CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apache : Security Vulnerabilities Published In 2017 (Execute Code)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-9791 20 Exec Code 2017-07-10 2017-08-11
7.5
None Remote Low Not required Partial Partial Partial
The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
2 CVE-2017-5645 502 Exec Code 2017-04-17 2017-04-24
7.5
None Remote Low Not required Partial Partial Partial
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
3 CVE-2017-5638 20 Exec Code 2017-03-10 2017-08-15
10.0
None Remote Low Not required Complete Complete Complete
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
4 CVE-2016-8751 79 Exec Code XSS 2017-06-14 2017-06-19
3.5
None Remote Medium Single system None Partial None
Apache Ranger before 0.6.is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
5 CVE-2016-8749 502 Exec Code 2017-03-28 2017-06-08
7.5
None Remote Low Not required Partial Partial Partial
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
6 CVE-2016-8735 284 Exec Code 2017-04-06 2017-07-27
7.5
None Remote Low Not required Partial Partial Partial
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
7 CVE-2016-6809 502 Exec Code 2017-04-06 2017-04-12
7.5
None Remote Low Not required Partial Partial Partial
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
8 CVE-2016-6807 284 Exec Code 2017-03-28 2017-04-04
7.5
None Remote Low Not required Partial Partial Partial
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process.
9 CVE-2016-6793 502 DoS Exec Code 2017-07-17 2017-08-04
6.4
None Remote Low Not required None Partial Partial
The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.7 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
10 CVE-2016-0779 502 Exec Code 2017-04-11 2017-04-18
7.5
None Remote Low Not required Partial Partial Partial
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.
11 CVE-2015-3188 264 Exec Code 2017-01-13 2017-01-17
10.0
None Remote Low Not required Complete Complete Complete
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors.
12 CVE-2015-0249 94 Exec Code 2017-07-17 2017-07-27
6.5
None Remote Low Single system Partial Partial Partial
The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL).
13 CVE-2014-3582 94 Exec Code 2017-03-29 2017-05-30
7.5
None Remote Low Not required Partial Partial Partial
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster.
Total number of vulnerabilities : 13   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.