Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2020-08-07 CVE-2020-11993 HTTP Request Smuggling vulnerability in multiple products
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.
7.5
2020-07-17 CVE-2020-11978 OS Command Injection vulnerability in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below.
network
low complexity
apache CWE-78
8.8
2020-07-14 CVE-2020-13935 Infinite Loop vulnerability in multiple products
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104.
7.5
2020-07-14 CVE-2020-13934 Memory Leak vulnerability in multiple products
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2.
7.5
2020-07-08 CVE-2020-11994 Injection vulnerability in multiple products
Server-Side Template Injection and arbitrary file disclosure on Camel templating components
network
low complexity
apache oracle CWE-74
7.5
2020-06-30 CVE-2020-9483 SQL Injection vulnerability in Apache Skywalking
**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data.
network
low complexity
apache CWE-89
7.5
2020-06-29 CVE-2020-8022 A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root.
local
low complexity
apache opensuse
7.8
2020-06-26 CVE-2020-11996 A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds.
network
low complexity
apache canonical oracle opensuse debian netapp
7.5
2020-06-24 CVE-2020-9494 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.
network
low complexity
apache debian CWE-770
7.5
2020-05-22 CVE-2020-1956 OS Command Injection vulnerability in Apache Kylin
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.
network
low complexity
apache CWE-78
8.8