Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2017-04-18 CVE-2017-5661 XXE vulnerability in Apache Formatting Objects Processor
In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files.
network
low complexity
apache CWE-611
7.3
2017-04-17 CVE-2017-5659 Improper Input Validation vulnerability in Apache Traffic Server
Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding.
network
low complexity
apache CWE-20
7.5
2017-04-17 CVE-2016-5396 Resource Management Errors vulnerability in Apache Traffic Server
Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack.
network
low complexity
apache CWE-399
7.5
2017-04-17 CVE-2017-5650 Improper Resource Shutdown or Release vulnerability in Apache Tomcat
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data.
network
low complexity
apache CWE-404
7.5
2017-04-17 CVE-2017-5647 Information Exposure vulnerability in Apache Tomcat
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed.
network
low complexity
apache CWE-200
7.5
2017-04-13 CVE-2016-4970 Infinite Loop vulnerability in multiple products
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
network
low complexity
netty redhat apache CWE-835
7.5
2017-04-11 CVE-2016-6811 Permissions, Privileges, and Access Controls vulnerability in Apache Hadoop
In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
network
low complexity
apache CWE-264
8.8
2017-04-04 CVE-2017-5649 Information Exposure vulnerability in Apache Geode 1.0.0/1.1.0
Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.
network
low complexity
apache CWE-200
7.5
2017-03-23 CVE-2016-9775 Permissions, Privileges, and Access Controls vulnerability in multiple products
The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack.
local
low complexity
debian canonical apache CWE-264
7.8
2017-03-23 CVE-2016-9774 Link Following vulnerability in multiple products
The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to obtain sensitive information or gain root privileges via a symlink attack on the Catalina localhost directory.
local
low complexity
debian canonical apache CWE-59
7.8