VYPR

Apache: All CVEs

2,550 total · sorted by risk
  • CVE-2023-22849 · Feb 4, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. …

  • CVE-2023-24997 · Feb 1, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7223…

  • CVE-2023-24977 · Feb 1, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7214…

  • CVE-2022-28331 · Jan 31, 2023
    risk 0.00 · cvss n/a · epss 0.02

    On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.

  • CVE-2022-25147 · Jan 31, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.

  • CVE-2022-24963 · Jan 31, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.

  • CVE-2023-24829 · Jan 31, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed…

  • CVE-2023-24830 · Jan 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.

  • CVE-2020-36658 · Jan 27, 2023
    risk 0.00 · cvss n/a · epss 0.00

    In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the…

  • CVE-2023-22884 · Jan 21, 2023
    risk 0.00 · cvss n/a · epss 0.11

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL…

  • CVE-2022-37436 · Jan 17, 2023
    risk 0.00 · cvss n/a · epss 0.58

    Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

  • CVE-2022-36760 · Jan 17, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version…

  • CVE-2006-20001 · Jan 17, 2023
    risk 0.00 · cvss n/a · epss 0.04

    A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.

  • CVE-2022-41703 · Jan 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user…

  • CVE-2022-45438 · Jan 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and…

  • CVE-2022-43721 · Jan 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

  • CVE-2022-43720 · Jan 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2…

  • CVE-2022-43719 · Jan 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

  • CVE-2022-43718 · Jan 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

  • CVE-2022-43717 · Jan 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and…

  • CVE-2022-46769 · Jan 9, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature. …

  • CVE-2022-45935 · Jan 6, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components include the SMTP stack and IMAP APPEND command. This issue affects Apache James server version…

  • CVE-2022-45787 · Jan 6, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Improper, overly lax permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or…

  • CVE-2022-45875 · Jan 4, 2023
    risk 0.00 · cvss n/a · epss 0.03

    Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by…

  • CVE-2021-32824 · Jan 3, 2023
    risk 0.00 · cvss n/a · epss 0.03

    Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers…

  • CVE-2022-45347 · Dec 22, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has…

  • CVE-2022-46421 · Dec 20, 2022
    risk 0.00 · cvss n/a · epss 0.03

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: before 5.0.0.

  • CVE-2022-37392 · Dec 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

  • CVE-2022-32749 · Dec 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions. This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.

  • CVE-2022-47500 · Dec 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component. This issue affects Apache Helix all releases from 0.8.0 to 1.0.4. Solution: removed the forward component since it was improperly designed for UI…

  • CVE-2022-46870 · Dec 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to…

  • CVE-2021-28655 · Dec 16, 2022
    risk 0.00 · cvss n/a · epss 0.02

    The improper Input Validation vulnerability in the "Move folder to Trash" feature of Apache Zeppelin allows an attacker to delete arbitrary files. This issue affects Apache Zeppelin version 0.9.0 and prior versions.

  • CVE-2022-32531 · Dec 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior…

  • CVE-2022-34271 · Dec 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in import module of Apache Atlas allows an authenticated user to write to web server filesystem. This issue affects Apache Atlas versions from 0.8.4 to 2.2.0.

  • CVE-2022-46364 · Dec 13, 2022
    risk 0.00 · cvss n/a · epss 0.02

    A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

  • CVE-2022-46363 · Dec 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check…

  • CVE-2022-45910 · Dec 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries,…

  • CVE-2021-37533 · Dec 3, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of…

  • CVE-2022-46366 · Dec 2, 2022
    risk 0.00 · cvss n/a · epss 0.04

    Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version…

  • CVE-2022-26885 · Nov 24, 2022
    risk 0.00 · cvss n/a · epss 0.01

    When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.

  • CVE-2022-45462 · Nov 23, 2022
    risk 0.00 · cvss n/a · epss 0.03

    Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher.

  • CVE-2022-38649 · Nov 22, 2022
    risk 0.00 · cvss n/a · epss 0.03

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue…

  • CVE-2022-40189 · Nov 22, 2022
    risk 0.00 · cvss n/a · epss 0.04

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue…

  • CVE-2022-40954 · Nov 22, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbitrary files in the task execution context, without write access to DAG files. This issue…

  • CVE-2022-41131 · Nov 22, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG files. This issue…

  • CVE-2022-45470 · Nov 21, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Missing input validation in Apache Hama may cause information disclosure through path traversal and XSS. Since Apache Hama is EOL, we do not expect these issues to be fixed.

  • CVE-2022-45402 · Nov 15, 2022
    risk 0.00 · cvss n/a · epss 0.82

    In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.

  • CVE-2022-40308 · Nov 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    If anonymous read is enabled, it's possible to read the database file directly without logging in.

  • CVE-2022-40309 · Nov 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Users with write permissions to a repository can delete arbitrary directories.

  • CVE-2022-40127 · Nov 14, 2022
    risk 0.00 · cvss n/a · epss 0.86

    A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

Page 38 of 51