Skip to main content

Apache

2550 CVEs vendor

Monthly

CVE-2023-22888 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2023-22887 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Apache Path Traversal Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.8%
CVE-2023-32200 Maven HIGH PATCH This Week

There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Jena
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2023-35887 Maven MEDIUM PATCH This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Sshd
NVD
CVSS 3.1
4.3
EPSS
1.3%
CVE-2023-34442 Maven LOW PATCH Monitor

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel.X through <=3.14.8, from 3.18.X through <=3.18.7, from 3.20.X through <= 3.20.5,. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Apache Information Disclosure Camel
NVD
CVSS 3.1
3.3
EPSS
0.4%
CVE-2023-33008 Maven MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Deserialization Johnzon
NVD
CVSS 3.1
5.3
EPSS
1.5%
CVE-2023-34150 Maven MEDIUM This Month

** UNSUPPORTED WHEN ASSIGNED ** Use of TikaEncodingDetector in Apache Any23 can cause excessive memory usage. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Any23
NVD
CVSS 3.1
5.3
EPSS
1.5%
CVE-2023-35797 PyPI CRITICAL PATCH Act Now

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Authentication Bypass Apache Airflow Providers Apache Hive
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2023-22886 PyPI HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Apache Airflow Providers Jdbc
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2023-35798 PyPI MEDIUM PATCH This Month

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Microsoft Mssql Apache Airflow Providers Odbc
NVD GitHub
CVSS 3.1
4.3
EPSS
1.3%
CVE-2023-34395 PyPI HIGH PATCH This Week

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Privilege Escalation Apache Apache Airflow Providers Odbc
NVD GitHub
CVSS 3.1
7.8
EPSS
0.8%
CVE-2023-31469 Maven HIGH PATCH This Week

A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Streampipes
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2023-34981 Maven HIGH PATCH This Week

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-34340 Maven CRITICAL PATCH Act Now

Improper Authentication vulnerability in Apache Software Foundation Apache Accumulo.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Accumulo
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-35005 PyPI MEDIUM PATCH This Month

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.5%
CVE-2023-34396 Maven HIGH PATCH This Week

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.5.30, through 6.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Struts
NVD
CVSS 3.1
7.5
EPSS
5.5%
CVE-2023-34149 Maven MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.5.30, through 6.1.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Struts
NVD
CVSS 3.1
6.5
EPSS
5.4%
CVE-2023-33933 HIGH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.0.0 through 9.2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-30631 HIGH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server Debian Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2023-34468 Maven HIGH POC PATCH THREAT Act Now

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Apache Nifi
NVD GitHub
CVSS 3.1
8.8
EPSS
63.6%
CVE-2023-34212 Maven MEDIUM PATCH This Month

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization Nifi
NVD
CVSS 3.1
6.5
EPSS
2.4%
CVE-2023-30576 HIGH This Week

Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Apache RCE Memory Corruption Guacamole
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2023-30575 HIGH This Week

Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Guacamole
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-33234 PyPI HIGH PATCH This Week

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Apache Kubernetes Apache Airflow Providers Cncf Kubernetes
NVD VulDB
CVSS 3.1
7.2
EPSS
1.5%
CVE-2023-30601 Maven HIGH PATCH This Week

Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra0.0 through 4.0.9, from 4.1.0 through 4.1.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Apache Cassandra
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-32315 Maven HIGH POC KEV PATCH THREAT Act Now

Openfire is an XMPP server licensed under the Open Source Apache License. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Openfire
NVD GitHub
CVSS 3.1
7.5
EPSS
100.0%
CVE-2023-31103 Maven HIGH PATCH This Week

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-31101 Maven MEDIUM PATCH This Month

Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong.5.0 through 1.6.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2023-31098 Maven CRITICAL PATCH Act Now

Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Brute Force Inlong
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-31066 Maven CRITICAL PATCH Act Now

Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Information Disclosure Inlong
NVD
CVSS 3.1
9.1
EPSS
1.4%
CVE-2023-31065 Maven CRITICAL PATCH Act Now

Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2023-31064 Maven HIGH PATCH This Week

Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Information Disclosure Inlong
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-31062 Maven CRITICAL PATCH Act Now

Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Apache Inlong
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-31454 Maven HIGH PATCH This Week

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-31453 Maven HIGH PATCH This Week

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-31206 Maven HIGH PATCH This Week

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-31058 Maven HIGH PATCH This Week

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-28709 Maven HIGH PATCH This Week

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service Debian Linux 7 Mode Transition Tool
NVD
CVSS 3.1
7.5
EPSS
51.5%
CVE-2023-29246 Maven HIGH PATCH This Week

An attacker who has gained access to an admin account can perform RCE via null-byte injection Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Code Injection Openmeetings
NVD
CVSS 3.1
7.2
EPSS
1.5%
CVE-2023-29032 Maven HIGH PATCH This Week

An attacker that has gained access to certain private information can use this to act as other user. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Authentication Bypass Openmeetings
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2023-28936 Maven MEDIUM PATCH This Month

Attacker can access arbitrary recording/room Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Openmeetings
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2023-25754 PyPI CRITICAL PATCH Act Now

Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2023-29247 PyPI MEDIUM PATCH This Month

Task instance details page in the UI is vulnerable to a stored XSS.6.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
CVSS 3.1
5.4
EPSS
1.9%
CVE-2023-31039 CRITICAL PATCH Act Now

Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary code via ServerOptions::pid_file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Brpc
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-26268 MEDIUM This Month

Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list *. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Couchdb Cloudant
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2023-32007 LIB HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Spark
NVD
CVSS 3.1
8.8
EPSS
75.8%
CVE-2023-31207 MEDIUM This Month

Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Apache Information Disclosure Checkmk
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-22665 Maven MEDIUM PATCH This Month

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Jena
NVD
CVSS 3.1
5.4
EPSS
1.3%
CVE-2023-30776 PyPI MEDIUM PATCH This Month

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API.3.0 up to 2.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
CVSS 3.1
6.5
EPSS
2.1%
CVE-2023-27524 PyPI CRITICAL POC KEV PATCH THREAT Act Now

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Superset
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
97.4%
CVE-2023-25601 Maven MEDIUM PATCH This Month

On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Python Authentication Bypass Dolphinscheduler
NVD
CVSS 3.1
4.3
EPSS
1.1%
CVE-2023-29004 MEDIUM POC This Month

hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx Roxy Wi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-27525 PyPI MEDIUM PATCH This Month

An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2023-25504 PyPI MEDIUM PATCH This Month

A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Superset
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-30771 PyPI CRITICAL Act Now

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Iotdb Web Workbench
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-22946 LIB CRITICAL PATCH Act Now

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Spark
NVD
CVSS 3.1
9.9
EPSS
1.1%
CVE-2023-24831 LIB CRITICAL PATCH Act Now

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.13.0 through 0.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Grafana Apache Authentication Bypass Iotdb
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-30465 Maven MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.5.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization SQLi Inlong
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2023-29216 Maven CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a new data source to trigger a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Linkis
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2023-29215 Maven CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Linkis
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2023-27987 Maven CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Linkis
NVD
CVSS 3.1
9.1
EPSS
0.8%
CVE-2023-27603 Maven CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Linkis
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2023-27602 Maven CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache File Upload Linkis
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2023-28710 PyPI HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Apache Airflow Providers Apache Spark
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2023-28707 PyPI HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.3.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Apache Drill
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2023-28706 PyPI CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Apache Airflow Hive Provider
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2023-28625 HIGH PATCH This Week

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Apache Mod Auth Openidc
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-26269 Maven HIGH PATCH This Week

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Apache Authentication Bypass James
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2023-28935 Maven HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Unstructured Information Management Architecture
NVD
CVSS 3.1
8.8
EPSS
3.0%
CVE-2023-1663 MEDIUM This Month

Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass Coverity
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-28326 Maven CRITICAL PATCH Act Now

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Openmeetings
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-25197 MEDIUM This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Fineract
NVD
CVSS 3.1
6.3
EPSS
1.1%
CVE-2023-25196 MEDIUM This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Fineract
NVD
CVSS 3.1
4.3
EPSS
1.3%
CVE-2023-25195 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Fineract
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2023-27296 Maven HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Deserialization Inlong
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2023-28708 Maven MEDIUM PATCH This Month

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
1.8%
CVE-2023-26513 Maven HIGH PATCH This Week

Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.2.0 before 1.4.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Sling Resource Merger
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-25804 MEDIUM POC This Month

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx Roxy Wi
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2023-0100 Maven HIGH PATCH This Week

In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure Business Intelligence And Reporting Tools
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-25695 PyPI MEDIUM PATCH This Month

Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.5.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
5.3
EPSS
1.4%
CVE-2023-23408 MEDIUM POC PATCH This Month

Azure Apache Ambari Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache XSS Microsoft Azure Hdinsight
NVD Exploit-DB
CVSS 3.1
4.5
EPSS
4.0%
CVE-2023-25803 HIGH POC This Week

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx Roxy Wi
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-25802 HIGH POC PATCH This Week

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Path Traversal Nginx Roxy Wi
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-27901 Maven HIGH PATCH This Week

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Jenkins Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-27900 Maven HIGH PATCH This Week

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Jenkins Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-26464 Maven HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Deserialization Log4J
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2023-23638 Maven CRITICAL PATCH Act Now

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Dubbo
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2023-27522 PyPI HIGH PATCH This Week

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.4.30 through 2.4.55. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling Http Server Debian Linux +1
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2023-25690 CRITICAL Act Now

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Authentication Bypass Http Server
NVD
CVSS 3.1
9.8
EPSS
83.8%
CVE-2023-25544 MEDIUM This Month

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure Dell Emc Networker
NVD
CVSS 3.1
6.5
EPSS
0.5%
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Apache Path Traversal Airflow
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Jena
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Sshd
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel.X through <=3.14.8, from 3.18.X through <=3.18.7, from 3.20.X through <= 3.20.5,. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Apache Information Disclosure Camel
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Deserialization +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

** UNSUPPORTED WHEN ASSIGNED ** Use of TikaEncodingDetector in Apache Any23 can cause excessive memory usage. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Any23
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Authentication Bypass Apache Airflow Providers Apache Hive
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Apache Airflow Providers Jdbc
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Microsoft Mssql +1
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Privilege Escalation Apache Apache Airflow Providers Odbc
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Streampipes
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Authentication vulnerability in Apache Software Foundation Apache Accumulo.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Accumulo
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.5.30, through 6.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Struts
NVD
EPSS 5% CVSS 6.5
MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.5.30, through 6.1.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Struts
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.0.0 through 9.2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server +2
NVD
EPSS 64% CVSS 8.8
HIGH POC PATCH THREAT Act Now

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Apache +1
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization Nifi
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Apache RCE +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Guacamole
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Apache Kubernetes +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra0.0 through 4.0.9, from 4.1.0 through 4.1.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Apache Cassandra
NVD
EPSS 100% CVSS 7.5
HIGH POC KEV PATCH THREAT Act Now

Openfire is an XMPP server licensed under the Open Source Apache License. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Openfire
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong.5.0 through 1.6.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Brute Force +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Information Disclosure +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Information Disclosure +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Apache Inlong
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Inlong
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
EPSS 52% CVSS 7.5
HIGH PATCH This Week

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service +2
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

An attacker who has gained access to an admin account can perform RCE via null-byte injection Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Code Injection Openmeetings
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

An attacker that has gained access to certain private information can use this to act as other user. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Authentication Bypass Openmeetings
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Attacker can access arbitrary recording/room Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Openmeetings
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 2% CVSS 5.4
MEDIUM PATCH This Month

Task instance details page in the UI is vulnerable to a stored XSS.6.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary code via ServerOptions::pid_file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Brpc
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list *. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Couchdb +1
NVD
EPSS 76% CVSS 8.8
HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Spark
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Apache Information Disclosure Checkmk
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Jena
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API.3.0 up to 2.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
EPSS 97% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Superset
NVD Exploit-DB
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Python Authentication Bypass +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Superset
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Iotdb Web Workbench
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Spark
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.13.0 through 0.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Grafana Apache Authentication Bypass +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.5.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization SQLi +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a new data source to trigger a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Linkis
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Linkis
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache File Upload Linkis
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Apache Airflow Providers Apache Spark
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.3.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Apache Drill
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Apache +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Apache +1
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Apache Authentication Bypass +1
NVD
EPSS 3% CVSS 8.8
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Unstructured Information Management Architecture
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Openmeetings
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Fineract
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Fineract
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Fineract
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Deserialization Inlong
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Information Disclosure
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.2.0 before 1.4.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Sling Resource Merger
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.5.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 4% CVSS 4.5
MEDIUM POC PATCH This Month

Azure Apache Ambari Spoofing Vulnerability. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache XSS Microsoft +1
NVD Exploit-DB
EPSS 1% CVSS 7.5
HIGH POC This Week

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Path Traversal Nginx +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Jenkins Denial Of Service
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Jenkins Denial Of Service
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Deserialization +1
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.4.30 through 2.4.55. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +3
NVD
EPSS 84% CVSS 9.8
CRITICAL Act Now

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Authentication Bypass +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure +2
NVD
Prev Page 13 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy