Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2016-06-07 CVE-2015-7611 OS Command Injection vulnerability in Apache James Server 2.3.2
Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.
network
high complexity
apache CWE-78
8.1
2016-06-01 CVE-2016-2175 Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
local
low complexity
apache debian
7.8
2016-04-26 CVE-2016-3081 Command Injection vulnerability in multiple products
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
network
high complexity
apache oracle CWE-77
8.1
2016-04-15 CVE-2015-5348 Data Processing Errors vulnerability in Apache Camel
Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
network
high complexity
apache CWE-19
8.1
2016-04-14 CVE-2015-5343 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow.
network
low complexity
apache debian CWE-119
7.6
2016-04-12 CVE-2016-0785 Improper Input Validation vulnerability in Apache Struts
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
network
low complexity
apache CWE-20
8.8
2016-04-11 CVE-2015-5349 Command Injection vulnerability in Apache Directory Studio and Ldap Studio
The CSV export in Apache LDAP Studio and Apache Directory Studio before 2.0.0-M10 does not properly escape field values, which might allow attackers to execute arbitrary commands by leveraging a crafted LDAP entry that is interpreted as a formula when imported into a spreadsheet.
local
low complexity
apache CWE-77
7.8
2016-04-11 CVE-2016-0735 Permissions, Privileges, and Access Controls vulnerability in Apache Ranger 0.5.0/0.5.1
Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a resource-level exclude policy.
network
low complexity
apache CWE-264
8.8
2016-04-11 CVE-2015-0266 Permissions, Privileges, and Access Controls vulnerability in Apache Ranger 0.4.0
The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs.
network
low complexity
apache CWE-264
7.1
2016-04-11 CVE-2016-2171 Permissions, Privileges, and Access Controls vulnerability in Apache Jetspeed
The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.
network
low complexity
apache CWE-264
7.5