Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2016-02-03 CVE-2015-5344 Data Processing Errors vulnerability in Apache Camel
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
network
low complexity
apache CWE-19
critical
 9.8
9.8
2016-01-08 CVE-2015-5254 Improper Input Validation vulnerability in multiple products
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
network
low complexity
redhat apache fedoraproject CWE-20
critical
 9.8
9.8
2015-08-13 CVE-2015-3253 Injection vulnerability in multiple products
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
network
low complexity
apache oracle CWE-74
critical
 9.8
9.8
2013-07-20 CVE-2013-2251 Injection vulnerability in multiple products
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
network
low complexity
apache fujitsu oracle CWE-74
critical
 9.8
9.8
2010-08-19 CVE-2010-2076 Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache CXF
Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.
network
low complexity
apache CWE-829
critical
 9.8
9.8
2001-10-18 CVE-2001-0766 Improper Handling of Case Sensitivity vulnerability in Apache Http Server 1.3.14
Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.
network
low complexity
apache CWE-178
critical
 9.8
9.8