Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-10-10 | CVE-2014-0030 | XXE vulnerability in Apache Roller The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | 9.8 |
| 2017-10-04 | CVE-2017-9792 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Impala 2.8.0/2.9.0 In Apache Impala (incubating) before 2.10.0, a malicious user with "ALTER" permissions on an Impala table can access any other Kudu table data by altering the table properties to make it "external" and then changing the underlying table mapping to point to other Kudu tables. | 6.5 |
| 2017-10-04 | CVE-2017-12617 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. | 8.1 |
| 2017-10-03 | CVE-2017-9797 | Information Exposure vulnerability in Apache Geode When an Apache Geode cluster before v1.2.1 is operating in secure mode, an unauthenticated client can enter multi-user authentication mode and send metadata messages. | 6.5 |
| 2017-10-03 | CVE-2017-12620 | XXE vulnerability in Apache Opennlp When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. | 9.8 |
| 2017-10-03 | CVE-2016-6806 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Wicket Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. | 8.8 |
| 2017-10-03 | CVE-2014-0043 | Information Exposure vulnerability in Apache Wicket 1.5.10/6.13.0 In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use. | 5.3 |
| 2017-09-30 | CVE-2017-9794 | Information Exposure vulnerability in Apache Geode When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. | 4.3 |
| 2017-09-30 | CVE-2016-4434 | XXE vulnerability in Apache Tika 1.12 Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. | 7.8 |
| 2017-09-29 | CVE-2017-9790 | Use After Free vulnerability in Apache Mesos When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. | 7.5 |