Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2021-03-25 CVE-2020-1946 OS Command Injection vulnerability in multiple products
In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors.
network
low complexity
apache debian fedoraproject CWE-78
critical
9.8
2021-03-22 CVE-2021-26295 Deserialization of Untrusted Data vulnerability in Apache Ofbiz
Apache OFBiz has unsafe deserialization prior to 17.12.06.
network
low complexity
apache CWE-502
critical
9.8
2021-02-03 CVE-2020-17523 Improper Authentication vulnerability in Apache Shiro
In Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
network
low complexity
apache CWE-287
critical
9.8
2021-01-25 CVE-2021-23901 XXE vulnerability in multiple products
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18.
network
low complexity
apache netapp CWE-611
critical
9.1
2021-01-14 CVE-2021-23926 XML Entity Expansion vulnerability in multiple products
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input.
network
low complexity
apache netapp debian oracle CWE-776
critical
9.1
2021-01-11 CVE-2020-11995 Deserialization of Untrusted Data vulnerability in Apache Dubbo
A deserialization vulnerability existed in Dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution.
network
low complexity
apache CWE-502
critical
9.8
2020-12-18 CVE-2020-11974 Unspecified vulnerability in Apache Dolphinscheduler 1.2.0/1.2.1
In DolphinScheduler 1.2.0 and 1.2.1, with MySQL Connector/J, a remote code execution vulnerability exists when choosing MySQL as the database.
network
low complexity
apache
critical
9.8
2020-12-18 CVE-2020-13931 Unspecified vulnerability in Apache Tomee
If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication.
network
low complexity
apache
critical
9.8
2020-12-11 CVE-2020-17530 Expression Language Injection vulnerability in multiple products
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
network
low complexity
apache oracle CWE-917
critical
9.8
2020-12-09 CVE-2020-17529 Out-of-bounds Write vulnerability in Apache Nuttx
Out-of-bounds Write vulnerability in the TCP stack of Apache NuttX (incubating) versions up to and including 9.1.0 and 10.0.0 allows an attacker to corrupt memory by supplying an invalid fragmentation offset value specified in the IP header.
network
low complexity
apache CWE-787
critical
9.8