Vulnerabilities > Apache

DATE CVE VULNERABILITY TITLE RISK
2017-10-26 CVE-2012-1622 Unspecified vulnerability in Apache Ofbiz 10.04
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.
network
low complexity
apache
critical
9.8
2017-10-24 CVE-2017-12618 Out-of-bounds Read vulnerability in Apache Portable Runtime Utility
Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by apr_sdbm*() functions, resulting in a possible out of bound read access.
local
high complexity
apache CWE-125
4.7
2017-10-24 CVE-2017-12613 Out-of-bounds Read vulnerability in multiple products
When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
local
low complexity
apache debian redhat CWE-125
7.1
2017-10-23 CVE-2010-2232 Improper Access Control vulnerability in Apache Derby
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file.
network
low complexity
apache CWE-284
7.5
2017-10-20 CVE-2017-12628 Deserialization of Untrusted Data vulnerability in Apache James Server 2.3.2/2.3.2.1/3.0.0
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands.
local
low complexity
apache CWE-502
7.8
2017-10-19 CVE-2017-5636 Injection vulnerability in Apache Nifi
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
network
low complexity
apache CWE-74
critical
9.8
2017-10-19 CVE-2017-5635 Improper Authentication vulnerability in Apache Nifi
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.
network
low complexity
apache CWE-287
7.5
2017-10-19 CVE-2016-8748 Cross-site Scripting vulnerability in Apache Nifi
In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user.
network
low complexity
apache CWE-79
5.4
2017-10-16 CVE-2016-4461 Improper Input Validation vulnerability in multiple products
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
network
low complexity
apache netapp CWE-20
8.8
2017-10-16 CVE-2016-8734 Resource Exhaustion vulnerability in multiple products
Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion.
network
low complexity
apache debian CWE-400
6.5