Vulnerabilities > Apache > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-11-01 | CVE-2011-3923 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. | 9.8 |
| 2019-10-15 | CVE-2019-17195 | Improper Handling of Exceptional Conditions vulnerability in multiple products Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. | 9.8 |
| 2019-09-26 | CVE-2019-10082 | Use After Free vulnerability in multiple products In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. | 9.1 |
| 2019-09-16 | CVE-2019-10071 | Information Exposure Through Discrepancy vulnerability in Apache Tapestry 5.4.0 The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. | 9.8 |
| 2019-09-16 | CVE-2019-0195 | Deserialization of Untrusted Data vulnerability in Apache Tapestry 5.4.0 Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. | 9.8 |
| 2019-09-11 | CVE-2019-10074 | Improper Encoding or Escaping of Output vulnerability in Apache Ofbiz An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. | 9.8 |
| 2019-09-11 | CVE-2019-0189 | Deserialization of Untrusted Data vulnerability in Apache Ofbiz The java.io.ObjectInputStream is known to cause Java serialisation issues. | 9.8 |
| 2019-09-11 | CVE-2018-17200 | Unspecified vulnerability in Apache Ofbiz The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. | 9.8 |
| 2019-09-09 | CVE-2019-12405 | Improper Authentication vulnerability in Apache Traffic Control 3.0.0/3.0.1 Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. | 9.8 |
| 2019-07-29 | CVE-2018-11773 | Improper Input Validation vulnerability in Apache Virtual Computing LAB Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. | 9.8 |