Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2018-01-29 CVE-2017-12626 Infinite Loop vulnerability in Apache POI
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
network
low complexity
apache CWE-835
7.5
2018-01-23 CVE-2017-12632 Improper Input Validation vulnerability in Apache Nifi
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server.
network
low complexity
apache CWE-20
7.5
2018-01-18 CVE-2017-3158 Race Condition vulnerability in Apache Guacamole
A race condition in Guacamole's terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data to overlap.
network
high complexity
apache CWE-362
8.1
2018-01-10 CVE-2017-9795 Information Exposure vulnerability in Apache Geode
When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions.
network
high complexity
apache CWE-200
7.5
2018-01-10 CVE-2017-12622 Information Exposure vulnerability in Apache Geode
When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges.
network
low complexity
apache CWE-200
7.1
2018-01-09 CVE-2012-3353 Information Exposure vulnerability in Apache Sling JCR Contentloader 2.1.4
The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks.
network
low complexity
apache CWE-200
7.5
2017-12-18 CVE-2017-15700 Information Exposure vulnerability in Apache Sling Authentication Service 1.4.0
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials.
network
low complexity
apache CWE-200
8.8
2017-12-14 CVE-2017-5663 SQL Injection vulnerability in Apache Fineract 0.4.0Incubating/0.5.0Incubating/0.6.0Incubating
In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries.
network
low complexity
apache CWE-89
8.8
2017-12-01 CVE-2017-15701 Resource Exhaustion vulnerability in Apache Qpid Broker-J
In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames.
network
low complexity
apache CWE-400
7.5
2017-11-30 CVE-2017-12631 Cross-Site Request Forgery (CSRF) vulnerability in Apache CXF Fediz
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications.
network
low complexity
apache CWE-352
8.8