Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2017-10-30 CVE-2015-3249 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apache Traffic Server 5.3.0
The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function.
network
low complexity
apache CWE-119
critical
9.8
2017-10-30 CVE-2014-3624 Improper Access Control vulnerability in Apache Traffic Server 5.1.0
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
network
low complexity
apache CWE-284
critical
9.8
2017-10-27 CVE-2014-3600 XXE vulnerability in Apache Activemq
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
network
low complexity
apache CWE-611
critical
9.8
2017-10-27 CVE-2014-3579 XXE vulnerability in Apache Activemq Apollo
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
network
low complexity
apache CWE-611
critical
9.8
2017-10-27 CVE-2016-5003 Deserialization of Untrusted Data vulnerability in Apache Ws-Xmlrpc 3.1.3
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
network
low complexity
apache CWE-502
critical
9.8
2017-10-26 CVE-2012-1622 Unspecified vulnerability in Apache Ofbiz 10.04
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.
network
low complexity
apache
critical
9.8
2017-10-19 CVE-2017-5636 Injection vulnerability in Apache Nifi
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
network
low complexity
apache CWE-74
critical
9.8
2017-10-14 CVE-2017-12629 XXE vulnerability in multiple products
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class.
network
low complexity
apache redhat debian canonical CWE-611
critical
9.8
2017-10-12 CVE-2016-8736 Deserialization of Untrusted Data vulnerability in Apache Openmeetings
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
network
low complexity
apache CWE-502
critical
9.8
2017-10-10 CVE-2014-0030 XXE vulnerability in Apache Roller
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
network
low complexity
apache CWE-611
critical
9.8