Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2017-09-19 CVE-2017-12615 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g.
network
high complexity
apache netapp redhat CWE-434
8.1
2017-09-18 CVE-2017-9803 Improper Authentication vulnerability in Apache Solr
Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application.
network
high complexity
apache CWE-287
7.5
2017-09-18 CVE-2017-9798 Use After Free vulnerability in multiple products
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed.
network
low complexity
apache debian CWE-416
7.5
2017-09-15 CVE-2014-7808 Cryptographic Issues vulnerability in Apache Wicket
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.
network
low complexity
apache CWE-310
7.5
2017-09-15 CVE-2017-9805 Deserialization of Untrusted Data vulnerability in multiple products
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
network
high complexity
apache cisco netapp CWE-502
8.1
2017-09-13 CVE-2017-12612 Deserialization of Untrusted Data vulnerability in Apache Spark
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket.
local
low complexity
apache CWE-502
7.8
2017-09-13 CVE-2016-8744 Deserialization of Untrusted Data vulnerability in Apache Brooklyn
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs.
network
low complexity
apache CWE-502
8.8
2017-09-13 CVE-2016-8737 Cross-Site Request Forgery (CSRF) vulnerability in Apache Brooklyn
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user.
network
low complexity
apache CWE-352
8.8
2017-09-07 CVE-2015-3250 Information Exposure vulnerability in Apache Directory Ldap API 1.0.0
Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct timing attacks via unspecified vectors.
network
low complexity
apache CWE-200
7.5
2017-08-30 CVE-2016-4462 Improper Input Validation vulnerability in Apache Ofbiz
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution.
network
low complexity
apache CWE-20
8.8