Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2018-01-04 CVE-2017-15714 Injection vulnerability in Apache Ofbiz 16.11.01/16.11.02/16.11.03
The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed.
network
low complexity
apache CWE-74
critical
9.8
2017-12-28 CVE-2017-5641 Deserialization of Untrusted Data vulnerability in multiple products
Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default.
network
low complexity
apache hp CWE-502
critical
9.8
2017-12-11 CVE-2017-15708 Injection vulnerability in multiple products
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI).
network
low complexity
apache oracle CWE-74
critical
9.8
2017-12-01 CVE-2017-15702 Unspecified vulnerability in Apache Qpid Broker-J
In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remote unauthenticated attacker connecting to the HTTP port into using an authentication provider that was configured on a different port.
network
low complexity
apache
critical
9.8
2017-11-15 CVE-2017-12634 Deserialization of Untrusted Data vulnerability in Apache Camel
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability.
network
low complexity
apache CWE-502
critical
9.8
2017-11-15 CVE-2017-12633 Deserialization of Untrusted Data vulnerability in Apache Camel
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability.
network
low complexity
apache CWE-502
critical
9.8
2017-11-14 CVE-2017-12635 Improper Privilege Management vulnerability in Apache Couchdb
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users.
network
low complexity
apache CWE-269
critical
9.8
2017-10-30 CVE-2014-0073 Permissions, Privileges, and Access Controls vulnerability in Apache Cordova and Cordova In-App-Browser
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.
network
low complexity
apache CWE-264
critical
9.8
2017-10-30 CVE-2013-4366 Improper Input Validation vulnerability in Apache Httpclient 4.3
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.
network
low complexity
apache CWE-20
critical
9.8
2017-10-30 CVE-2012-4449 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apache Hadoop
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.
network
low complexity
apache CWE-327
critical
9.8