Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2017-10-30 CVE-2016-3090 Improper Input Validation vulnerability in Apache Struts
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.
network
low complexity
apache CWE-20
8.8
2017-10-30 CVE-2015-0226 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apache Wss4J
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages.
network
low complexity
apache CWE-327
7.5
2017-10-30 CVE-2015-0224 Data Processing Errors vulnerability in Apache Qpid
qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set.
network
low complexity
apache CWE-19
7.5
2017-10-30 CVE-2014-3526 Information Exposure vulnerability in Apache Wicket
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
network
low complexity
apache CWE-200
7.5
2017-10-30 CVE-2013-4246 Improper Access Control vulnerability in Apache Subversion 1.8.0/1.8.1
libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties.
network
low complexity
apache CWE-284
8.8
2017-10-27 CVE-2016-5002 XXE vulnerability in Apache Xml-Rpc 3.1.3
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
local
low complexity
apache CWE-611
7.8
2017-10-24 CVE-2017-12613 Out-of-bounds Read vulnerability in multiple products
When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
local
low complexity
apache debian redhat CWE-125
7.1
2017-10-23 CVE-2010-2232 Improper Access Control vulnerability in Apache Derby
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file.
network
low complexity
apache CWE-284
7.5
2017-10-20 CVE-2017-12628 Deserialization of Untrusted Data vulnerability in Apache James Server 2.3.2/2.3.2.1/3.0.0
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands.
local
low complexity
apache CWE-502
7.8
2017-10-19 CVE-2017-5635 Improper Authentication vulnerability in Apache Nifi
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.
network
low complexity
apache CWE-287
7.5