2024

2023

2022

2021

2020

CVE-2020-1959 (v3: 9.8) 4 May 2020
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.

2019

CVE-2019-0222 (v3: 7.5) 28 Mar 2019
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

2018

CVE-2018-11780 (v3: 9.8) 17 Sept 2018
A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
CVE-2018-11781 (v3: 7.8) 17 Sept 2018
Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.

2017

2016

2015

CVE-2015-0249 (v3: 7.2) 17 Jul 2017
The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL).