Tag: apache
-
Apache Tomcat und Tomcat Native – BSI warnt vor drei kritischen Apache-Schwachstellen
First seen on security-insider.de Jump to article: www.security-insider.de/bsi-warnung-kritische-apache-tomcat-schwachstellen-a-27831bc3505e3a24dd0daa3b17416a1c/
-
March Patch Tuesday: Three high severity holes in Microsoft Office
aadsshlogin package. Systems with the extension already installed have packages.microsoft.com configured automatically, so no additional setup is required.”The cloud ecosystem doesn’t really handle patching well,” Reguly said. “It’s a relatively immature process, and the way that Microsoft handles these products really demonstrates that. The CVE impacting Azure Linux Virtual Machines (CVE-2026-23665) or the multiple CVEs…
-
Apache ZooKeeper Flaw Exposes Sensitive Data to Attackers
Apache ZooKeeper, a centralized service used for maintaining configuration information and naming in distributed systems, has received critical security updates. The Apache Software Foundation recently addressed two >>Important<< severity vulnerabilities that could expose sensitive data and allow server impersonation in production environments. Configuration and Hostname Verification Flaws The first vulnerability, identified as CVE-2026-24308, involves sensitive…
-
Apache ActiveMQ Flaw Enables DoS Attacks via Malformed Network Packets
Security researchers have uncovered a significant vulnerability in Apache ActiveMQ, a popular open-source message broker used by enterprises to route data between applications. Tracked as CVE-2025-66168, this security flaw allows malicious actors to trigger unexpected broker behavior and potential denial-of-service (DoS) conditions by sending specifically crafted, malformed network packets. A successful attack against a message…
-
Threat Actors Exploit Apache ActiveMQ Vulnerability to Gain RDP Access, Deploy LockBit Ransomware
Threat actors recently abused a critical Apache ActiveMQ vulnerability to gain deep access to a Windows environment, eventually deploying LockBit ransomware over RDP. The attack shows how failing to patch CVE-2023-46604 can give adversaries repeat access and time to turn an initial foothold into full-domain impact. The exploit loaded a malicious Java Spring bean configuration XML file,…
-
Apache Tomcat Vulnerability Circumvents Access Rules
Apache disclosed a Tomcat flaw (CVE-2026-24733) that can bypass access controls via legacy HTTP/0.9 requests under specific configurations. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/apache-tomcat-vulnerability-circumvents-access-rules/
-
CVE-2026-25903 Impacts Apache NiFi Users
CVE-2026-25903 allows lower-privileged users to modify restricted components in affected Apache NiFi versions. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/cve-2026-25903-impacts-apache-nifi-users/
-
Apache NiFi Vulnerabilities Expose Systems to Authorization Bypass Attacks
Apache NiFi users are being urged to upgrade after the project disclosed a high-severity authorization flaw tracked as CVE-2026-25903. The issue, published on 2026-02-16, can allow a less-privileged authenticated user to modify configuration properties on certain “restricted” extension components that were previously added to a flow by a more privileged user, potentially weakening security controls…
-
Apache Syncope Vulnerability Allows Attackers to Hijack Active User Sessions
Apache Syncope, a popular open-source identity and access management platform, has disclosed a critical XML External Entity (XXE) vulnerability in its Console component. The vulnerability, tracked as CVE-2026-23795, allows authenticated administrators to execute XXE attacks and extract sensitive data from affected systems. Security researchers Follycat and Y0n3er discovered the flaw, which affects multiple versions of…
-
Ivanti patches two actively exploited critical vulnerabilities in EPMM
install rpm url [patch_url] command.The RPM_12.x.0.x patch is applicable to EPMM software versions 12.5.0.x, 12.6.0.x, and 12.7.0.x. It is also compatible with the older 12.3.0.x and 12.4.0.x versions. Meanwhile the RPM_12.x.1.x patch is applicable to versions 12.5.1.0 and 12.6.1.0.”The RPM script does not survive a version upgrade,” the company warns. “If after applying the RPM…
-
Imperva Customers Protected Against CVE-2026-21962 in Oracle HTTP and WebLogic
What Is CVE-2026-21962? CVE-2026-21962 is a critical (CVSS 10.0) vulnerability in the Oracle HTTP Server and the WebLogic Server Proxy Plug-in for Apache HTTP Server and Microsoft IIS. An unauthenticated attacker with HTTP access can exploit this flaw by sending crafted requests to the affected proxy components and bypass security controls. Successful exploitation can result……
-
Apache Hadoop Flaw Could Trigger System Crashes or Data Corruption
A moderate out-of-bounds write vulnerability in Apache Hadoop’s HDFS native client that could allow attackers to trigger system crashes or cause data corruption in production environments. The flaw, identified as CVE-2025-27821, affects the native HDFS client’s URI parser and has been assigned moderate severity by Apache. The vulnerability was discovered and reported by security researcher…
-
NDSS 2025 Secure Data Analytics
Session 10A: Confidential Computing 2 Authors, Creators & Presenters: Byeongwook Kim (Seoul National University), Jaewon Hur (Seoul National University), Adil Ahmad (Arizona State University), Byoungyoung Lee (Seoul National University) PAPER Secure Data Analytics in Apache Spark with Fine-grained Policy Enforcement and Isolated Execution Cloud based Spark platform is a tempting approach for sharing data, as…
-
NDSS 2025 Secure Data Analytics
Session 10A: Confidential Computing 2 Authors, Creators & Presenters: Byeongwook Kim (Seoul National University), Jaewon Hur (Seoul National University), Adil Ahmad (Arizona State University), Byoungyoung Lee (Seoul National University) PAPER Secure Data Analytics in Apache Spark with Fine-grained Policy Enforcement and Isolated Execution Cloud based Spark platform is a tempting approach for sharing data, as…
-
NDSS 2025 Secure Data Analytics
Session 10A: Confidential Computing 2 Authors, Creators & Presenters: Byeongwook Kim (Seoul National University), Jaewon Hur (Seoul National University), Adil Ahmad (Arizona State University), Byoungyoung Lee (Seoul National University) PAPER Secure Data Analytics in Apache Spark with Fine-grained Policy Enforcement and Isolated Execution Cloud based Spark platform is a tempting approach for sharing data, as…
-
Apache Airflow Flaws Expose Sensitive Workflow Data to Potential Attackers
Apache Airflow has patched two separate credential-exposure vulnerabilities in versions before 3.1.6. The flaws could allow attackers to extract sensitive authentication data embedded in proxy configurations and templated workflow fields through log files and the web UI, potentially compromising networkinfrastructureand sensitive data pipelines. The first vulnerability affects Apache Airflow versions before 3.1.6 and stems from…
-
The culture you can’t see is running your security operations
Tags: apache, breach, business, compliance, control, credentials, cyber, data, email, exploit, finance, firewall, flaw, identity, intelligence, jobs, network, north-korea, phishing, risk, technology, threat, tool, training, update, vulnerabilityNon-observable culture: The hidden drivers: Now we get interesting.Non-observable culture is everything happening inside people’s heads. Their beliefs about cyber risk. Their attitudes toward security. Their values and priorities when security conflicts with convenience or speed.This is where the real decisions get made.You can’t see someone’s belief that “we’re too small to be targeted” or…
-
Years-Old Vulnerable Apache Struts 2 Versions See 387K Weekly Downloads
Over 387,000 users downloaded vulnerable Apache Struts versions this week. Exclusive Sonatype research reveals a high-risk flaw found by AI. Is your system at risk? First seen on hackread.com Jump to article: hackread.com/years-old-vulnerable-apache-struts-2-downloads/
-
Apache Struts External Entity (XXE) Injection Vulnerability S2-069 (CVE-2025-68493)
Overview Recently, NSFOCUS CERT detected that Apache issued a security bulletin to fix the Apache Struts external entity (XXE) injection vulnerability S2-069 (CVE-2025-68493); Because the XWork component of Apache Struts does not perform effective validation when parsing XML configuration, attackers can inject external entities by constructing malicious XML data to read sensitive server files, perform…The…
-
Critical Apache Struts 2 Flaw Could Let Attackers Steal Sensitive Data
A newly disclosed vulnerability in Apache Struts 2’s XWork component could expose sensitive data and open the door to denial”‘of”‘service and server”‘side request forgery (SSRF) attacks if left unpatched. The flaw, tracked as CVE-2025-68493, is rated Important and affects a wide range of Struts 2 versions, putting many Java web applications at risk. Field Details CVE ID CVE-2025-68493…
-
Apache NuttX Flaw Allows Attackers to Crash Embedded Systems
The Apache Software Foundation has released a security advisory addressing a memory corruption vulnerability in the Apache NuttX Real-Time Operating System (RTOS). Tracked as CVE-2025-48769, this flaw affects widely used embedded systems and could allow attackers to destabilize devices or manipulate files. The vulnerability stems from a >>Use After Free
-
Apache StreamPipes Flaw Lets Anyone Become Admin
A critical Apache StreamPipes vulnerability lets users hijack admin accounts via broken authentication. The post Apache StreamPipes Flaw Lets Anyone Become Admin appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-apache-streampipes-flaw-lets-anyone-become-admin/
-
Critical Apache StreamPipes Flaw Allows Attackers to Take Over Admin Accounts
Apache StreamPipes has released an urgent security advisory addressing CVE-2025-47411, a critical privilege escalation vulnerability affecting versions 0.69.0 through 0.97.0. The flaw allows attackers with legitimate non-administrator accounts to exploit the user ID creation mechanism and hijack administrator credentials, gaining full control over the streaming data platform. The Vulnerability The vulnerability stems from improper handling…
-
Docker Releases Free, Production-Grade Hardened Container Images
Docker has released its production-grade hardened container images as a free, open-source offering, marking a significant shift in software supply chain security accessibility. The Docker Hardened Images (DHI), previously a commercial product, are now available under an Apache 2.0 license to all 26 million developers in the container ecosystem. The hardened images address the escalating…
-
Docker Hardened Images now open source and available for free
More than a 1,000 Docker Hardened Images (DHI) are now freely available and open source for software builders, under the Apache 2.0 license. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/docker-hardened-images-now-open-source-and-available-for-free/
-
Apache Log4j Flaw Enables Interception of Sensitive Logging Data
The Apache Software Foundation has released a critical security update for its widely used Log4j logging library. A newly discovered vulnerability, tracked as CVE-2025-68161, allows attackers to intercept or redirect sensitive log data by exploiting a flaw in how the software establishes secure connections. The issue specifically affects the >>Socket Appender
-
Critical Apache Commons Text Flaw Lets Hackers Execute Remote Code
A critical remote code execution vulnerability has been discovered in Apache Commons Text, affecting all versions prior to 1.10.0. The flaw, tracked as CVE-2025-46295, poses a significant security risk to organizations relying on the widely-used Java library for text manipulation and processing. The vulnerability resides in Apache Commons Text’s interpolation features, which are designed to…
-
Critical Apache Commons Text Flaw Lets Hackers Execute Remote Code
A critical remote code execution vulnerability has been discovered in Apache Commons Text, affecting all versions prior to 1.10.0. The flaw, tracked as CVE-2025-46295, poses a significant security risk to organizations relying on the widely-used Java library for text manipulation and processing. The vulnerability resides in Apache Commons Text’s interpolation features, which are designed to…
-
Atlassian fixed maximum severity flaw CVE-2025-66516 in Apache Tika
Atlassian released security updates to address dozens of flaws, including multiple critical-severity vulnerabilities. Atlassian addressed dozens of vulnerabilities impacting its products, including multiple critical-severity issues. One of the most severe bugs is a maximum-severity XML External Entity (XXE) injection flaw, tracked as CVE-2025-66516 (CVSS score of 10/10), in Apache Tika. CVE-2025-66516 carries a maximum CVSS rating…