Skip to main content

Apache

2551 CVEs vendor

Monthly

CVE-2020-17531 Maven CRITICAL PATCH Act Now

A Java Serialization vulnerability was found in Apache Tapestry 4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization Tapestry
NVD
CVSS 3.1
9.8
EPSS
9.7%
CVE-2020-17521 Maven MEDIUM PATCH This Month

Apache Groovy provides extension methods to aid with creating temporary directories. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Apache Java Information Disclosure Groovy Snapcenter +19
NVD
CVSS 3.1
5.5
EPSS
1.1%
CVE-2020-13945 MEDIUM POC PATCH THREAT This Month

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache Information Disclosure Apisix
NVD
CVSS 3.1
6.5
EPSS
73.0%
CVE-2020-17527 Maven HIGH PATCH This Week

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Tomcat Information Disclosure Element Plug In Oncommand System Manager +9
NVD
CVSS 3.1
7.5
EPSS
24.6%
CVE-2020-13956 Maven MEDIUM PATCH This Month

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Httpclient Quarkus Data Integrator +14
NVD
CVSS 3.1
5.3
EPSS
8.7%
CVE-2020-13942 Maven CRITICAL POC PATCH THREAT Act Now

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Code Injection Unomi
NVD
CVSS 3.1
9.8
EPSS
68.4%
CVE-2020-13958 HIGH This Week

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Openoffice
NVD
CVSS 3.1
7.8
EPSS
2.7%
CVE-2020-13954 Maven MEDIUM PATCH This Month

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Apache Cxf Snap Creator Framework Vasa Provider For Clustered Data Ontap +3
NVD
CVSS 3.1
6.1
EPSS
43.0%
CVE-2020-13927 PyPI CRITICAL POC KEV PATCH THREAT Emergency

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Authentication Bypass Airflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
99.7%
CVE-2020-17510 Maven CRITICAL PATCH Act Now

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Authentication Bypass Shiro Debian Linux
NVD
CVSS 3.1
9.8
EPSS
9.1%
CVE-2020-7760 npm HIGH POC PATCH This Week

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Denial Of Service Codemirror Application Express Enterprise Manager Express User Interface +3
NVD GitHub
CVSS 3.1
7.5
EPSS
5.2%
CVE-2020-5792 HIGH POC THREAT Act Now

Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache RCE Nagios Xi
NVD
CVSS 3.1
7.2
EPSS
61.0%
CVE-2020-5791 HIGH POC THREAT Act Now

Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection Nagios Xi
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
78.6%
CVE-2020-13937 Maven MEDIUM POC PATCH THREAT This Month

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Kylin
NVD
CVSS 3.1
5.3
EPSS
78.3%
CVE-2020-13957 Maven CRITICAL PATCH Act Now

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Authentication Bypass Solr
NVD
CVSS 3.1
9.8
EPSS
78.9%
CVE-2020-13943 Maven MEDIUM PATCH This Month

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Apache Tomcat Information Disclosure Debian Linux Instantis Enterprisetrack +1
NVD
CVSS 3.1
4.3
EPSS
57.3%
CVE-2020-13955 Maven MEDIUM PATCH This Month

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Splunk Calcite
NVD
CVSS 3.1
5.9
EPSS
2.1%
CVE-2020-5632 HIGH This Week

InfoCage SiteShell series (Host type SiteShell for IIS V1.4, V1.5, and V1.6, Host type SiteShell for IIS prior to revision V2.0.0.6, V2.1.0.7, V2.1.1.6, V3.0.0.11, V4.0.0.6, V4.1.0.5, and V4.2.0.1,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apache RCE Microsoft Infocage Siteshell
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-9491 Maven HIGH PATCH This Week

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
CVSS 3.1
7.5
EPSS
2.9%
CVE-2020-9487 Maven HIGH PATCH This Week

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Nifi
NVD
CVSS 3.1
7.5
EPSS
3.0%
CVE-2020-9486 Maven HIGH PATCH This Week

In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
CVSS 3.1
7.5
EPSS
3.6%
CVE-2020-13940 Maven MEDIUM PATCH This Month

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
CVSS 3.1
5.5
EPSS
1.9%
CVE-2020-11979 Maven HIGH PATCH This Week

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Code Injection Ant Gradle Fedora +34
NVD GitHub
CVSS 3.1
7.5
EPSS
8.2%
CVE-2020-13952 PyPI HIGH PATCH This Week

In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
CVSS 3.1
8.1
EPSS
2.0%
CVE-2020-13953 Maven MEDIUM PATCH This Month

In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Information Disclosure Tapestry
NVD
CVSS 3.1
5.3
EPSS
2.7%
CVE-2020-13951 Maven HIGH POC PATCH THREAT This Week

Attackers can use public NetTest web service of Apache OpenMeetings 4.0.0-5.0.0 to organize denial of service attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Denial Of Service Openmeetings
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
70.4%
CVE-2020-13944 PyPI MEDIUM PATCH This Month

In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Airflow
NVD
CVSS 3.1
6.1
EPSS
25.1%
CVE-2020-13948 PyPI HIGH PATCH This Week

While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Python Information Disclosure Superset
NVD
CVSS 3.1
8.8
EPSS
3.1%
CVE-2020-13928 Maven MEDIUM PATCH This Month

Apache Atlas before 2.1.0 contain a XSS vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Atlas
NVD
CVSS 3.1
6.1
EPSS
2.6%
CVE-2020-11977 Maven HIGH PATCH This Week

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
CVSS 3.1
7.2
EPSS
2.8%
CVE-2020-13920 Maven MEDIUM PATCH This Month

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Authentication Bypass Activemq Communications Diameter Signaling Router Flexcube Private Banking +1
NVD
CVSS 3.1
5.9
EPSS
4.6%
CVE-2020-11998 Maven CRITICAL PATCH Act Now

A regression has been introduced in the commit preventing JMX re-bind. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Java RCE Oracle Activemq +6
NVD
CVSS 3.1
9.8
EPSS
51.2%
CVE-2020-11986 CRITICAL Act Now

To be able to analyze gradle projects, the build scripts need to be executed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Netbeans
NVD
CVSS 3.1
9.8
EPSS
9.9%
CVE-2020-25073 MEDIUM POC This Month

FreedomBox through 20.13 allows remote attackers to obtain sensitive information from the /server-status page of the Apache HTTP Server, because a connection from the Tor onion service (or from. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Freedombox
NVD
CVSS 3.1
5.3
EPSS
2.1%
CVE-2020-5777 PHP CRITICAL POC PATCH THREAT Act Now

MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Apache Authentication Bypass Magmi
NVD
CVSS 3.1
9.8
EPSS
23.9%
CVE-2020-13946 Maven MEDIUM PATCH This Month

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Cassandra Oncommand Insight
NVD
CVSS 3.1
5.9
EPSS
3.0%
CVE-2020-3484 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to view potentially sensitive information on an affected. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Cisco Information Disclosure Vision Dynamic Signage Director
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2020-13933 Maven HIGH PATCH This Week

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Shiro Debian Linux
NVD
CVSS 3.1
7.5
EPSS
48.0%
CVE-2020-13941 Maven HIGH PATCH This Week

Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Solr
NVD
CVSS 3.1
8.8
EPSS
3.8%
CVE-2020-11976 Maven HIGH PATCH This Week

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Information Disclosure Fortress Wicket
NVD
CVSS 3.1
7.5
EPSS
3.8%
CVE-2020-9490 HIGH PATCH This Week

Apache HTTP Server versions 2.4.20 to 2.4.43. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Denial Of Service Http Server Communications Element Manager +23
NVD
CVSS 3.1
7.5
EPSS
89.7%
CVE-2020-11993 HIGH POC PATCH THREAT This Week

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Request Smuggling Information Disclosure Http Server Clustered Data Ontap +11
NVD
CVSS 3.1
7.5
EPSS
58.7%
CVE-2020-11985 MEDIUM This Month

IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure PHP Http Server
NVD
CVSS 3.1
5.3
EPSS
6.8%
CVE-2020-11984 CRITICAL POC THREAT Act Now

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Apache Http Server Clustered Data Ontap Ubuntu Linux +10
NVD
CVSS 3.1
9.8
EPSS
90.0%
CVE-2020-13921 LIB CRITICAL PATCH Act Now

**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SQLi Skywalking
NVD GitHub
CVSS 3.1
9.8
EPSS
33.5%
CVE-2020-13932 Maven MEDIUM PATCH This Month

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Artemis
NVD VulDB
CVSS 3.1
6.1
EPSS
2.6%
CVE-2020-9485 PyPI MEDIUM PATCH This Month

An issue was found in Apache Airflow versions 1.10.10 and below. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Airflow
NVD
CVSS 3.1
6.1
EPSS
2.0%
CVE-2020-11983 PyPI MEDIUM PATCH This Month

An issue was found in Apache Airflow versions 1.10.10 and below. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Apache Airflow
NVD
CVSS 3.1
5.4
EPSS
1.3%
CVE-2020-11982 PyPI CRITICAL PATCH Act Now

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Redis Deserialization RCE Airflow
NVD
CVSS 3.1
9.8
EPSS
7.2%
CVE-2020-11981 PyPI CRITICAL POC PATCH THREAT Act Now

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Redis Command Injection Airflow
NVD
CVSS 3.1
9.8
EPSS
34.0%
CVE-2020-11978 PyPI HIGH POC KEV PATCH THREAT Act Now

An issue was found in Apache Airflow versions 1.10.10 and below. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection Airflow
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
99.1%
CVE-2020-9496 MEDIUM POC THREAT This Month

XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Apache Deserialization Ofbiz
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
98.9%
CVE-2020-13923 MEDIUM This Month

IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Ofbiz
NVD
CVSS 3.1
5.3
EPSS
5.0%
CVE-2020-13935 Maven HIGH POC PATCH THREAT This Week

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Denial Of Service Tomcat Debian Linux Oncommand System Manager +15
NVD
CVSS 3.1
7.5
EPSS
87.6%
CVE-2020-13934 Maven HIGH PATCH This Week

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.

Apache Denial Of Service Tomcat Debian Linux Oncommand System Manager +11
NVD
CVSS 3.1
7.5
EPSS
64.1%
CVE-2020-9498 MEDIUM This Month

Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. Rated medium severity (CVSS 6.7). No vendor patch available.

Buffer Overflow Apache Memory Corruption RCE Guacamole +2
NVD
CVSS 3.1
6.7
EPSS
0.7%
CVE-2020-9497 MEDIUM This Month

Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. Rated medium severity (CVSS 4.4). No vendor patch available.

Apache Information Disclosure Guacamole Fedora Debian Linux
NVD
CVSS 3.1
4.4
EPSS
0.8%
CVE-2020-9483 HIGH POC THREAT This Week

**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SQLi Skywalking
NVD GitHub
CVSS 3.1
7.5
EPSS
34.6%
CVE-2020-11996 Maven HIGH PATCH This Week

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Tomcat Information Disclosure Ubuntu Linux Mysql Enterprise Monitor +5
NVD
CVSS 3.1
7.5
EPSS
26.7%
CVE-2020-9494 HIGH This Week

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Traffic Server Debian Linux
NVD
CVSS 3.1
7.5
EPSS
3.9%
CVE-2020-10280 HIGH This Week

The Apache server on port 80 that host the web interface is vulnerable to a DoS by spamming incomplete HTTP headers, effectively blocking the access to the dashboard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Mir100 Firmware Mir200 Firmware Mir250 Firmware +7
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-9480 LIB CRITICAL POC PATCH THREAT Act Now

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Apache Authentication Bypass Spark Business Intelligence
NVD
CVSS 3.1
9.8
EPSS
29.2%
CVE-2020-11989 Maven CRITICAL PATCH Act Now

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Authentication Bypass Shiro
NVD
CVSS 3.1
9.8
EPSS
24.4%
CVE-2020-9495 Maven MEDIUM PATCH This Month

Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Archiva
NVD
CVSS 3.1
5.3
EPSS
8.0%
CVE-2020-11969 Maven CRITICAL PATCH Act Now

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomee
NVD
CVSS 3.1
9.8
EPSS
4.1%
CVE-2020-14060 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage +9
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
8.7%
CVE-2020-14062 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage +10
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
7.3%
CVE-2020-11980 Maven MEDIUM PATCH This Month

In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Privilege Escalation SSRF Karaf
NVD
CVSS 3.1
6.3
EPSS
1.9%
CVE-2020-11975 Maven CRITICAL POC PATCH THREAT Act Now

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Java Information Disclosure Unomi
NVD
CVSS 3.1
9.8
EPSS
29.9%
CVE-2020-1963 Maven CRITICAL PATCH Act Now

Apache Ignite uses H2 database to build SQL distributed execution engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Ignite
NVD
CVSS 3.1
9.1
EPSS
5.0%
CVE-2020-1956 Maven HIGH POC KEV PATCH THREAT This Week

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache Command Injection Kylin
NVD
CVSS 3.1
8.8
EPSS
97.3%
CVE-2020-9484 Maven HIGH POC PATCH THREAT This Week

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server;. Rated high severity (CVSS 7.0). This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache RCE Deserialization Tomcat Debian Linux +24
NVD
CVSS 3.1
7.0
EPSS
56.6%
CVE-2020-1960 Maven MEDIUM PATCH This Month

A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0) where, when. Rated medium severity (CVSS 4.7).

Apache Information Disclosure Flink
NVD
CVSS 3.1
4.7
EPSS
0.9%
CVE-2020-1941 Maven MEDIUM PATCH This Month

In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Activemq Communications Diameter Signaling Router Communications Element Manager +4
NVD
CVSS 3.1
6.1
EPSS
6.2%
CVE-2020-11973 Maven CRITICAL PATCH Act Now

Apache Camel Netty enables Java deserialization by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization Camel Communications Diameter Signaling Router +2
NVD
CVSS 3.1
9.8
EPSS
6.6%
CVE-2020-11972 Maven CRITICAL PATCH Act Now

Apache Camel RabbitMQ enables Java deserialization by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization Camel Communications Diameter Signaling Router +2
NVD
CVSS 3.1
9.8
EPSS
5.5%
CVE-2020-11971 Maven HIGH PATCH This Week

Apache Camel's JMX is vulnerable to Rebind Flaw. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Camel Communications Diameter Intelligence Hub Communications Diameter Signaling Router +2
NVD
CVSS 3.1
7.5
EPSS
14.3%
CVE-2020-1945 Maven MEDIUM PATCH This Month

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. Rated medium severity (CVSS 6.3). This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Apache Java Information Disclosure Ant Ubuntu Linux +48
NVD
CVSS 3.1
6.3
EPSS
1.8%
CVE-2020-1939 CRITICAL PATCH Act Now

The Apache NuttX (Incubating) project provides an optional separate "apps" repository which contains various optional components and example programs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Apache Null Pointer Dereference Denial Of Service Nuttx
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2020-1961 Maven CRITICAL PATCH Act Now

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
CVSS 3.1
9.8
EPSS
4.6%
CVE-2020-1959 Maven CRITICAL PATCH Act Now

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java RCE Syncope
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2020-12442 CRITICAL Act Now

Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Ivanti SQLi Avalanche
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-9481 HIGH PATCH This Week

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Apache Denial Of Service Traffic Server Debian Linux
NVD
CVSS 3.1
7.5
EPSS
2.4%
CVE-2020-1952 Maven CRITICAL PATCH Act Now

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Iotdb
NVD
CVSS 3.1
9.8
EPSS
2.7%
CVE-2020-9488 Maven LOW PATCH Monitor

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Apache Log4J Communications Application Session Controller Communications Billing And Revenue Management +43
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2020-9489 Maven MEDIUM PATCH This Month

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Apache Denial Of Service Tika Flexcube Private Banking Primavera Unifier +2
NVD
CVSS 3.1
5.5
EPSS
2.5%
CVE-2020-1964 Maven CRITICAL PATCH Act Now

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Heron
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2020-11620 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Deserialization Jackson Databind Debian Linux Active Iq Unified Manager +15
NVD GitHub
CVSS 3.1
8.1
EPSS
5.6%
CVE-2020-1927 MEDIUM PATCH This Month

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Http Server Fedora Debian Linux +11
NVD
CVSS 3.1
6.1
EPSS
56.7%
CVE-2020-1958 Maven MEDIUM PATCH This Month

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Druid
NVD
CVSS 3.1
6.5
EPSS
4.6%
EPSS 10% CVSS 9.8
CRITICAL PATCH Act Now

A Java Serialization vulnerability was found in Apache Tapestry 4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization +1
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

Apache Groovy provides extension methods to aid with creating temporary directories. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Apache Java Information Disclosure +21
NVD
EPSS 73% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache Information Disclosure Apisix
NVD
EPSS 25% CVSS 7.5
HIGH PATCH This Week

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Tomcat Information Disclosure +11
NVD
EPSS 9% CVSS 5.3
MEDIUM PATCH This Month

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Httpclient +16
NVD
EPSS 68% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Code Injection Unomi
NVD
EPSS 3% CVSS 7.8
HIGH This Week

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Openoffice
NVD
EPSS 43% CVSS 6.1
MEDIUM PATCH This Month

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Apache Cxf +5
NVD
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Emergency

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Authentication Bypass Airflow
NVD Exploit-DB
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Authentication Bypass +2
NVD
EPSS 5% CVSS 7.5
HIGH POC PATCH This Week

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Denial Of Service Codemirror +5
NVD GitHub
EPSS 61% CVSS 7.2
HIGH POC THREAT Act Now

Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache RCE Nagios Xi
NVD
EPSS 79% CVSS 7.2
HIGH POC THREAT Act Now

Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection Nagios Xi
NVD Exploit-DB
EPSS 78% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Kylin
NVD
EPSS 79% CVSS 9.8
CRITICAL PATCH Act Now

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Authentication Bypass +1
NVD
EPSS 57% CVSS 4.3
MEDIUM PATCH This Month

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Apache Tomcat Information Disclosure +3
NVD
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Splunk +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

InfoCage SiteShell series (Host type SiteShell for IIS V1.4, V1.5, and V1.6, Host type SiteShell for IIS prior to revision V2.0.0.6, V2.1.0.7, V2.1.1.6, V3.0.0.11, V4.0.0.6, V4.1.0.5, and V4.2.0.1,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apache RCE Microsoft +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Nifi
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
EPSS 2% CVSS 5.5
MEDIUM PATCH This Month

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
EPSS 8% CVSS 7.5
HIGH PATCH This Week

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Code Injection Ant +36
NVD GitHub
EPSS 2% CVSS 8.1
HIGH PATCH This Week

In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Information Disclosure +1
NVD
EPSS 70% CVSS 7.5
HIGH POC PATCH THREAT This Week

Attackers can use public NetTest web service of Apache OpenMeetings 4.0.0-5.0.0 to organize denial of service attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Denial Of Service Openmeetings
NVD Exploit-DB
EPSS 25% CVSS 6.1
MEDIUM PATCH This Month

In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Airflow
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Python Information Disclosure +1
NVD
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

Apache Atlas before 2.1.0 contain a XSS vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Atlas
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
EPSS 5% CVSS 5.9
MEDIUM PATCH This Month

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Authentication Bypass Activemq +3
NVD
EPSS 51% CVSS 9.8
CRITICAL PATCH Act Now

A regression has been introduced in the commit preventing JMX re-bind. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Java RCE +8
NVD
EPSS 10% CVSS 9.8
CRITICAL Act Now

To be able to analyze gradle projects, the build scripts need to be executed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Netbeans
NVD
EPSS 2% CVSS 5.3
MEDIUM POC This Month

FreedomBox through 20.13 allows remote attackers to obtain sensitive information from the /server-status page of the Apache HTTP Server, because a connection from the Tor onion service (or from. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Freedombox
NVD
EPSS 24% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Apache Authentication Bypass +1
NVD
EPSS 3% CVSS 5.9
MEDIUM PATCH This Month

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Cassandra +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to view potentially sensitive information on an affected. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Cisco Information Disclosure +1
NVD
EPSS 48% CVSS 7.5
HIGH PATCH This Week

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Shiro +1
NVD
EPSS 4% CVSS 8.8
HIGH PATCH This Week

Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Solr
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Information Disclosure +2
NVD
EPSS 90% CVSS 7.5
HIGH PATCH This Week

Apache HTTP Server versions 2.4.20 to 2.4.43. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Denial Of Service +25
NVD
EPSS 59% CVSS 7.5
HIGH POC PATCH THREAT This Week

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Request Smuggling Information Disclosure +13
NVD
EPSS 7% CVSS 5.3
MEDIUM This Month

IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure PHP +1
NVD
EPSS 90% CVSS 9.8
CRITICAL POC THREAT Act Now

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Apache Http Server +12
NVD
EPSS 33% CVSS 9.8
CRITICAL PATCH Act Now

**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SQLi Skywalking
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Artemis
NVD VulDB
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

An issue was found in Apache Airflow versions 1.10.10 and below. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Airflow
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

An issue was found in Apache Airflow versions 1.10.10 and below. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Apache Airflow
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Redis Deserialization +2
NVD
EPSS 34% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Redis Command Injection +1
NVD
EPSS 99% CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

An issue was found in Apache Airflow versions 1.10.10 and below. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection Airflow
NVD Exploit-DB
EPSS 99% CVSS 6.1
MEDIUM POC THREAT This Month

XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Apache Deserialization +1
NVD Exploit-DB
EPSS 5% CVSS 5.3
MEDIUM This Month

IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Ofbiz
NVD
EPSS 88% CVSS 7.5
HIGH POC PATCH THREAT This Week

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Denial Of Service Tomcat +17
NVD
EPSS 64% CVSS 7.5
HIGH PATCH This Week

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.

Apache Denial Of Service Tomcat +13
NVD
EPSS 1% CVSS 6.7
MEDIUM This Month

Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. Rated medium severity (CVSS 6.7). No vendor patch available.

Buffer Overflow Apache Memory Corruption +4
NVD
EPSS 1% CVSS 4.4
MEDIUM This Month

Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. Rated medium severity (CVSS 4.4). No vendor patch available.

Apache Information Disclosure Guacamole +2
NVD
EPSS 35% CVSS 7.5
HIGH POC THREAT This Week

**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SQLi Skywalking
NVD GitHub
EPSS 27% CVSS 7.5
HIGH PATCH This Week

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Tomcat Information Disclosure +7
NVD
EPSS 4% CVSS 7.5
HIGH This Week

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Traffic Server +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The Apache server on port 80 that host the web interface is vulnerable to a DoS by spamming incomplete HTTP headers, effectively blocking the access to the dashboard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Mir100 Firmware +9
NVD GitHub
EPSS 29% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Apache Authentication Bypass Spark +1
NVD
EPSS 24% CVSS 9.8
CRITICAL PATCH Act Now

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Authentication Bypass +1
NVD
EPSS 8% CVSS 5.3
MEDIUM PATCH This Month

Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Archiva
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomee
NVD
EPSS 9% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +11
NVD GitHub VulDB
EPSS 7% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +12
NVD GitHub VulDB
EPSS 2% CVSS 6.3
MEDIUM PATCH This Month

In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Privilege Escalation SSRF +1
NVD
EPSS 30% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Java Information Disclosure +1
NVD
EPSS 5% CVSS 9.1
CRITICAL PATCH Act Now

Apache Ignite uses H2 database to build SQL distributed execution engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Ignite
NVD
EPSS 97% CVSS 8.8
HIGH POC KEV PATCH THREAT This Week

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache Command Injection Kylin
NVD
EPSS 57% CVSS 7.0
HIGH POC PATCH THREAT This Week

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server;. Rated high severity (CVSS 7.0). This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache RCE Deserialization +26
NVD
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0) where, when. Rated medium severity (CVSS 4.7).

Apache Information Disclosure Flink
NVD
EPSS 6% CVSS 6.1
MEDIUM PATCH This Month

In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Activemq +6
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

Apache Camel Netty enables Java deserialization by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization +4
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

Apache Camel RabbitMQ enables Java deserialization by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization +4
NVD
EPSS 14% CVSS 7.5
HIGH PATCH This Week

Apache Camel's JMX is vulnerable to Rebind Flaw. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Camel +4
NVD
EPSS 2% CVSS 6.3
MEDIUM PATCH This Month

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. Rated medium severity (CVSS 6.3). This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Apache Java Information Disclosure +50
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The Apache NuttX (Incubating) project provides an optional separate "apps" repository which contains various optional components and example programs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Apache Null Pointer Dereference Denial Of Service +1
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java RCE +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Ivanti SQLi +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Apache Denial Of Service Traffic Server +1
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Iotdb
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Apache Log4J +45
NVD VulDB
EPSS 3% CVSS 5.5
MEDIUM PATCH This Month

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Apache Denial Of Service Tika +4
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +1
NVD
EPSS 6% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Deserialization Jackson Databind +17
NVD GitHub
EPSS 57% CVSS 6.1
MEDIUM PATCH This Month

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Http Server +13
NVD
EPSS 5% CVSS 6.5
MEDIUM PATCH This Month

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Druid
NVD
Prev Page 18 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy