Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2018-07-23 CVE-2018-11756 Unspecified vulnerability in Apache Openwhisk 1.0.0
In PHP Runtime for Apache OpenWhisk, a Docker action inheriting one of the Docker tags openwhisk/action-php-v7.2:1.0.0 or openwhisk/action-php-v7.1:1.0.1 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation.
network
low complexity
apache
critical
9.8
2018-07-20 CVE-2018-8018 Deserialization of Untrusted Data vulnerability in Apache Ignite
In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath.
network
low complexity
apache CWE-502
critical
9.8
2018-07-10 CVE-2018-1337 Information Exposure vulnerability in Apache Directory Ldap API 1.0.0
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
network
low complexity
apache CWE-200
critical
9.8
2018-06-28 CVE-2018-8016 Missing Authentication for Critical Function vulnerability in Apache Cassandra
The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.
network
low complexity
apache CWE-306
critical
9.8
2018-05-24 CVE-2018-8013 Deserialization of Untrusted Data vulnerability in multiple products
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class.
network
low complexity
apache debian canonical oracle CWE-502
critical
9.8
2018-05-23 CVE-2018-1309 XXE vulnerability in Apache Nifi
Apache NiFi External XML Entity issue in SplitXML processor.
network
low complexity
apache CWE-611
critical
9.8
2018-05-16 CVE-2018-8014 Insecure Default Initialization of Resource vulnerability in multiple products
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins.
network
low complexity
apache canonical debian netapp CWE-1188
critical
9.8
2018-04-20 CVE-2018-1290 SQL Injection vulnerability in Apache Fineract
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection.
network
low complexity
apache CWE-89
critical
9.8
2018-04-11 CVE-2018-1273 Injection vulnerability in multiple products
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements.
network
low complexity
pivotal-software apache oracle CWE-74
critical
9.8
2018-04-05 CVE-2018-1282 SQL Injection vulnerability in Apache Hive
This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation.
network
low complexity
apache CWE-89
critical
9.1