Skip to main content

Doris

6 CVEs product

Monthly

CVE-2026-58319 CRITICAL PATCH Act Now

Missing authentication on Apache Doris Frontend (FE) HTTP REST administrative APIs allows any unauthenticated attacker with network reach to the FE HTTP service to invoke privileged administrative operations, degrading cluster integrity and availability up to full denial of service. All Apache Doris releases before 3.1.0 (per EUVD, the 2.1.0 through pre-3.1.0 line) are affected, and a fixed release exists in 3.1.0. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the 9.1 Critical CVSS reflects the trivial unauthenticated network exploitability rather than confirmed in-the-wild use.

Apache Authentication Bypass Denial Of Service Doris
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-48019 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Doris
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2024-27438 CRITICAL Act Now

Download of Code Without Integrity Check vulnerability in Apache Doris. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Doris
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-26307 MEDIUM This Month

Possible race condition vulnerability in Apache Doris. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Race Condition Information Disclosure Apache Doris
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2023-41314 HIGH This Week

The api /api/snapshot and /api/get_log_file would allow unauthenticated access. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Doris
NVD
CVSS 3.1
8.2
EPSS
0.9%
CVE-2022-23942 PyPI HIGH PATCH This Week

Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Information Disclosure Doris
NVD
CVSS 3.1
7.5
EPSS
3.3%
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Missing authentication on Apache Doris Frontend (FE) HTTP REST administrative APIs allows any unauthenticated attacker with network reach to the FE HTTP service to invoke privileged administrative operations, degrading cluster integrity and availability up to full denial of service. All Apache Doris releases before 3.1.0 (per EUVD, the 2.1.0 through pre-3.1.0 line) are affected, and a fixed release exists in 3.1.0. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the 9.1 Critical CVSS reflects the trivial unauthenticated network exploitability rather than confirmed in-the-wild use.

Apache Authentication Bypass Denial Of Service +1
NVD VulDB
EPSS 1% CVSS 5.4
MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Doris
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Download of Code Without Integrity Check vulnerability in Apache Doris. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Doris
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Possible race condition vulnerability in Apache Doris. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Race Condition Information Disclosure Apache +1
NVD
EPSS 1% CVSS 8.2
HIGH This Week

The api /api/snapshot and /api/get_log_file would allow unauthenticated access. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Doris
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Information Disclosure +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy