Vulnerabilities > Apache > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-11-14 | CVE-2017-12635 | Improper Privilege Management vulnerability in Apache Couchdb Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. | 9.8 |
| 2017-10-30 | CVE-2014-0073 | Permissions, Privileges, and Access Controls vulnerability in Apache Cordova and Cordova In-App-Browser The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI. | 9.8 |
| 2017-10-30 | CVE-2013-4366 | Improper Input Validation vulnerability in Apache Httpclient 4.3 http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification. | 9.8 |
| 2017-10-30 | CVE-2012-4449 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apache Hadoop Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. | 9.8 |
| 2017-10-30 | CVE-2015-3249 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apache Traffic Server 5.3.0 The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function. | 9.8 |
| 2017-10-30 | CVE-2014-3624 | Improper Access Control vulnerability in Apache Traffic Server 5.1.0 Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. | 9.8 |
| 2017-10-27 | CVE-2014-3600 | XXE vulnerability in Apache Activemq XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. | 9.8 |
| 2017-10-27 | CVE-2014-3579 | XXE vulnerability in Apache Activemq Apollo XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. | 9.8 |
| 2017-10-27 | CVE-2016-5003 | Deserialization of Untrusted Data vulnerability in Apache Ws-Xmlrpc 3.1.3 The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | 9.8 |
| 2017-10-26 | CVE-2012-1622 | Unspecified vulnerability in Apache Ofbiz 10.04 Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. | 9.8 |