VYPR

Vendor CVEs

Apache

All CVEs

2,550 total · sorted by risk
  • CVE-2023-39913Nov 8, 2023
    risk 0.00cvss epss 0.01

    Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which…

  • CVE-2023-46819Nov 7, 2023
    risk 0.00cvss epss 0.02

    Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09.  Users are recommended to upgrade to version 18.12.09

  • CVE-2023-46851Nov 7, 2023
    risk 0.00cvss epss 0.02

    Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them.  Exposing internal files then can lead to other exploits, like session…

  • CVE-2023-46215Oct 28, 2023
    risk 0.00cvss epss 0.01

    Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information…

  • CVE-2023-46288Oct 23, 2023
    risk 0.00cvss epss 0.01

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST…

  • CVE-2023-31122Oct 23, 2023
    risk 0.00cvss epss 0.03

    Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.

  • CVE-2023-45802Oct 23, 2023
    risk 0.00cvss epss 0.03

    When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy…

  • CVE-2023-44483Oct 20, 2023
    risk 0.00cvss epss 0.01

    All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users…

  • CVE-2023-46227Oct 19, 2023
    risk 0.00cvss epss 0.01

    Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. …

  • CVE-2023-25753Oct 19, 2023
    risk 0.00cvss epss 0.01

    There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular…

  • CVE-2023-39456Oct 17, 2023
    risk 0.00cvss epss 0.53

    Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue.

  • CVE-2023-41752Oct 17, 2023
    risk 0.00cvss epss 0.01

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.

  • CVE-2023-43666Oct 16, 2023
    risk 0.00cvss epss 0.00

    Insufficient Verification of Data Authenticity vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve…

  • CVE-2023-43667Oct 16, 2023
    risk 0.00cvss epss 0.01

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can create misleading or false log records, making it harder to audit and…

  • CVE-2023-43668Oct 16, 2023
    risk 0.00cvss epss 0.01

    Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... .   Users are advised to upgrade…

  • CVE-2023-45757Oct 16, 2023
    risk 0.00cvss epss 0.01

    Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz page. An attacker that can send http request to bRPC server with rpcz enabled can inject arbitrary XSS code to the builtin rpcz page. Solution (choose one of…

  • CVE-2023-42663Oct 14, 2023
    risk 0.00cvss epss 0.02

    Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the…

  • CVE-2023-42792Oct 14, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus,…

  • CVE-2023-45348Oct 14, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to "non-sensitive-only". The `expose_config` option is False by default. It is…

  • CVE-2023-42780Oct 14, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those…

  • CVE-2023-44981Oct 11, 2023
    risk 0.00cvss epss 0.02

    Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in…

  • CVE-2023-39410Sep 29, 2023
    risk 0.00cvss epss 0.02

    When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should…

  • CVE-2023-41834Sep 19, 2023
    risk 0.00cvss epss 0.02

    Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject…

  • CVE-2023-41267Sep 14, 2023
    risk 0.00cvss epss 0.00

    In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package…

  • CVE-2023-42503Sep 14, 2023
    risk 0.00cvss epss 0.00

    Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue. A third party…

  • CVE-2023-41081Sep 13, 2023
    risk 0.00cvss epss 0.01

    Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied…

  • CVE-2023-40712Sep 12, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. …

  • CVE-2023-40611Sep 12, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users…

  • CVE-2023-32672Sep 6, 2023
    risk 0.00cvss epss 0.01

    An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL…

  • CVE-2023-39264Sep 6, 2023
    risk 0.00cvss epss 0.01

    By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. This vulnerability exists in Apache Superset versions up to and including 2.1.0.

  • CVE-2023-27523Sep 6, 2023
    risk 0.00cvss epss 0.01

    Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.

  • CVE-2023-36388Sep 6, 2023
    risk 0.00cvss epss 0.01

    Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.

  • CVE-2023-27526Sep 6, 2023
    risk 0.00cvss epss 0.01

    A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. 

  • CVE-2023-36387Sep 6, 2023
    risk 0.00cvss epss 0.01

    An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

  • CVE-2023-40743Sep 5, 2023
    risk 0.00cvss epss 0.02

    ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API…

  • CVE-2023-41180Sep 3, 2023
    risk 0.00cvss epss 0.00

    Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. The Disable Peer Verification property of InvokeHTTP was effectively flipped, disabling…

  • CVE-2023-40195Aug 28, 2023
    risk 0.00cvss epss 0.01

    Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to…

  • CVE-2023-27604Aug 28, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The…

  • CVE-2023-39441Aug 23, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate. …

  • CVE-2023-37379Aug 23, 2023
    risk 0.00cvss epss 0.01

    Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by…

  • CVE-2023-40273Aug 23, 2023
    risk 0.00cvss epss 0.01

    The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for…

  • CVE-2022-44729Aug 22, 2023
    risk 0.00cvss epss 0.01

    Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in…

  • CVE-2022-44730Aug 22, 2023
    risk 0.00cvss epss 0.01

    Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

  • CVE-2022-46751Aug 21, 2023
    risk 0.00cvss epss 0.02

    Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own…

  • CVE-2023-40037Aug 18, 2023
    risk 0.00cvss epss 0.02

    Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL…

  • CVE-2023-40272Aug 17, 2023
    risk 0.00cvss epss 0.02

    Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that…

  • CVE-2023-39553Aug 11, 2023
    risk 0.00cvss epss 0.02

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an…

  • CVE-2023-33934Aug 9, 2023
    risk 0.00cvss epss 0.01

    Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1.

  • CVE-2022-47185Aug 9, 2023
    risk 0.00cvss epss 0.01

    Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1.

  • CVE-2023-37581Aug 6, 2023
    risk 0.00cvss epss 0.01

    Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted…

Page 35 of 51