Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2019-01-23 CVE-2017-17836 Credentials Management vulnerability in Apache Airflow
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow.
network
low complexity
apache CWE-255
critical
9.8
2019-01-07 CVE-2018-11788 XXE vulnerability in Apache Karaf
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder.
network
low complexity
apache CWE-611
critical
9.8
2018-12-31 CVE-2018-17191 Unspecified vulnerability in Apache Netbeans 9.0
Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration (PAC) interpretation is vulnerable for remote command execution (RCE).
network
low complexity
apache
critical
9.8
2018-11-19 CVE-2018-17190 Unspecified vulnerability in Apache Spark
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts.
network
low complexity
apache
critical
9.8
2018-11-07 CVE-2018-8021 Deserialization of Untrusted Data vulnerability in Apache Superset
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution.
network
low complexity
apache CWE-502
critical
9.8
2018-10-24 CVE-2018-11792 Incorrect Permission Assignment for Critical Resource vulnerability in Apache Impala
In Apache Impala before 3.0.1, ALTER TABLE/VIEW RENAME required ALTER on the old table.
network
low complexity
apache CWE-732
critical
9.8
2018-09-17 CVE-2018-11780 Code Injection vulnerability in multiple products
A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
network
low complexity
apache pdfinfo-project debian canonical CWE-94
critical
9.8
2018-08-26 CVE-2011-2767 Code Injection vulnerability in multiple products
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
network
low complexity
apache debian redhat canonical CWE-94
critical
9.8
2018-07-31 CVE-2018-8027 XXE vulnerability in Apache Camel
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.
network
low complexity
apache CWE-611
critical
9.8
2018-07-23 CVE-2018-11757 Unspecified vulnerability in Apache Openwhisk
In Docker Skeleton Runtime for Apache OpenWhisk, a Docker action inheriting the Docker tag openwhisk/dockerskeleton:1.3.0 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation.
network
low complexity
apache
critical
9.8