Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2017-03-29 CVE-2014-3582 Code Injection vulnerability in Apache Ambari
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster.
network
low complexity
apache CWE-94
critical
9.8
2017-03-28 CVE-2016-6807 Improper Access Control vulnerability in Apache Ambari 2.4.0/2.4.1
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system.
network
low complexity
apache CWE-284
critical
9.8
2017-03-28 CVE-2016-8749 Deserialization of Untrusted Data vulnerability in Apache Camel
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
network
low complexity
apache CWE-502
critical
9.8
2017-03-11 CVE-2017-5638 Improper Handling of Exceptional Conditions vulnerability in multiple products
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
network
low complexity
apache ibm lenovo hp oracle arubanetworks netapp CWE-755
critical
9.8
2017-03-07 CVE-2017-3159 Deserialization of Untrusted Data vulnerability in Apache Camel
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability.
network
low complexity
apache CWE-502
critical
9.8
2017-01-13 CVE-2015-3188 Permissions, Privileges, and Access Controls vulnerability in Apache Storm 0.10.0
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors.
network
low complexity
apache CWE-264
critical
9.8
2016-10-25 CVE-2016-1000031 Improper Access Control vulnerability in Apache Commons Fileupload
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
network
low complexity
apache CWE-284
critical
9.8
2016-10-03 CVE-2015-1832 XXE vulnerability in Apache Derby
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
network
low complexity
apache CWE-611
critical
9.1
2016-10-03 CVE-2016-5019 Deserialization of Untrusted Data vulnerability in Apache Myfaces Trinidad
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
network
low complexity
apache CWE-502
critical
9.8
2016-10-03 CVE-2016-4436 Unspecified vulnerability in Apache Struts
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
network
low complexity
apache
critical
9.8