Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-03-02 CVE-2019-14892 Deserialization of Untrusted Data vulnerability in multiple products
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes.
network
low complexity
fasterxml redhat apache CWE-502
critical
9.8
2020-02-24 CVE-2020-1938 When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat.
network
low complexity
apache fedoraproject oracle debian opensuse blackberry netapp
critical
9.8
2020-02-18 CVE-2014-4651 Improper Input Validation vulnerability in Apache Jclouds 1.7.3
It was found that the jclouds scriptbuilder Statements class wrote a temporary file to a predictable location.
network
low complexity
apache CWE-20
critical
9.8
2020-01-29 CVE-2019-20445 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
network
low complexity
netty debian fedoraproject canonical redhat apache CWE-444
critical
9.1
2020-01-23 CVE-2019-17570 Deserialization of Untrusted Data vulnerability in multiple products
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library.
network
low complexity
apache debian canonical fedoraproject redhat CWE-502
critical
9.8
2020-01-14 CVE-2019-0219 A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.
network
low complexity
apache oracle
critical
9.8
2020-01-04 CVE-2020-5499 Unspecified vulnerability in Apache Rust SGX SDK
Baidu Rust SGX SDK through 1.0.8 has an enclave ID race.
network
low complexity
apache
critical
9.8
2020-01-02 CVE-2014-0048 Improper Input Validation vulnerability in multiple products
An issue was found in Docker before 1.6.0.
network
low complexity
docker apache CWE-20
critical
9.8
2019-12-20 CVE-2019-17571 Deserialization of Untrusted Data vulnerability in multiple products
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
network
low complexity
apache debian canonical opensuse netapp oracle CWE-502
critical
9.8
2019-12-04 CVE-2019-17556 Deserialization of Untrusted Data vulnerability in Apache Olingo
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized.
network
low complexity
apache CWE-502
critical
9.8