Skip to main content

Apache

2551 CVEs vendor

Monthly

CVE-2017-5656 Maven HIGH PATCH This Week

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Apache Information Disclosure Cxf
NVD
CVSS 3.0
7.5
EPSS
2.4%
CVE-2017-5653 Maven MEDIUM PATCH This Month

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Cxf
NVD
CVSS 3.0
5.3
EPSS
3.2%
CVE-2017-5662 Maven HIGH PATCH This Week

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Apache Batik
NVD
CVSS 3.0
7.3
EPSS
0.3%
CVE-2017-5661 Maven HIGH PATCH This Week

In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Apache Formatting Objects Processor
NVD
CVSS 3.0
7.3
EPSS
2.4%
CVE-2017-5645 Maven CRITICAL POC PATCH THREAT Act Now

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%.

Deserialization Apache RCE Log4J Oncommand Api Services +77
NVD
CVSS 3.1
9.8
EPSS
94.0%
Threat
6.3
CVE-2017-5659 HIGH PATCH This Week

Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Traffic Server
NVD
CVSS 3.0
7.5
EPSS
2.0%
CVE-2016-5396 HIGH PATCH This Week

Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Traffic Server
NVD
CVSS 3.0
7.5
EPSS
1.8%
CVE-2017-5651 Maven CRITICAL PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Information Disclosure
NVD
CVSS 3.0
9.8
EPSS
6.1%
CVE-2017-5650 Maven HIGH PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.7%.

Tomcat Apache Information Disclosure
NVD
CVSS 3.0
7.5
EPSS
12.7%
CVE-2017-5648 Maven CRITICAL PATCH Act Now

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 21.8%.

Tomcat Apache Information Disclosure
NVD
CVSS 3.0
9.1
EPSS
21.8%
CVE-2017-5647 Maven HIGH PATCH This Week

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Apache Information Disclosure
NVD
CVSS 3.0
7.5
EPSS
2.3%
CVE-2017-6059 HIGH PATCH This Week

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Mod Auth Openidc
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2016-6808 CRITICAL POC THREAT Emergency

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.5%.

Buffer Overflow Tomcat Apache Tomcat Jk Connector
NVD
CVSS 3.0
9.8
EPSS
29.5%
Threat
4.3
CVE-2016-0779 CRITICAL PATCH Act Now

The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache RCE Tomee
NVD
CVSS 3.0
9.8
EPSS
5.0%
CVE-2016-6811 Maven HIGH PATCH This Week

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Privilege Escalation Hadoop
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2016-6805 Maven MEDIUM PATCH This Month

Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Apache Ignite
NVD
CVSS 3.0
5.9
EPSS
0.9%
CVE-2016-8735 Maven CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Oracle Tomcat RCE
NVD
CVSS 3.1
9.8
EPSS
93.8%
Threat
7.8
CVE-2016-6809 Maven CRITICAL PATCH Act Now

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Apache RCE Nutch +1
NVD
CVSS 3.1
9.8
EPSS
7.0%
CVE-2017-5649 Maven HIGH PATCH This Week

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Geode
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2016-4976 Maven MEDIUM PATCH This Month

Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a process listing. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Ambari
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2016-8749 Maven CRITICAL POC PATCH THREAT Act Now

Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 12.2%.

Deserialization Apache RCE Camel
NVD GitHub
CVSS 3.0
9.8
EPSS
12.2%
CVE-2017-5644 Maven MEDIUM PATCH This Month

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Apache Poi
NVD
CVSS 3.0
5.5
EPSS
0.7%
CVE-2014-0229 Maven MEDIUM PATCH This Month

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Privilege Escalation Cdh Hadoop
NVD
CVSS 3.0
6.5
EPSS
0.4%
CVE-2016-6816 Maven HIGH POC PATCH This Week

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Tomcat Apache
NVD Exploit-DB
CVSS 3.0
7.1
EPSS
2.9%
CVE-2017-5643 Maven HIGH PATCH This Week

Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF XXE Apache Camel
NVD
CVSS 3.0
7.4
EPSS
1.4%
CVE-2016-8747 Maven HIGH PATCH This Week

An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Tomcat Java
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2017-5638 Maven CRITICAL POC KEV PATCH THREAT Act Now

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Information Disclosure
NVD Exploit-DB GitHub
CVSS 3.1
9.8
EPSS
94.3%
Threat
7.8
CVE-2017-3159 Maven CRITICAL PATCH Act Now

Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Apache Camel
NVD GitHub
CVSS 3.0
9.8
EPSS
2.8%
CVE-2017-6413 HIGH PATCH This Week

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Apache Mod Auth Openidc
NVD GitHub
CVSS 3.0
8.6
EPSS
0.4%
CVE-2017-6062 HIGH PATCH This Week

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Apache Mod Auth Openidc
NVD GitHub
CVSS 3.0
8.6
EPSS
0.4%
CVE-2015-8994 HIGH POC This Week

An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Apache PHP Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2017-5586 CRITICAL POC THREAT Emergency

OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.3%.

Java Apache Information Disclosure Documentum D2
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
35.3%
Threat
4.5
CVE-2017-6056 HIGH Act Now

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.9% and no vendor patch available.

Denial Of Service Apache Tomcat Debian Ubuntu +2
NVD
CVSS 3.0
7.5
EPSS
15.9%
CVE-2017-5169 HIGH PATCH This Week

An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

RCE Redis CSRF Apache Smart Security Manager
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2016-10043 CRITICAL POC THREAT Emergency

An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 37.6%.

Apache Command Injection Web Panel
NVD Exploit-DB
CVSS 3.0
10.0
EPSS
37.6%
Threat
4.6
CVE-2016-6497 HIGH PATCH This Week

main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Apache Information Disclosure Groovy Ldap
NVD VulDB
CVSS 3.1
7.5
EPSS
3.0%
CVE-2015-3188 Maven CRITICAL PATCH Act Now

The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.4%.

Apache Privilege Escalation RCE Storm
NVD VulDB
CVSS 3.0
9.8
EPSS
12.4%
CVE-2016-10140 HIGH Act Now

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 34.2% and no vendor patch available.

Authentication Bypass Apache Information Disclosure Zoneminder
NVD GitHub VulDB
CVSS 3.0
7.5
EPSS
34.2%
CVE-2016-9879 Maven HIGH PATCH This Week

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Authentication Bypass IBM Java Apache +2
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2016-3129 MEDIUM This Month

A remote shell execution vulnerability in the BlackBerry Good Enterprise Mobility Server (GEMS) implementation of the Apache Karaf command shell in GEMS versions 2.1.5.3 to 2.2.22.25 allows remote. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Apache Good Enterprise Mobility Server
NVD
CVSS 3.0
6.6
EPSS
1.9%
CVE-2015-3271 Maven MEDIUM PATCH This Month

Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Tika
NVD
CVSS 3.0
5.3
EPSS
1.1%
CVE-2016-8740 HIGH POC PATCH THREAT Act Now

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 68.3%.

Denial Of Service Apache Http Server Apache HTTP Server
NVD GitHub Exploit-DB
CVSS 3.0
7.5
EPSS
68.3%
Threat
5.0
CVE-2016-5393 Maven HIGH PATCH This Week

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Hadoop
NVD
CVSS 3.0
8.8
EPSS
2.6%
CVE-2016-5526 HIGH PATCH This Week

Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality, integrity, and availability via. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Oracle Tomcat Apache Authentication Bypass Agile Product Lifecycle Management
NVD
CVSS 3.0
7.3
EPSS
0.3%
CVE-2016-1000031 Maven CRITICAL PATCH Act Now

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 56.4%.

Apache RCE Authentication Bypass Commons Fileupload
NVD
CVSS 3.0
9.8
EPSS
56.4%
CVE-2015-1832 Maven CRITICAL PATCH Act Now

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE Java Apache Derby
NVD
CVSS 3.0
9.1
EPSS
0.8%
CVE-2016-5019 Maven CRITICAL PATCH Act Now

CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Myfaces Trinidad
NVD
CVSS 3.0
9.8
EPSS
6.0%
CVE-2016-4436 Maven CRITICAL PATCH Act Now

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Apache Struts
NVD
CVSS 3.0
9.8
EPSS
5.7%
CVE-2016-4385 HIGH This Week

The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization HP Java Apache Network Automation
NVD
CVSS 3.0
7.3
EPSS
3.7%
CVE-2016-4978 Maven HIGH PATCH This Week

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Apache Activemq Artemis Jboss Enterprise Application Platform
NVD VulDB
CVSS 3.1
7.2
EPSS
1.4%
CVE-2016-5395 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity.

XSS Apache Ranger
NVD
CVSS 3.0
4.8
EPSS
0.1%
CVE-2016-3110 Maven HIGH PATCH This Week

mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote attackers to cause a denial of service (Apache http server crash) via an MCMP message containing a series of = (equals) characters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Red Hat Denial Of Service Apache Jboss Enterprise Application Platform Jboss Enterprise Web Server +1
NVD
CVSS 3.0
7.5
EPSS
3.2%
CVE-2016-4694 CRITICAL Act Now

The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Apple Authentication Bypass Mac Os X Os X Server
NVD
CVSS 3.0
9.1
EPSS
1.0%
CVE-2016-4464 Maven CRITICAL PATCH Act Now

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Authentication Bypass Cxf Fediz
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2016-6801 Maven HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Apache Jackrabbit Debian Linux
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2016-5017 HIGH POC This Week

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Apache Zookeeper
NVD
CVSS 3.0
8.1
EPSS
6.1%
CVE-2016-6802 Maven HIGH PATCH Act Now

Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.5%.

Apache Authentication Bypass Shiro
NVD
CVSS 3.0
7.5
EPSS
13.5%
CVE-2016-3089 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Openmeetings
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2016-0760 HIGH This Week

Multiple incomplete blacklist vulnerabilities in Apache Sentry before 1.7.0 allow remote authenticated users to execute arbitrary code via the (1) reflect, (2) reflect2, or (3) java_method Hive. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Authentication Bypass Sentry
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2016-0782 Maven MEDIUM PATCH This Month

The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Java Apache Activemq
NVD
CVSS 3.0
5.4
EPSS
1.2%
CVE-2016-5000 Maven MEDIUM PATCH This Month

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Apache Poi
NVD
CVSS 3.0
5.5
EPSS
0.3%
CVE-2016-1513 HIGH This Week

The Impress tool in Apache OpenOffice 4.1.2 and earlier allows remote attackers to cause a denial of service (out-of-bounds read or write) or execute arbitrary code via crafted MetaActions in an (1). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Denial Of Service Buffer Overflow RCE Apache +1
NVD
CVSS 3.0
7.8
EPSS
1.1%
CVE-2016-4373 CRITICAL Act Now

The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Authentication Bypass Operations Manager
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2016-5005 Maven MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in Apache Archiva 1.3.9 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via the connector.sourceRepoId parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Apache Archiva
NVD
CVSS 3.0
4.8
EPSS
0.5%
CVE-2016-4469 HIGH POC This Week

Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.3.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add new. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Apache Archiva
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
0.8%
CVE-2016-5388 Maven HIGH PATCH Act Now

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 36.8%.

Apache Tomcat Authentication Bypass Enterprise Linux Desktop Enterprise Linux Hpc Node +8
NVD
CVSS 3.0
8.1
EPSS
36.8%
CVE-2016-5387 HIGH PATCH Act Now

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 60.3%.

Information Disclosure Apache Http Server System Management Homepage Communications User Data Repository +18
NVD
CVSS 3.1
8.1
EPSS
60.3%
CVE-2016-4372 CRITICAL POC THREAT Emergency

HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.2%.

Information Disclosure Java Apache Intelligent Management Center Application Performance Manager Intelligent Management Center Branch Intelligent Management System +4
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
10.2%
CVE-2016-4974 Maven HIGH PATCH This Week

Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

RCE Apache Amqp 0 X Jms Client Jms Client Amqp
NVD
CVSS 3.0
7.5
EPSS
2.1%
CVE-2016-4463 HIGH POC THREAT Act Now

Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 38.3%.

Denial Of Service Buffer Overflow Apache Xerces C Debian Linux
NVD GitHub
CVSS 3.0
7.5
EPSS
38.3%
Threat
4.2
CVE-2016-4979 HIGH PATCH Act Now

The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.4%.

Apache Authentication Bypass Http Server Apache HTTP Server
NVD GitHub
CVSS 3.0
7.5
EPSS
17.4%
CVE-2016-1546 MEDIUM PATCH This Month

The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.5%.

Apache Denial Of Service Microsoft Http Server Apache HTTP Server
NVD
CVSS 3.0
5.9
EPSS
41.5%
CVE-2016-4465 Maven MEDIUM PATCH This Month

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.4%.

Denial Of Service Apache Struts
NVD
CVSS 3.0
5.3
EPSS
10.4%
CVE-2016-4438 Maven CRITICAL PATCH Act Now

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 62.1%.

RCE Apache Struts
NVD
CVSS 3.0
9.8
EPSS
62.1%
CVE-2016-4433 Maven HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Struts
NVD
CVSS 3.0
7.5
EPSS
3.5%
CVE-2016-4431 Maven HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Struts
NVD
CVSS 3.0
7.5
EPSS
8.2%
CVE-2016-4430 Maven HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Apache Struts
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2016-3092 Maven HIGH PATCH Act Now

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.9%.

Tomcat Denial Of Service Apache Icewall Identity Manager Icewall Sso Agent Option +3
NVD
CVSS 3.0
7.5
EPSS
33.9%
CVE-2016-1182 Maven HIGH PATCH This Week

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Denial Of Service Java Apache Struts
NVD GitHub
CVSS 3.0
8.2
EPSS
1.8%
CVE-2016-1181 Maven HIGH PATCH This Week

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

RCE Denial Of Service Java Apache Banking Platform +2
NVD GitHub
CVSS 3.0
8.1
EPSS
9.4%
CVE-2015-0899 Maven HIGH PATCH Act Now

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 69.5%.

Authentication Bypass Apache Struts
NVD
CVSS 3.0
7.5
EPSS
69.5%
CVE-2016-3642 CRITICAL POC THREAT Emergency

The RMI service in SolarWinds Virtualization Manager 6.3.1 and earlier allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.4%.

Information Disclosure Java Apache Virtualization Manager
NVD
CVSS 3.0
9.8
EPSS
22.4%
Threat
4.1
CVE-2016-2174 Maven HIGH PATCH This Week

SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

SQLi Apache Ranger
NVD
CVSS 3.0
7.2
EPSS
0.6%
CVE-2016-3085 MEDIUM This Month

Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Apache Cloudstack
NVD
CVSS 3.0
6.5
EPSS
0.3%
CVE-2016-4369 HIGH This Week

HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Java Authentication Bypass Discovery And Dependency Mapping Inventory
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2016-4368 CRITICAL Act Now

HPE Universal CMDB 10.0 through 10.21, Universal CMDB Configuration Manager 10.0 through 10.21, and Universal Discovery 10.0 through 10.21 allow remote attackers to execute arbitrary commands via a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java Apache Universal Cmbd Foundation Universal Cmbd Configuration Manager +1
NVD
CVSS 3.0
9.8
EPSS
1.2%
CVE-2016-3093 Maven MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Ognl Struts
NVD
CVSS 3.0
5.3
EPSS
5.1%
CVE-2016-3087 Maven CRITICAL POC PATCH THREAT Act Now

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an !. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.0%.

RCE Apache Struts
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
87.0%
Threat
6.1
CVE-2016-4437 Maven CRITICAL POC KEV PATCH THREAT Act Now

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache RCE
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
94.2%
Threat
7.8
CVE-2015-7611 Maven HIGH POC PATCH THREAT Act Now

Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 74.9%.

Command Injection Apache James Server
NVD Exploit-DB
CVSS 3.0
8.1
EPSS
74.9%
Threat
5.4
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Apache Information Disclosure +1
NVD
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Cxf
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Apache +1
NVD
EPSS 2% CVSS 7.3
HIGH PATCH This Week

In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Apache +1
NVD
EPSS 94% 6.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%.

Deserialization Apache RCE +79
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Traffic Server
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Traffic Server
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Information Disclosure
NVD
EPSS 13% CVSS 7.5
HIGH PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.7%.

Tomcat Apache Information Disclosure
NVD
EPSS 22% CVSS 9.1
CRITICAL PATCH Act Now

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 21.8%.

Tomcat Apache Information Disclosure
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Apache Information Disclosure
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Mod Auth Openidc
NVD GitHub
EPSS 29% 4.3 CVSS 9.8
CRITICAL POC THREAT Emergency

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.5%.

Buffer Overflow Tomcat Apache +1
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Privilege Escalation Hadoop
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Apache Ignite
NVD
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Oracle Tomcat +1
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Apache +3
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Geode
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a process listing. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Ambari
NVD
EPSS 12% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 12.2%.

Deserialization Apache RCE +1
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Apache Poi
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Privilege Escalation +2
NVD
EPSS 3% CVSS 7.1
HIGH POC PATCH This Week

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Tomcat Apache
NVD Exploit-DB
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF XXE Apache +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Tomcat +1
NVD
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Information Disclosure
NVD Exploit-DB GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Apache +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Apache Mod Auth Openidc
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Apache Mod Auth Openidc
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Apache PHP Privilege Escalation
NVD
EPSS 35% 4.5 CVSS 9.8
CRITICAL POC THREAT Emergency

OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.3%.

Java Apache Information Disclosure +1
NVD Exploit-DB
EPSS 16% CVSS 7.5
HIGH Act Now

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.9% and no vendor patch available.

Denial Of Service Apache Tomcat +4
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

RCE Redis CSRF +2
NVD
EPSS 38% 4.6 CVSS 10.0
CRITICAL POC THREAT Emergency

An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 37.6%.

Apache Command Injection Web Panel
NVD Exploit-DB
EPSS 3% CVSS 7.5
HIGH PATCH This Week

main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Apache Information Disclosure +1
NVD VulDB
EPSS 12% CVSS 9.8
CRITICAL PATCH Act Now

The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.4%.

Apache Privilege Escalation RCE +1
NVD VulDB
EPSS 34% CVSS 7.5
HIGH Act Now

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 34.2% and no vendor patch available.

Authentication Bypass Apache Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Authentication Bypass IBM +4
NVD
EPSS 2% CVSS 6.6
MEDIUM This Month

A remote shell execution vulnerability in the BlackBerry Good Enterprise Mobility Server (GEMS) implementation of the Apache Karaf command shell in GEMS versions 2.1.5.3 to 2.2.22.25 allows remote. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Apache Good Enterprise Mobility Server
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Tika
NVD
EPSS 68% 5.0 CVSS 7.5
HIGH POC PATCH THREAT Act Now

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 68.3%.

Denial Of Service Apache Http Server +1
NVD GitHub Exploit-DB
EPSS 3% CVSS 8.8
HIGH PATCH This Week

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Hadoop
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality, integrity, and availability via. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Oracle Tomcat Apache +2
NVD
EPSS 56% CVSS 9.8
CRITICAL PATCH Act Now

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 56.4%.

Apache RCE Authentication Bypass +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE Java +2
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Myfaces Trinidad
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Apache Struts
NVD
EPSS 4% CVSS 7.3
HIGH This Week

The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization HP Java +2
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Apache +2
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity.

XSS Apache Ranger
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote attackers to cause a denial of service (Apache http server crash) via an MCMP message containing a series of = (equals) characters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Red Hat Denial Of Service Apache +3
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Apple Authentication Bypass +2
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Authentication Bypass Cxf Fediz
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Apache Jackrabbit +1
NVD
EPSS 6% CVSS 8.1
HIGH POC This Week

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Apache Zookeeper
NVD
EPSS 14% CVSS 7.5
HIGH PATCH Act Now

Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.5%.

Apache Authentication Bypass Shiro
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Openmeetings
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Multiple incomplete blacklist vulnerabilities in Apache Sentry before 1.7.0 allow remote authenticated users to execute arbitrary code via the (1) reflect, (2) reflect2, or (3) java_method Hive. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Authentication Bypass +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Java Apache +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Apache Poi
NVD
EPSS 1% CVSS 7.8
HIGH This Week

The Impress tool in Apache OpenOffice 4.1.2 and earlier allows remote attackers to cause a denial of service (out-of-bounds read or write) or execute arbitrary code via crafted MetaActions in an (1). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Denial Of Service Buffer Overflow +3
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Authentication Bypass +1
NVD
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in Apache Archiva 1.3.9 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via the connector.sourceRepoId parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Apache Archiva
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.3.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add new. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Apache Archiva
NVD Exploit-DB
EPSS 37% CVSS 8.1
HIGH PATCH Act Now

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 36.8%.

Apache Tomcat Authentication Bypass +10
NVD
EPSS 60% CVSS 8.1
HIGH PATCH Act Now

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 60.3%.

Information Disclosure Apache Http Server +20
NVD
EPSS 10% CVSS 9.8
CRITICAL POC THREAT Emergency

HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.2%.

Information Disclosure Java Apache +6
NVD Exploit-DB
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

RCE Apache Amqp 0 X Jms Client +1
NVD
EPSS 38% 4.2 CVSS 7.5
HIGH POC THREAT Act Now

Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 38.3%.

Denial Of Service Buffer Overflow Apache +2
NVD GitHub
EPSS 17% CVSS 7.5
HIGH PATCH Act Now

The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.4%.

Apache Authentication Bypass Http Server +1
NVD GitHub
EPSS 42% CVSS 5.9
MEDIUM PATCH This Month

The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.5%.

Apache Denial Of Service Microsoft +2
NVD
EPSS 10% CVSS 5.3
MEDIUM PATCH This Month

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.4%.

Denial Of Service Apache Struts
NVD
EPSS 62% CVSS 9.8
CRITICAL PATCH Act Now

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 62.1%.

RCE Apache Struts
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Struts
NVD
EPSS 8% CVSS 7.5
HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Struts
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Apache Struts
NVD
EPSS 34% CVSS 7.5
HIGH PATCH Act Now

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.9%.

Tomcat Denial Of Service Apache +5
NVD
EPSS 2% CVSS 8.2
HIGH PATCH This Week

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Denial Of Service Java +2
NVD GitHub
EPSS 9% CVSS 8.1
HIGH PATCH This Week

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

RCE Denial Of Service Java +4
NVD GitHub
EPSS 69% CVSS 7.5
HIGH PATCH Act Now

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 69.5%.

Authentication Bypass Apache Struts
NVD
EPSS 22% 4.1 CVSS 9.8
CRITICAL POC THREAT Emergency

The RMI service in SolarWinds Virtualization Manager 6.3.1 and earlier allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.4%.

Information Disclosure Java Apache +1
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

SQLi Apache Ranger
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Apache Cloudstack
NVD
EPSS 0% CVSS 8.8
HIGH This Week

HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Java Authentication Bypass +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

HPE Universal CMDB 10.0 through 10.21, Universal CMDB Configuration Manager 10.0 through 10.21, and Universal Discovery 10.0 through 10.21 allow remote attackers to execute arbitrary commands via a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java Apache +3
NVD
EPSS 5% CVSS 5.3
MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Ognl +1
NVD
EPSS 87% 6.1 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an !. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.0%.

RCE Apache Struts
NVD Exploit-DB
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache RCE
NVD Exploit-DB VulDB
EPSS 75% 5.4 CVSS 8.1
HIGH POC PATCH THREAT Act Now

Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 74.9%.

Command Injection Apache James Server
NVD Exploit-DB
Prev Page 24 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy