Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-01-25 | CVE-2017-15703 | Deserialization of Untrusted Data vulnerability in Apache Nifi Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. | 5.0 |
| 2018-01-24 | CVE-2017-15718 | Unspecified vulnerability in Apache Hadoop 2.7.3/2.7.4 The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications. | 9.8 |
| 2018-01-23 | CVE-2017-15697 | Improper Input Validation vulnerability in Apache Nifi A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. | 9.8 |
| 2018-01-23 | CVE-2017-12632 | Improper Input Validation vulnerability in Apache Nifi A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. | 7.5 |
| 2018-01-19 | CVE-2017-15713 | Information Exposure vulnerability in Apache Hadoop Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. | 6.5 |
| 2018-01-18 | CVE-2017-3158 | Race Condition vulnerability in Apache Guacamole A race condition in Guacamole's terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data to overlap. | 8.1 |
| 2018-01-18 | CVE-2016-6814 | Deserialization of Untrusted Data vulnerability in multiple products When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. | 9.8 |
| 2018-01-10 | CVE-2016-6810 | Cross-site Scripting vulnerability in Apache Activemq In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. | 6.1 |
| 2018-01-10 | CVE-2017-15717 | Cross-site Scripting vulnerability in Apache products A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. | 6.1 |
| 2018-01-10 | CVE-2017-9796 | Information Exposure vulnerability in Apache Geode When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions. | 5.3 |