Vulnerabilities > Apache > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-04-01 | CVE-2019-17564 | Deserialization of Untrusted Data vulnerability in Apache Dubbo Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. | 9.8 |
| 2020-03-30 | CVE-2019-17560 | Improper Certificate Validation vulnerability in multiple products The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. | 9.1 |
| 2020-03-25 | CVE-2020-1957 | Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | 9.8 |
| 2020-03-23 | CVE-2020-1944 | HTTP Request Smuggling vulnerability in multiple products There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers. | 9.8 |
| 2020-03-23 | CVE-2019-17565 | HTTP Request Smuggling vulnerability in multiple products There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding. | 9.8 |
| 2020-03-23 | CVE-2019-17559 | HTTP Request Smuggling vulnerability in multiple products There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing. | 9.8 |
| 2020-03-13 | CVE-2020-1953 | Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. | 10.0 |
| 2020-03-11 | CVE-2020-1947 | Deserialization of Untrusted Data vulnerability in Apache Shardingsphere 4.0.0 In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. | 9.8 |
| 2020-03-02 | CVE-2019-14892 | Deserialization of Untrusted Data vulnerability in multiple products A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. | 9.8 |
| 2020-02-24 | CVE-2020-1938 | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. | 9.8 |