Skip to main content

Apache

2550 CVEs vendor

Monthly

CVE-2023-44483 Maven MEDIUM PATCH This Month

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Apache Information Disclosure Santuario Xml Security For Java
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2023-46227 Maven HIGH PATCH This Week

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.8.0, the attacker can use \t to bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-25753 Maven MEDIUM PATCH This Month

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SSRF Shenyu
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-41752 HIGH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server Fedora
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-39456 HIGH This Week

Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.0.0 through 9.2.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server Fedora
NVD
CVSS 3.1
7.5
EPSS
53.5%
CVE-2023-45757 MEDIUM This Month

Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Brpc
NVD
CVSS 3.1
6.1
EPSS
1.0%
CVE-2023-43668 Maven CRITICAL PATCH Act Now

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Inlong
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-43667 Maven HIGH PATCH This Week

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache InLong.4.0 through 1.8.0, the attacker can create misleading or false log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Inlong
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-43666 Maven MEDIUM PATCH This Month

Insufficient Verification of Data Authenticity vulnerability in Apache InLong.4.0 through 1.8.0, General user can view all user data like Admin account. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-45348 PyPI MEDIUM PATCH This Month

Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
4.3
EPSS
1.2%
CVE-2023-42792 PyPI MEDIUM PATCH This Month

Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2023-42780 PyPI MEDIUM PATCH This Month

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2023-42663 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2023-44981 Maven CRITICAL PATCH Act Now

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Zookeeper Debian Linux
NVD
CVSS 3.1
9.1
EPSS
1.7%
CVE-2023-45648 Maven MEDIUM POC PATCH This Month

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure Debian Linux
NVD
CVSS 3.1
5.3
EPSS
5.8%
CVE-2023-42795 Maven MEDIUM PATCH This Month

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure Debian Linux
NVD
CVSS 3.1
5.3
EPSS
2.2%
CVE-2023-42794 Maven MEDIUM PATCH This Month

Incomplete Cleanup vulnerability in Apache Tomcat. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Tomcat Apache Denial Of Service Microsoft
NVD
CVSS 3.1
5.9
EPSS
1.9%
CVE-2023-36419 CRITICAL PATCH Act Now

Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Apache XXE Microsoft Azure Hdinsight
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2023-45303 Maven HIGH POC PATCH This Week

ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Code Injection Thingsboard
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-39410 LIB HIGH PATCH This Week

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.11.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache Deserialization Avro
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2023-33972 HIGH This Week

Scylladb is a NoSQL data store using the seastar framework, compatible with Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Scylladb
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2023-42457 PyPI HIGH PATCH This Week

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Apache Denial Of Service Nginx Rest
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-41834 MEDIUM This Month

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Flink Stateful Functions
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2023-42503 Maven MEDIUM PATCH This Month

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.22 before 1.24.0. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Oracle Atlassian Java Apache +1
NVD
CVSS 3.1
5.5
EPSS
0.5%
CVE-2023-41267 PyPI HIGH PATCH This Week

In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Apache Information Disclosure Airflow Hdfs Provider
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2023-41081 HIGH This Week

Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass Tomcat Connectors
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-38156 HIGH PATCH This Week

Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Apache Code Injection Microsoft Azure Hdinsight
NVD
CVSS 3.1
7.2
EPSS
1.9%
CVE-2023-40712 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.5%
CVE-2023-40611 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Apache Authentication Bypass Airflow
NVD GitHub
CVSS 3.1
4.3
EPSS
1.3%
CVE-2023-39265 PyPI MEDIUM POC PATCH THREAT This Month

Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Superset
NVD GitHub
CVSS 3.1
6.5
EPSS
83.7%
CVE-2023-37941 PyPI MEDIUM POC PATCH THREAT This Month

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Apache Python Deserialization Superset
NVD GitHub
CVSS 3.1
6.6
EPSS
29.2%
CVE-2023-32672 PyPI MEDIUM PATCH This Month

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2023-39264 PyPI MEDIUM PATCH This Month

By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2023-36388 PyPI MEDIUM PATCH This Month

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Superset
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2023-36387 PyPI MEDIUM PATCH This Month

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Apache Authentication Bypass Superset
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2023-27526 PyPI MEDIUM PATCH This Month

A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2023-27523 PyPI MEDIUM PATCH This Month

Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2023-40743 Maven CRITICAL PATCH Act Now

** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Apache SSRF Axis
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2023-41180 MEDIUM This Month

Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Nifi Minifi C
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2023-40576 HIGH POC This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache Freerdp
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-40575 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache Freerdp
NVD GitHub
CVSS 3.1
9.1
EPSS
1.1%
CVE-2023-40574 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Apache Freerdp
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-40569 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-40567 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-40188 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
9.1
EPSS
1.2%
CVE-2023-40187 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Apache Information Disclosure Memory Corruption Freerdp
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-40186 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Apache Buffer Overflow Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-40181 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
9.1
EPSS
1.4%
CVE-2023-39356 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
9.1
EPSS
1.5%
CVE-2023-39353 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
9.1
EPSS
1.2%
CVE-2023-39352 CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-39355 CRITICAL POC PATCH Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Use After Free Apache Denial Of Service Memory Corruption Freerdp +1
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-39354 HIGH POC PATCH This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-39351 HIGH POC This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Null Pointer Dereference Apache Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-39350 HIGH POC PATCH This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Apache Denial Of Service Freerdp Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-40589 HIGH POC PATCH This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Apache Freerdp Fedora Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-40195 PyPI HIGH PATCH This Week

Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache RCE Deserialization Airflow Spark Provider
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2023-27604 PyPI HIGH PATCH This Week

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow Sqoop Provider
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-41080 Maven MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Open Redirect Debian Linux
NVD
CVSS 3.1
6.1
EPSS
6.0%
CVE-2023-34040 Maven HIGH PATCH This Week

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Apache Deserialization Spring For Apache Kafka
NVD
CVSS 3.1
7.8
EPSS
2.2%
CVE-2023-40273 PyPI HIGH PATCH This Week

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Session Fixation Airflow
NVD GitHub
CVSS 3.1
8.0
EPSS
1.4%
CVE-2023-39441 PyPI MEDIUM PATCH This Month

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache OpenSSL Information Disclosure Airflow Apache Airflow Providers Imap +1
NVD GitHub
CVSS 3.1
5.9
EPSS
0.6%
CVE-2023-37379 PyPI HIGH PATCH This Week

Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Denial Of Service Airflow
NVD GitHub
CVSS 3.1
8.1
EPSS
1.5%
CVE-2023-38035 CRITICAL POC KEV THREAT Emergency

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Ivanti Authentication Bypass Mobileiron Sentry
NVD
CVSS 3.1
9.8
EPSS
99.9%
CVE-2023-40037 Maven MEDIUM PATCH This Month

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Nifi
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2023-40272 PyPI HIGH PATCH This Week

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Apache Airflow Providers Apache Spark
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2023-39553 PyPI HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Apache Drill
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2023-33934 CRITICAL Act Now

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.2.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling Traffic Server
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2023-38188 MEDIUM PATCH This Month

Azure Apache Hadoop Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Microsoft Azure Hdinsight
NVD
CVSS 3.1
4.5
EPSS
1.0%
CVE-2023-36881 MEDIUM PATCH This Month

Azure Apache Ambari Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Microsoft Azure Hdinsight
NVD
CVSS 3.1
4.5
EPSS
1.0%
CVE-2023-36877 MEDIUM PATCH This Month

Azure Apache Oozie Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Microsoft Azure Hdinsight
NVD
CVSS 3.1
4.5
EPSS
1.0%
CVE-2023-35393 MEDIUM PATCH This Month

Azure Apache Hive Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Microsoft Azure Hdinsight
NVD
CVSS 3.1
4.5
EPSS
1.3%
CVE-2023-37581 MEDIUM This Month

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache File Upload XSS Roller
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2023-39508 PyPI HIGH PATCH This Week

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
8.8
EPSS
2.4%
CVE-2023-36542 Maven HIGH PATCH This Week

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Apache Nifi
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2023-38435 Maven MEDIUM PATCH This Month

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Apache Felix Healthcheck Webconsole Plugin version 2.0.2 and prior may allow an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Felix Health Check Webconsole Plugin
NVD
CVSS 3.1
6.1
EPSS
1.8%
CVE-2023-37895 Maven CRITICAL PATCH Act Now

Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to (including) 2.20.10 (stable branch) and 2.21.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache RCE Deserialization Jackrabbit
NVD
CVSS 3.1
9.8
EPSS
2.7%
CVE-2023-35088 Maven CRITICAL PATCH Act Now

Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.7.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SQLi Inlong
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-34434 Maven HIGH PATCH This Week

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.7.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-34189 Maven MEDIUM PATCH This Month

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.7.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-34478 Maven CRITICAL PATCH Act Now

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Authentication Bypass Shiro
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-28754 Maven HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Deserialization Shardingsphere
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-26512 Maven CRITICAL Act Now

7.0\V1.8.0 on windows\linux\mac os e.g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Microsoft Deserialization Eventmesh Connector Rabbitmq
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-37415 PyPI HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Code Injection Apache Airflow Providers Apache Hive
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2023-37579 Maven MEDIUM PATCH This Month

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.10.4, and 2.11.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Pulsar
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-36543 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Denial Of Service Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2023-35908 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Apache Authentication Bypass Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2023-31007 Maven MEDIUM PATCH This Month

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Pulsar
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2023-30429 Maven HIGH PATCH This Week

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.10.4, and 2.11.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Authentication Bypass Pulsar
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2023-30428 Maven HIGH PATCH This Week

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Pulsar
NVD
CVSS 3.1
8.1
EPSS
0.8%
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Apache Information Disclosure +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.8.0, the attacker can use \t to bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SSRF Shenyu
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server +1
NVD
EPSS 53% CVSS 7.5
HIGH This Week

Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.0.0 through 9.2.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Brpc
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Inlong
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache InLong.4.0 through 1.8.0, the attacker can create misleading or false log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Inlong
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient Verification of Data Authenticity vulnerability in Apache InLong.4.0 through 1.8.0, General user can view all user data like Admin account. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Inlong
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Zookeeper +1
NVD
EPSS 6% CVSS 5.3
MEDIUM POC PATCH This Month

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

Incomplete Cleanup vulnerability in Apache Tomcat. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Tomcat Apache Denial Of Service +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Apache XXE Microsoft +1
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Code Injection Thingsboard
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.11.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache Deserialization +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Scylladb is a NoSQL data store using the seastar framework, compatible with Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Scylladb
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Apache Denial Of Service Nginx +1
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM This Month

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Flink Stateful Functions
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.22 before 1.24.0. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Oracle Atlassian +3
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Apache Information Disclosure Airflow Hdfs Provider
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass +1
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Apache Code Injection Microsoft +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Apache Authentication Bypass Airflow
NVD GitHub
EPSS 84% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Superset
NVD GitHub
EPSS 29% CVSS 6.6
MEDIUM POC PATCH THREAT This Month

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Apache Python +2
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Superset
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Apache Authentication Bypass Superset
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Apache SSRF +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Nifi Minifi C
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Apache +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Apache +3
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Apache +3
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache +3
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Apache Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Apache Buffer Overflow +3
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache +3
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache +3
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Apache +3
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Apache +3
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Use After Free Apache Denial Of Service +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Apache +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Null Pointer Dereference Apache +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Apache Denial Of Service +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Apache Freerdp +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache RCE Deserialization +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow Sqoop Provider
NVD GitHub
EPSS 6% CVSS 6.1
MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Open Redirect +1
NVD
EPSS 2% CVSS 7.8
HIGH PATCH This Week

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Apache Deserialization +1
NVD
EPSS 1% CVSS 8.0
HIGH PATCH This Week

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Session Fixation +1
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache OpenSSL Information Disclosure +3
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Denial Of Service +1
NVD GitHub
EPSS 100% CVSS 9.8
CRITICAL POC KEV THREAT Emergency

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Ivanti Authentication Bypass +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Nifi
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Apache Airflow Providers Apache Spark
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Apache Drill
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL Act Now

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.2.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +1
NVD
EPSS 1% CVSS 4.5
MEDIUM PATCH This Month

Azure Apache Hadoop Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Microsoft +1
NVD
EPSS 1% CVSS 4.5
MEDIUM PATCH This Month

Azure Apache Ambari Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Microsoft +1
NVD
EPSS 1% CVSS 4.5
MEDIUM PATCH This Month

Azure Apache Oozie Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Microsoft +1
NVD
EPSS 1% CVSS 4.5
MEDIUM PATCH This Month

Azure Apache Hive Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Microsoft +1
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache File Upload XSS +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Apache +1
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Apache Felix Healthcheck Webconsole Plugin version 2.0.2 and prior may allow an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Felix Health Check Webconsole Plugin
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to (including) 2.20.10 (stable branch) and 2.21.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache RCE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.7.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SQLi Inlong
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.7.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.7.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Authentication Bypass +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Deserialization +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

7.0\V1.8.0 on windows\linux\mac os e.g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Microsoft Deserialization +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Code Injection Apache Airflow Providers Apache Hive
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.10.4, and 2.11.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Pulsar
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Denial Of Service Airflow
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Apache Authentication Bypass Airflow
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Pulsar
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.10.4, and 2.11.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Authentication Bypass +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Pulsar
NVD
Prev Page 12 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy