Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2017-03-28 CVE-2016-8749 Deserialization of Untrusted Data vulnerability in Apache Camel
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
network
low complexity
apache CWE-502
critical
9.8
2017-03-11 CVE-2017-5638 Improper Handling of Exceptional Conditions vulnerability in multiple products
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
network
low complexity
apache ibm lenovo hp oracle arubanetworks netapp CWE-755
critical
9.8
2017-03-07 CVE-2017-3159 Deserialization of Untrusted Data vulnerability in Apache Camel
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability.
network
low complexity
apache CWE-502
critical
9.8
2017-01-13 CVE-2015-3188 Permissions, Privileges, and Access Controls vulnerability in Apache Storm 0.10.0
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors.
network
low complexity
apache CWE-264
critical
9.8
2016-10-25 CVE-2016-1000031 Improper Access Control vulnerability in Apache Commons Fileupload
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
network
low complexity
apache CWE-284
critical
9.8
2016-10-03 CVE-2015-1832 XXE vulnerability in Apache Derby
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
network
low complexity
apache CWE-611
critical
9.1
2016-10-03 CVE-2016-5019 Deserialization of Untrusted Data vulnerability in Apache Myfaces Trinidad
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
network
low complexity
apache CWE-502
critical
9.8
2016-10-03 CVE-2016-4436 Unspecified vulnerability in Apache Struts
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
network
low complexity
apache
critical
9.8
2016-09-21 CVE-2016-4464 Improper Access Control vulnerability in Apache CXF Fediz
The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.
network
low complexity
apache CWE-284
critical
9.8
2016-07-04 CVE-2016-4438 Improper Input Validation vulnerability in Apache Struts
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
network
low complexity
apache CWE-20
critical
9.8