Vulnerabilities > Apache > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-05-13 | CVE-2016-2099 | Use-After-Free Remote Code Execution vulnerability in Apache Xerces Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document. | 10.0 |
| 2016-04-26 | CVE-2016-3082 | Improper Input Validation vulnerability in Apache Struts XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | 10.0 |
| 2016-04-26 | CVE-2016-3081 | Command Injection vulnerability in multiple products Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | 9.3 |
| 2016-04-12 | CVE-2016-0785 | Improper Input Validation vulnerability in Apache Struts Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. | 9.0 |
| 2016-04-12 | CVE-2016-2170 | Improper Input Validation vulnerability in Apache Ofbiz Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. | 9.8 |
| 2016-04-12 | CVE-2016-0733 | Improper Authentication vulnerability in Apache Ranger 0.4.0/0.4.1/0.5.0 The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid username. | 9.8 |
| 2016-02-03 | CVE-2015-5344 | Data Processing Errors vulnerability in Apache Camel The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. | 9.8 |
| 2016-01-08 | CVE-2015-5259 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apache Subversion 1.9.0/1.9.1/1.9.2 Integer overflow in the read_string function in libsvn_ra_svn/marshal.c in Apache Subversion 1.9.x before 1.9.3 allows remote attackers to execute arbitrary code via an svn:// protocol string, which triggers a heap-based buffer overflow and an out-of-bounds read. | 9.0 |
| 2016-01-08 | CVE-2015-5254 | Improper Input Validation vulnerability in multiple products Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. | 9.8 |
| 2015-08-13 | CVE-2015-3253 | Injection vulnerability in multiple products The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. | 9.8 |