5MEDIUM

CVE-2021-44790

<= 9.0

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua script

9.8CRITICAL

CVE-2021-44224

< 9.0

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for

8.2HIGH

CVE-2021-45105

< 9.0

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from sel

5.9MEDIUM

CVE-2021-36090

>= 8.2.0 and <= 8.2.4.0

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an ou

7.5HIGH

CVE-2021-34428

all versions

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed()

2.9LOW

CVE-2021-30468

all versions

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which

7.5HIGH

CVE-2021-22118

>= 8.2.0 and <= 8.2.4.0

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a pr

7.8HIGH

CVE-2021-22696

all versions

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth

7.5HIGH

CVE-2021-28165

all versions

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a

7.5HIGH

CVE-2021-28163

all versions

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is

2.7LOW

CVE-2021-22112

>= 8.2.0 and <= 8.2.4.0

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions c

8.8HIGH

CVE-2021-26117

>= 8.2.0 and <= 8.2.4.0

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache Act

7.5HIGH

CVE-2020-36183

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36182

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36180

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36179

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oad

8.1HIGH

CVE-2020-36188

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-36187

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36186

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36185

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36184

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36181

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-35728

>= 8.2.0.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-27216

>= 8.2.1 and <= 8.2.2.1

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Uni

7.0HIGH

CVE-2020-24750

>= 8.2.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-11998

>= 8.2.0 and <= 8.2.4.0

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer,

9.8CRITICAL

CVE-2020-24616

>= 8.2.0 and <= 8.2.4.0

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.

8.1HIGH

CVE-2020-9490

>= 8.2.0 and <= 8.2.2

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would re

7.5HIGH

CVE-2020-11993

>= 8.2.0 and <= 8.2.2

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patter

7.5HIGH

CVE-2020-11984

>= 8.2.0 and <= 8.2.2

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

9.8CRITICAL

CVE-2020-14195

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-14060

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oad

8.1HIGH

CVE-2020-14062

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-14061

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to ora

8.1HIGH

CVE-2020-9484

>= 8.2.0 and <= 8.2.2

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attack

7.0HIGH

CVE-2020-1941

all versions

In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.

6.1MEDIUM

CVE-2020-11023

all versions

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sourc

6.9MEDIUM

CVE-2020-11655

>= 8.2.0 and <= 8.2.2

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query bec

7.5HIGH

CVE-2020-1927

all versions

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fo

6.1MEDIUM

CVE-2020-1954

>= 8.2.0 and <= 8.2.2

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘cr

5.3MEDIUM

CVE-2020-1934

all versions

In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.

5.3MEDIUM

CVE-2020-11113

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-11112

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-11111

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-10969

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to jav

8.8HIGH

CVE-2020-10968

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-10673

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com

8.8HIGH

CVE-2020-10672

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-9548

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.

9.8CRITICAL

CVE-2020-9546

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

9.8CRITICAL

CVE-2020-1938

all versions

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats

9.8CRITICAL

CVE-2020-1935

all versions

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-l

4.8MEDIUM

CVE-2020-5397

all versions

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring

5.3MEDIUM

CVE-2020-5398

all versions

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an applica

7.5HIGH

CVE-2019-17573

all versions

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage i

6.1MEDIUM

CVE-2019-12423

>= 8.2.0 and <= 8.2.2

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can

7.5HIGH

CVE-2019-10097

all versions

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY"

7.2HIGH

CVE-2019-10092

all versions

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attac

6.1MEDIUM

CVE-2019-10082

all versions

In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after be

9.1CRITICAL

CVE-2019-12402

>= 8.2.0 and <= 8.2.2

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced

7.5HIGH

CVE-2019-9517

all versions

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. Th

7.5HIGH

CVE-2019-0227

all versions

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Secur

7.5HIGH

CVE-2019-10247

all versions

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jett

5.3MEDIUM

CVE-2019-10246

all versions

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualifie

5.3MEDIUM

CVE-2019-11358

all versions

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Objec

6.1MEDIUM

CVE-2018-15756

all versions

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on t

7.5HIGH

CVE-2018-8032

all versions

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

6.1MEDIUM