Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2017-10-03 CVE-2017-12620 XXE vulnerability in Apache Opennlp
When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources.
network
low complexity
apache CWE-611
critical
9.8
2017-09-28 CVE-2017-12621 XXE vulnerability in Apache Commons Jelly 1.0
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL.
network
low complexity
apache CWE-611
critical
9.8
2017-09-20 CVE-2017-12611 Improper Input Validation vulnerability in Apache Struts
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
network
low complexity
apache CWE-20
critical
9.8
2017-09-20 CVE-2016-6795 Path Traversal vulnerability in Apache Struts
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.
network
low complexity
apache CWE-22
critical
9.8
2017-09-13 CVE-2015-5206 Unspecified vulnerability in Apache Traffic Server 5.3.0/5.3.1
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5168.
network
low complexity
apache
critical
9.8
2017-09-13 CVE-2015-5168 Unspecified vulnerability in Apache Traffic Server 5.3.0/5.3.1
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5206.
network
low complexity
apache
critical
9.8
2017-09-05 CVE-2016-3086 Information Exposure vulnerability in Apache Hadoop
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.
network
low complexity
apache CWE-200
critical
9.8
2017-08-22 CVE-2016-4460 Improper Authentication vulnerability in Apache Pony Mail 0.6C/0.7B/0.8B
Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication.
network
low complexity
apache CWE-287
critical
9.8
2017-08-11 CVE-2017-9800 Improper Input Validation vulnerability in Apache Subversion
A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command.
network
low complexity
apache CWE-20
critical
9.8
2017-08-10 CVE-2016-5018 In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
network
low complexity
apache netapp canonical debian redhat oracle
critical
9.1