Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2020-05-20 CVE-2020-9484 Deserialization of Untrusted Data vulnerability in multiple products
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
7.0
2020-05-14 CVE-2020-11971 Apache Camel's JMX is vulnerable to Rebind Flaw.
network
low complexity
apache oracle
7.5
2020-04-30 CVE-2019-12425 Injection vulnerability in Apache Ofbiz 17.12.01
Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host
network
low complexity
apache CWE-74
7.5
2020-04-30 CVE-2019-0235 Cross-Site Request Forgery (CSRF) vulnerability in Apache Ofbiz 17.12.01
Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks.
network
low complexity
apache CWE-352
8.8
2020-04-27 CVE-2020-9481 Resource Exhaustion vulnerability in multiple products
Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.
network
low complexity
apache debian CWE-400
7.5
2020-03-30 CVE-2019-17561 Improper Verification of Cryptographic Signature vulnerability in multiple products
The "Apache NetBeans" autoupdate system does not fully validate code signatures.
network
low complexity
apache oracle CWE-347
7.5
2020-03-16 CVE-2019-10091 Improper Certificate Validation vulnerability in Apache Geode 1.9.0
When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake.
network
high complexity
apache CWE-295
7.4
2020-02-24 CVE-2020-1937 SQL Injection vulnerability in Apache Kylin
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.
network
low complexity
apache CWE-89
8.8
2020-02-11 CVE-2020-1942 Information Exposure Through Log Files vulnerability in Apache Nifi
In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values.
network
low complexity
apache CWE-532
7.5
2020-02-11 CVE-2020-5529 Improper Initialization vulnerability in multiple products
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities.
network
high complexity
htmlunit debian canonical apache CWE-665
8.1