Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2017-06-20 CVE-2017-3167 Improper Authentication vulnerability in multiple products
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
network
low complexity
apache netapp redhat apple debian oracle CWE-287
critical
9.8
2017-06-14 CVE-2017-7676 Improper Input Validation vulnerability in Apache Ranger
Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt.
network
low complexity
apache CWE-20
critical
9.8
2017-04-17 CVE-2017-5645 Deserialization of Untrusted Data vulnerability in multiple products
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
network
low complexity
apache netapp redhat oracle CWE-502
critical
9.8
2017-04-17 CVE-2017-5651 Unspecified vulnerability in Apache Tomcat
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing.
network
low complexity
apache
critical
9.8
2017-04-17 CVE-2017-5648 Exposure of Resource to Wrong Sphere vulnerability in Apache Tomcat
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object.
network
low complexity
apache CWE-668
critical
9.1
2017-04-12 CVE-2016-6808 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apache Tomcat JK Connector
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42.
network
low complexity
apache CWE-119
critical
9.8
2017-04-11 CVE-2016-0779 Deserialization of Untrusted Data vulnerability in Apache Tomee
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.
network
low complexity
apache CWE-502
critical
9.8
2017-04-06 CVE-2016-8735 Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports.
network
low complexity
apache canonical netapp debian redhat oracle
critical
9.8
2017-04-06 CVE-2016-6809 Deserialization of Untrusted Data vulnerability in Apache Nutch and Tika
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files.
network
low complexity
apache CWE-502
critical
9.8
2017-04-03 CVE-2017-5642 Incorrect Default Permissions vulnerability in Apache Ambari 2.4.0/2.4.1/2.4.2
During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs.
network
low complexity
apache CWE-276
critical
9.8