CVE-2022-23437

< 9.0

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads.

6.5MEDIUM

CVE-2021-44790

<= 9.0

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua script

9.8CRITICAL

CVE-2021-44224

< 9.0

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for

8.2HIGH

CVE-2021-45105

< 9.0

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from sel

5.9MEDIUM

CVE-2021-2351

>= 8.0.0 and <= 8.2.5.0

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1

8.3HIGH

CVE-2021-36090

>= 8.2.0 and <= 8.2.5.0

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an ou

7.5HIGH

CVE-2021-33037

>= 8.0.0 and <= 8.2.4.0

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding reque

5.3MEDIUM

CVE-2021-34428

>= 8.0.0.0 and <= 8.2.4.0

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed()

2.9LOW

CVE-2021-22118

>= 8.0.0 and <= 8.2.4.0

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a pr

7.8HIGH

CVE-2021-22696

>= 8.0.0 and <= 8.2.4.0

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth

7.5HIGH

CVE-2021-28165

>= 8.0.0.0 and <= 8.2.4.0

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a

7.5HIGH

CVE-2021-28163

>= 8.0.0 and <= 8.2.4.0

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is

2.7LOW

CVE-2021-27906

>= 8.0.0 and <= 8.2.4.0

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version

5.5MEDIUM

CVE-2021-27807

>= 8.0.0 and <= 8.2.4.0

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22

5.5MEDIUM

CVE-2020-13947

>= 8.0.0 and <= 8.2.2

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the me

6.1MEDIUM

CVE-2021-26117

>= 8.2.0 and <= 8.2.2

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache Act

7.5HIGH

CVE-2020-36183

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36182

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36180

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36179

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oad

8.1HIGH

CVE-2020-36188

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-36187

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36186

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36185

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36184

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-36181

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-35728

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-28052

>= 8.0.0 and <= 8.2.4.0

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compa

8.1HIGH

CVE-2020-5421

>= 8.2.1 and <= 8.2.2.1

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the pr

6.5MEDIUM

CVE-2020-24750

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-11998

>= 8.0.0 and <= 8.2.2

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer,

9.8CRITICAL

CVE-2020-24616

>= 8.0.0.0 and <= 8.2.2.1

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.

8.1HIGH

CVE-2020-9490

>= 8.2.0 and <= 8.2.2

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would re

7.5HIGH

CVE-2020-11993

>= 8.2.0 and <= 8.2.2

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patter

7.5HIGH

CVE-2020-11984

>= 8.2.0 and <= 8.2.2

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

9.8CRITICAL

CVE-2020-14195

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-14060

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oad

8.1HIGH

CVE-2020-14062

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-14061

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to ora

8.1HIGH

CVE-2020-9484

>= 8.2.0 and <= 8.2.2

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attack

7.0HIGH

CVE-2020-1941

all versions

In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.

6.1MEDIUM

CVE-2020-11023

all versions

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sourc

6.9MEDIUM

CVE-2020-11655

>= 8.2.0 and <= 8.2.2

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query bec

7.5HIGH

CVE-2020-1927

all versions

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fo

6.1MEDIUM

CVE-2020-1954

>= 8.2.0 and <= 8.2.2

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘cr

5.3MEDIUM

CVE-2020-1934

all versions

In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.

5.3MEDIUM

CVE-2020-11113

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-11112

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-11111

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-10969

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to jav

8.8HIGH

CVE-2020-10968

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-10673

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com

8.8HIGH

CVE-2020-10672

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-9548

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.

9.8CRITICAL

CVE-2020-9546

>= 8.2.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

9.8CRITICAL

CVE-2020-5398

all versions

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an applica

7.5HIGH

CVE-2019-17573

all versions

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage i

6.1MEDIUM

CVE-2019-12423

>= 8.2.0 and <= 8.2.2

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can

7.5HIGH

CVE-2019-10097

all versions

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY"

7.2HIGH

CVE-2019-12402

>= 8.2.0 and <= 8.2.2

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced

7.5HIGH

CVE-2019-0197

all versions

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enable

4.2MEDIUM

CVE-2019-0227

all versions

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Secur

7.5HIGH

CVE-2019-10247

all versions

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jett

5.3MEDIUM

CVE-2019-10246

all versions

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualifie

5.3MEDIUM

CVE-2019-11358

all versions

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Objec

6.1MEDIUM

CVE-2019-0228

>= 8.0.0.0 and <= 8.2.4.0

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External

9.8CRITICAL

CVE-2019-0211

all versions

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child pr

7.8HIGH

CVE-2018-15756

all versions

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on t

7.5HIGH

CVE-2018-8032

all versions

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

6.1MEDIUM