Vulnerabilities > Apache > Critical
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-03-02 | CVE-2019-14892 | Deserialization of Untrusted Data vulnerability in multiple products A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. | 9.8 |
2020-02-24 | CVE-2020-1938 | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. | 9.8 |
2020-02-18 | CVE-2014-4651 | Improper Input Validation vulnerability in Apache Jclouds 1.7.3 It was found that the jclouds scriptbuilder Statements class wrote a temporary file to a predictable location. | 9.8 |
2020-01-29 | CVE-2019-20445 | HTTP Request Smuggling vulnerability in multiple products HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. | 9.1 |
2020-01-23 | CVE-2019-17570 | Deserialization of Untrusted Data vulnerability in multiple products An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. | 9.8 |
2020-01-14 | CVE-2019-0219 | A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI. | 9.8 |
2020-01-04 | CVE-2020-5499 | Unspecified vulnerability in Apache Rust SGX SDK Baidu Rust SGX SDK through 1.0.8 has an enclave ID race. | 9.8 |
2020-01-02 | CVE-2014-0048 | Improper Input Validation vulnerability in multiple products An issue was found in Docker before 1.6.0. | 9.8 |
2019-12-20 | CVE-2019-17571 | Deserialization of Untrusted Data vulnerability in multiple products Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. | 9.8 |
2019-12-04 | CVE-2019-17556 | Deserialization of Untrusted Data vulnerability in Apache Olingo Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. | 9.8 |