Skip to main content

Apache

2551 CVEs vendor

Monthly

CVE-2023-25544 MEDIUM This Month

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure Dell Emc Networker
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-25956 PyPI HIGH PATCH This Week

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Amazon
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-25696 PyPI CRITICAL PATCH Act Now

Improper Input Validation vulnerability in the Apache Airflow Hive Provider.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Apache Hive
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2023-25693 PyPI CRITICAL PATCH Act Now

Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Apache Sqoop
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2023-25692 PyPI HIGH PATCH This Week

Improper Input Validation vulnerability in the Apache Airflow Google Provider.10.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Google Apache Airflow Providers Google
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2023-25691 PyPI CRITICAL PATCH Act Now

Improper Input Validation vulnerability in the Apache Airflow Google Provider.10.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Google Apache Airflow Providers Google
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2023-25824 HIGH POC PATCH This Week

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Denial Of Service Mod Gnutls
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-25621 Maven MEDIUM PATCH This Month

Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Sling I18N
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2023-25613 Maven CRITICAL PATCH Act Now

An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Kerby Ldap Backend
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-24998 Maven HIGH PATCH This Week

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache File Upload Denial Of Service Commons Fileupload Debian Linux
NVD
CVSS 3.1
7.5
EPSS
46.8%
CVE-2023-25141 Maven HIGH PATCH This Week

Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Sling Jcr Base
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-22832 Maven HIGH PATCH This Week

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-25194 Maven HIGH POC PATCH THREAT Act Now

A possible security vulnerability has been identified in Apache Kafka Connect API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java Apache Deserialization Kafka Connect
NVD
CVSS 3.1
8.8
EPSS
95.3%
CVE-2023-24814 PHP MEDIUM POC PATCH This Month

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache XSS Nginx Typo3
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2023-22849 Maven MEDIUM PATCH This Month

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Sling Cms
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2023-24997 Maven CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-24977 Maven HIGH This Week

Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Apache Inlong
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-24829 PyPI HIGH PATCH This Week

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.13.0 before 0.13.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Iotdb
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-24830 PyPI HIGH PATCH This Week

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.13.0 before 0.13.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Iotdb
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-22884 PyPI CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Command Injection Airflow Apache Airflow Providers Mysql
NVD GitHub
CVSS 3.1
9.8
EPSS
11.1%
CVE-2023-22602 Maven HIGH PATCH This Week

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache Authentication Bypass Shiro Spring Boot
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-45347 Maven CRITICAL PATCH Act Now

Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Shardingsphere
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-4641 MEDIUM PATCH This Month

A vulnerability was found in pig-vector and classified as problematic. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Java Apache Information Disclosure Pig Vector
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2022-40145 Maven CRITICAL PATCH Act Now

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Karaf
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2022-46421 PyPI CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Command Injection Apache Airflow Providers Apache Hive
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2022-40743 MEDIUM This Month

Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.0.0 to 9.1.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Traffic Server
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-47500 Maven MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component.8.0 to 1.0.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Open Redirect Helix
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-37392 MEDIUM This Month

Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server.0.0 to 9.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Traffic Server
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2022-32749 HIGH This Week

Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions.0.0 through 9.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Traffic Server
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-46870 Maven MEDIUM PATCH This Month

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users'. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Zeppelin
NVD
CVSS 3.1
5.4
EPSS
1.1%
CVE-2022-32531 LIB MEDIUM PATCH This Month

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Apache Information Disclosure Bookkeeper
NVD
CVSS 3.1
5.9
EPSS
1.0%
CVE-2022-23527 MEDIUM This Month

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Open Redirect Mod Auth Openidc Debian Linux
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-34271 Maven HIGH PATCH This Week

A vulnerability in import module of Apache Atlas allows an authenticated user to write to web server filesystem.8.4 to 2.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Atlas
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-46364 Maven CRITICAL PATCH Act Now

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Cxf
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-46363 Maven HIGH PATCH This Week

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Cxf
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-46157 PHP HIGH POC PATCH This Week

Akeneo PIM is an open source Product Information Management (PIM). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache PHP Code Injection Docker RCE +1
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-45910 MEDIUM This Month

Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Microsoft Code Injection LDAP Manifoldcf
NVD
CVSS 3.1
5.3
EPSS
1.5%
CVE-2022-23470 HIGH PATCH This Week

Galaxy is an open-source platform for data analysis. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Apache Nginx Galaxy
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-46366 Maven CRITICAL PATCH Act Now

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Deserialization Tapestry
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2022-44635 HIGH This Week

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal RCE Apache File Upload Fineract
NVD
CVSS 3.1
8.8
EPSS
68.8%
CVE-2022-41131 PyPI HIGH PATCH This Week

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Apache Command Injection Airflow Apache Airflow Providers Apache Hive
NVD GitHub
CVSS 3.1
7.8
EPSS
1.8%
CVE-2022-40954 PyPI MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Apache Command Injection Airflow Apache Airflow Providers Apache Spark
NVD GitHub
CVSS 3.1
5.5
EPSS
1.4%
CVE-2022-40189 PyPI CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Command Injection Airflow Apache Airflow Providers Apache Pig
NVD GitHub
CVSS 3.1
9.8
EPSS
3.9%
CVE-2022-38649 PyPI CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Command Injection Airflow Apache Airflow Providers Apache Pinot
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2022-44784 HIGH POC This Week

An issue was discovered in Appalti & Contratti 9.12.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Authentication Bypass SSRF Appalti Contratti
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-45470 Maven HIGH This Week

missing input validation in Apache Hama may cause information disclosure through path traversal and XSS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Apache XSS Hama
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-45047 Maven CRITICAL PATCH Act Now

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Apache Sshd
NVD VulDB
CVSS 3.1
9.8
EPSS
5.7%
CVE-2022-45381 Maven HIGH PATCH This Week

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Jenkins Pipeline Utility Steps
NVD
CVSS 3.1
8.1
EPSS
1.3%
CVE-2022-45402 PyPI MEDIUM PATCH This Month

In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Open Redirect Airflow
NVD GitHub
CVSS 3.1
6.1
EPSS
81.8%
CVE-2022-45136 Maven CRITICAL Act Now

Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Jena Sdb
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-45378 Maven CRITICAL Act Now

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Authentication Bypass Soap
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2022-40127 PyPI HIGH POC PATCH THREAT This Week

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter.4.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Apache Code Injection Airflow
NVD GitHub
CVSS 3.1
8.8
EPSS
85.7%
CVE-2022-27949 PyPI HIGH PATCH This Week

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Airflow
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-37866 Maven HIGH PATCH This Week

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ivy
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-42920 Maven CRITICAL PATCH Act Now

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Apache Buffer Overflow Commons Bcel Fedora
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2022-37865 Maven CRITICAL PATCH Act Now

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ivy
NVD
CVSS 3.1
9.1
EPSS
1.8%
CVE-2022-33684 PyPI HIGH POC PATCH This Week

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Apache Information Disclosure Python Pulsar
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2022-32287 Maven HIGH PATCH This Week

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Java Uimaj
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-43985 PyPI MEDIUM PATCH This Month

In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Open Redirect Airflow
NVD GitHub
CVSS 3.1
6.1
EPSS
1.5%
CVE-2022-43982 PyPI MEDIUM PATCH This Month

In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Airflow
NVD GitHub
CVSS 3.1
6.1
EPSS
1.4%
CVE-2022-31777 LIB MEDIUM PATCH This Month

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Spark
NVD
CVSS 3.1
5.4
EPSS
1.5%
CVE-2022-42252 Maven HIGH PATCH This Week

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Tomcat Request Smuggling Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-26884 Maven MEDIUM PATCH This Month

Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Dolphinscheduler
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2022-43766 LIB HIGH PATCH This Week

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Java Iotdb
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-42468 Maven CRITICAL PATCH Act Now

Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Java Flume
NVD
CVSS 3.1
9.8
EPSS
2.7%
CVE-2022-39944 Maven HIGH PATCH This Week

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization RCE Linkis
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2022-42890 Maven HIGH PATCH This Week

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript.16. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Java Batik Debian Linux
NVD
CVSS 3.1
7.5
EPSS
2.3%
CVE-2022-41704 Maven HIGH PATCH This Week

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.16. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Java Batik Debian Linux
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2022-34870 Maven MEDIUM PATCH This Month

Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Geode
NVD
CVSS 3.1
5.4
EPSS
1.1%
CVE-2022-39198 Maven CRITICAL PATCH Act Now

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization RCE Dubbo
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2022-42889 Maven CRITICAL POC PATCH THREAT Act Now

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Code Injection Commons Text Bluexp +1
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
99.9%
CVE-2022-40664 Maven CRITICAL PATCH Act Now

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Shiro
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2022-41672 PyPI HIGH PATCH This Week

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
8.1
EPSS
1.2%
CVE-2022-33683 Maven MEDIUM PATCH This Month

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Pulsar
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2022-33682 Maven MEDIUM PATCH This Month

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Java Pulsar
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2022-33681 Maven MEDIUM PATCH This Month

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Java Pulsar
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2022-24280 Maven MEDIUM PATCH This Month

Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Pulsar
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2022-26112 Maven CRITICAL PATCH Act Now

In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Apache Code Injection Pinot
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-40146 Maven HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url.14. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Batik Debian Linux
NVD
CVSS 3.1
7.5
EPSS
5.8%
CVE-2022-38648 Maven MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources.14. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Batik Debian Linux
NVD
CVSS 3.1
5.3
EPSS
2.0%
CVE-2022-38398 Maven MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol.14. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Batik Debian Linux
NVD
CVSS 3.1
5.3
EPSS
2.0%
CVE-2022-40705 Maven HIGH This Week

An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP.2 and later versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Soap
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-40754 PyPI MEDIUM PATCH This Month

In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Open Redirect Airflow
NVD GitHub
CVSS 3.1
6.1
EPSS
1.5%
CVE-2022-40604 PyPI HIGH PATCH This Week

In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-40955 Maven HIGH PATCH This Week

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization RCE Inlong
NVD
CVSS 3.1
8.8
EPSS
2.1%
CVE-2022-34917 Maven HIGH PATCH This Week

A security vulnerability has been identified in Apache Kafka. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Kafka
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-29240 HIGH PATCH This Week

Scylla is a real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Apache Information Disclosure Scylla
NVD GitHub
CVSS 3.1
8.1
EPSS
1.0%
CVE-2022-39135 Maven CRITICAL PATCH Act Now

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Oracle Calcite
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-28220 Maven HIGH PATCH This Week

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Apache Command Injection James
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-38370 Maven HIGH PATCH This Week

Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Grafana Iotdb
NVD
CVSS 3.1
7.5
EPSS
1.1%
EPSS 1% CVSS 6.5
MEDIUM This Month

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Amazon
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Improper Input Validation vulnerability in the Apache Airflow Hive Provider.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Apache Hive
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Apache Sqoop
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Improper Input Validation vulnerability in the Apache Airflow Google Provider.10.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Google +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Improper Input Validation vulnerability in the Apache Airflow Google Provider.10.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Google +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Denial Of Service Mod Gnutls
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Sling I18N
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Kerby Ldap Backend
NVD
EPSS 47% CVSS 7.5
HIGH PATCH This Week

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache File Upload Denial Of Service +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Sling Jcr Base
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
EPSS 95% CVSS 8.8
HIGH POC PATCH THREAT Act Now

A possible security vulnerability has been identified in Apache Kafka Connect API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java Apache Deserialization +1
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache XSS Nginx +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Sling Cms
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Apache +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.13.0 before 0.13.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Iotdb
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.13.0 before 0.13.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Iotdb
NVD
EPSS 11% CVSS 9.8
CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Command Injection Airflow +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache Authentication Bypass +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Shardingsphere
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A vulnerability was found in pig-vector and classified as problematic. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Java Apache Information Disclosure +1
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Karaf
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Command Injection Apache Airflow Providers Apache Hive
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.0.0 to 9.1.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Traffic Server
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component.8.0 to 1.0.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Open Redirect Helix
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server.0.0 to 9.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Traffic Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions.0.0 through 9.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Traffic Server
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users'. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Zeppelin
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Apache Information Disclosure +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Open Redirect Mod Auth Openidc +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A vulnerability in import module of Apache Atlas allows an authenticated user to write to web server filesystem.8.4 to 2.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Atlas
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Cxf
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Cxf
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Akeneo PIM is an open source Product Information Management (PIM). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache PHP Code Injection +3
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Microsoft Code Injection +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Galaxy is an open-source platform for data analysis. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Apache Nginx +1
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Deserialization +1
NVD GitHub
EPSS 69% CVSS 8.8
HIGH This Week

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal RCE Apache +2
NVD
EPSS 2% CVSS 7.8
HIGH PATCH This Week

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Apache Command Injection Airflow +1
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Apache Command Injection Airflow +1
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Command Injection Airflow +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Command Injection Airflow +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered in Appalti & Contratti 9.12.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Authentication Bypass SSRF +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

missing input validation in Apache Hama may cause information disclosure through path traversal and XSS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Apache +2
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Java Apache +1
NVD VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Jenkins +1
NVD
EPSS 82% CVSS 6.1
MEDIUM PATCH This Month

In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Open Redirect Airflow
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Jena Sdb
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Authentication Bypass +1
NVD
EPSS 86% CVSS 8.8
HIGH POC PATCH THREAT This Week

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter.4.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Apache Code Injection +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Airflow
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ivy
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Apache Buffer Overflow +2
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ivy
NVD
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Apache Information Disclosure Python +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Java +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Open Redirect Airflow
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Airflow
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Spark
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Tomcat Request Smuggling +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Dolphinscheduler
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Java +1
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Java +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Deserialization RCE +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript.16. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Java +2
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.16. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Java +2
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Geode
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization RCE +1
NVD
EPSS 100% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Code Injection +3
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Shiro
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Pulsar
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Java +1
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Java +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Pulsar
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Apache Code Injection +1
NVD
EPSS 6% CVSS 7.5
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url.14. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Batik +1
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources.14. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Batik +1
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol.14. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Batik +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP.2 and later versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Soap
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Open Redirect Airflow
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization RCE +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A security vulnerability has been identified in Apache Kafka. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Kafka
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Scylla is a real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Apache Information Disclosure Scylla
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Oracle +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Apache Command Injection James
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Grafana +1
NVD
Prev Page 14 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy