Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2019-11-18 CVE-2019-12409 Unrestricted Upload of File with Dangerous Type vulnerability in Apache Solr 8.1.1/8.2.0
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr.
network
low complexity
apache CWE-434
critical
9.8
2019-11-06 CVE-2019-12419 Incorrect Authorization vulnerability in multiple products
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service.
network
low complexity
apache oracle CWE-863
critical
9.8
2019-11-01 CVE-2011-3923 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
network
low complexity
apache redhat CWE-732
critical
9.8
2019-10-15 CVE-2019-17195 Improper Handling of Exceptional Conditions vulnerability in multiple products
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
network
low complexity
connect2id apache oracle CWE-755
critical
9.8
2019-09-26 CVE-2019-10082 Use After Free vulnerability in multiple products
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.
network
low complexity
apache oracle CWE-416
critical
9.1
2019-09-16 CVE-2019-10071 Information Exposure Through Discrepancy vulnerability in Apache Tapestry 5.4.0
The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures.
network
low complexity
apache CWE-203
critical
9.8
2019-09-16 CVE-2019-0195 Deserialization of Untrusted Data vulnerability in Apache Tapestry 5.4.0
Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded.
network
low complexity
apache CWE-502
critical
9.8
2019-09-11 CVE-2019-10074 Improper Encoding or Escaping of Output vulnerability in Apache Ofbiz
An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field.
network
low complexity
apache CWE-116
critical
9.8
2019-09-11 CVE-2019-0189 Deserialization of Untrusted Data vulnerability in Apache Ofbiz
The java.io.ObjectInputStream is known to cause Java serialisation issues.
network
low complexity
apache CWE-502
critical
9.8
2019-09-11 CVE-2018-17200 Unspecified vulnerability in Apache Ofbiz
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint.
network
low complexity
apache
critical
9.8