Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2017-03-20 CVE-2016-6816 Improper Input Validation vulnerability in Apache Tomcat
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters.
network
low complexity
apache CWE-20
7.1
2017-03-16 CVE-2017-5643 Server-Side Request Forgery (SSRF) vulnerability in Apache Camel
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
network
low complexity
apache CWE-918
7.4
2017-03-14 CVE-2016-8747 Information Exposure vulnerability in Apache Tomcat
An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations.
network
low complexity
apache CWE-200
7.5
2017-01-18 CVE-2016-6497 7PK - Security Features vulnerability in Apache Groovy Ldap
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.
network
low complexity
apache CWE-254
7.5
2016-12-05 CVE-2016-8740 Resource Management Errors vulnerability in Apache Http Server
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.
network
low complexity
apache CWE-399
7.5
2016-11-29 CVE-2016-5393 Improper Access Control vulnerability in Apache Hadoop
In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.
network
low complexity
apache CWE-284
8.8
2016-10-13 CVE-2016-6325 Permissions, Privileges, and Access Controls vulnerability in Apache Tomcat
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
local
low complexity
apache CWE-264
7.8
2016-10-13 CVE-2016-5425 Incorrect Default Permissions vulnerability in Apache Tomcat
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
local
low complexity
apache CWE-276
7.8
2016-10-03 CVE-2016-1240 Improper Input Validation vulnerability in Apache Tomcat 6.0/7.0/8.0
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.
local
low complexity
apache CWE-20
7.8
2016-09-27 CVE-2016-4978 Deserialization of Untrusted Data vulnerability in multiple products
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
network
low complexity
apache redhat CWE-502
7.2