Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2017-10-16 CVE-2016-4461 Improper Input Validation vulnerability in multiple products
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
network
low complexity
apache netapp CWE-20
8.8
2017-10-10 CVE-2017-5637 Missing Authentication for Critical Function vulnerability in multiple products
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests.
network
low complexity
apache debian CWE-306
7.5
2017-10-04 CVE-2017-12617 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g.
network
high complexity
apache canonical oracle debian netapp redhat CWE-434
8.1
2017-10-03 CVE-2016-6806 Cross-Site Request Forgery (CSRF) vulnerability in Apache Wicket
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests.
network
low complexity
apache CWE-352
8.8
2017-09-30 CVE-2016-4434 XXE vulnerability in Apache Tika 1.12
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
local
low complexity
apache CWE-611
7.8
2017-09-29 CVE-2017-9790 Use After Free vulnerability in Apache Mesos
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'.
network
low complexity
apache CWE-416
7.5
2017-09-29 CVE-2017-7687 Unspecified vulnerability in Apache Mesos
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function.
network
low complexity
apache
7.5
2017-09-20 CVE-2017-9804 Improper Input Validation vulnerability in Apache Struts
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
network
low complexity
apache CWE-20
7.5
2017-09-20 CVE-2017-9793 Improper Input Validation vulnerability in Apache Struts
The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.
network
low complexity
apache CWE-20
7.5
2017-09-19 CVE-2017-12616 Information Exposure vulnerability in Apache Tomcat
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
network
low complexity
apache CWE-200
7.5