Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2016-07-08 CVE-2016-4463 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.
network
low complexity
apache debian CWE-119
7.5
2016-07-06 CVE-2016-4979 Improper Access Control vulnerability in Apache Http Server 2.4.18/2.4.19/2.4.20
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
network
low complexity
apache CWE-284
7.5
2016-07-04 CVE-2016-4433 Improper Input Validation vulnerability in Apache Struts
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.
network
low complexity
apache CWE-20
7.5
2016-07-04 CVE-2016-4431 Improper Input Validation vulnerability in Apache Struts
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.
network
low complexity
apache CWE-20
7.5
2016-07-04 CVE-2016-4430 Cross-Site Request Forgery (CSRF) vulnerability in Apache Struts
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
network
low complexity
apache CWE-352
8.8
2016-07-04 CVE-2016-3092 Improper Input Validation vulnerability in multiple products
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
network
low complexity
hp apache debian canonical CWE-20
7.5
2016-07-04 CVE-2016-1182 Improper Input Validation vulnerability in Apache Struts
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
network
low complexity
apache CWE-20
8.2
2016-07-04 CVE-2016-1181 ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
network
high complexity
oracle apache
8.1
2016-07-04 CVE-2015-0899 Improper Input Validation vulnerability in Apache Struts
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
network
low complexity
apache CWE-20
7.5
2016-06-13 CVE-2016-2174 SQL Injection vulnerability in Apache Ranger 0.5.0/0.5.1/0.5.2
SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime.
network
low complexity
apache CWE-89
7.2