Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-04-27 CVE-2020-1952 Improper Certificate Validation vulnerability in Apache Iotdb
An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2.
network
low complexity
apache CWE-295
critical
9.8
2020-04-16 CVE-2020-1964 Deserialization of Untrusted Data vulnerability in Apache Heron 0.20.0Incubating/0.20.1Incubating/0.20.2Incubating
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).
network
low complexity
apache CWE-502
critical
9.8
2020-04-01 CVE-2019-17564 Deserialization of Untrusted Data vulnerability in Apache Dubbo
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled.
network
low complexity
apache CWE-502
critical
9.8
2020-03-30 CVE-2019-17560 Improper Certificate Validation vulnerability in multiple products
The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads.
network
low complexity
apache oracle CWE-295
critical
9.1
2020-03-25 CVE-2020-1957 Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
network
low complexity
apache debian
critical
9.8
2020-03-23 CVE-2020-1944 HTTP Request Smuggling vulnerability in multiple products
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers.
network
low complexity
apache debian CWE-444
critical
9.8
2020-03-23 CVE-2019-17565 HTTP Request Smuggling vulnerability in multiple products
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding.
network
low complexity
apache debian CWE-444
critical
9.8
2020-03-23 CVE-2019-17559 HTTP Request Smuggling vulnerability in multiple products
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing.
network
low complexity
apache debian CWE-444
critical
9.8
2020-03-13 CVE-2020-1953 Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements.
network
low complexity
apache oracle
critical
10.0
2020-03-11 CVE-2020-1947 Deserialization of Untrusted Data vulnerability in Apache Shardingsphere 4.0.0
In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration.
network
low complexity
apache CWE-502
critical
9.8