Vendor CVEs
Apache
All CVEs
2,550 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-45378 | 0.00 | — | 0.02 | Nov 14, 2022 | In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even… | |||
| CVE-2022-45136 | 0.00 | — | 0.02 | Nov 14, 2022 | Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of… | |||
| CVE-2022-27949 | 0.00 | — | 0.02 | Nov 14, 2022 | A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to… | |||
| CVE-2022-37865 | 0.00 | — | 0.02 | Nov 7, 2022 | With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when… | |||
| CVE-2022-37866 | 0.00 | — | 0.02 | Nov 7, 2022 | When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which… | |||
| CVE-2022-42920 | 0.00 | — | 0.03 | Nov 7, 2022 | Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass… | |||
| CVE-2022-33684 | 0.00 | — | 0.01 | Nov 4, 2022 | The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and… | |||
| CVE-2022-32287 | 0.00 | — | 0.02 | Nov 3, 2022 | A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version… | |||
| CVE-2022-43670 | 0.00 | — | 0.01 | Nov 2, 2022 | An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management… | |||
| CVE-2022-43982 | 0.00 | — | 0.01 | Nov 2, 2022 | In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | |||
| CVE-2022-43985 | 0.00 | — | 0.01 | Nov 2, 2022 | In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | |||
| CVE-2022-34662 | 0.00 | — | 0.01 | Nov 1, 2022 | When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher | |||
| CVE-2022-26884 | 0.00 | — | 0.01 | Oct 28, 2022 | Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. | |||
| CVE-2022-42467 | 0.00 | — | 0.01 | Oct 19, 2022 | When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of… | |||
| CVE-2022-42466 | 0.00 | — | 0.01 | Oct 19, 2022 | Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter javascript or similar and this would be executed.… | |||
| CVE-2022-41672 | 0.00 | — | 0.01 | Oct 7, 2022 | In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | |||
| CVE-2022-33683 | 0.00 | — | 0.01 | Sep 23, 2022 | Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable… | |||
| CVE-2022-33682 | 0.00 | — | 0.01 | Sep 23, 2022 | TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to… | |||
| CVE-2022-33681 | 0.00 | — | 0.01 | Sep 23, 2022 | Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are… | |||
| CVE-2022-24280 | 0.00 | — | 0.01 | Sep 23, 2022 | Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP… | |||
| CVE-2022-40705 | 0.00 | — | 0.01 | Sep 22, 2022 | An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also… | |||
| CVE-2022-40754 | 0.00 | — | 0.01 | Sep 21, 2022 | In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. | |||
| CVE-2022-40604 | 0.00 | — | 0.02 | Sep 21, 2022 | In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction. | |||
| CVE-2022-40955 | 0.00 | — | 0.02 | Sep 20, 2022 | In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code… | |||
| CVE-2022-38170 | 0.00 | — | 0.01 | Sep 2, 2022 | In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary… | |||
| CVE-2022-38054 | 0.00 | — | 0.02 | Sep 2, 2022 | In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | |||
| CVE-2022-29158 | 0.00 | — | 0.02 | Sep 2, 2022 | Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599 | |||
| CVE-2022-25371 | 0.00 | — | 0.04 | Sep 2, 2022 | Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in… | |||
| CVE-2022-25370 | 0.00 | — | 0.02 | Sep 2, 2022 | Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an… | |||
| CVE-2022-37435 | 0.00 | — | 0.01 | Sep 1, 2022 | Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. | |||
| CVE-2022-38362 | 0.00 | — | 0.02 | Aug 16, 2022 | Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host. | |||
| CVE-2022-2838 | 0.00 | — | 0.00 | Aug 16, 2022 | In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests. | |||
| CVE-2022-37401 | 0.00 | — | 0.01 | Aug 13, 2022 | Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening… | |||
| CVE-2022-37400 | 0.00 | — | 0.01 | Aug 13, 2022 | Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption… | |||
| CVE-2022-31779 | 0.00 | — | 0.02 | Aug 10, 2022 | Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||
| CVE-2022-25763 | 0.00 | — | 0.02 | Aug 10, 2022 | Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||
| CVE-2022-31780 | 0.00 | — | 0.02 | Aug 10, 2022 | Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||
| CVE-2022-31778 | 0.00 | — | 0.02 | Aug 10, 2022 | Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2. | |||
| CVE-2022-28129 | 0.00 | — | 0.02 | Aug 10, 2022 | Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||
| CVE-2021-37150 | 0.00 | — | 0.02 | Aug 10, 2022 | Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||
| CVE-2022-36125 | 0.00 | — | 0.01 | Aug 9, 2022 | It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue. | |||
| CVE-2022-36124 | 0.00 | — | 0.01 | Aug 9, 2022 | It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version… | |||
| CVE-2022-35724 | 0.00 | — | 0.02 | Aug 9, 2022 | It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which… | |||
| CVE-2022-27631 | 0.00 | — | 0.01 | Aug 5, 2022 | A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. | |||
| CVE-2022-26437 | 0.00 | — | 0.01 | Aug 1, 2022 | In httpclient, there is a possible out of bounds write due to uninitialized data. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WSAP00103831; Issue ID: WSAP00103831. | |||
| CVE-2021-34538 | 0.00 | — | 0.01 | Jul 16, 2022 | Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized… | |||
| CVE-2022-31781 | 0.00 | — | 0.02 | Jul 13, 2022 | Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the… | |||
| CVE-2021-37839 | 0.00 | — | 0.01 | Jul 6, 2022 | Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics. | |||
| CVE-2022-33879 | 0.00 | — | 0.02 | Jun 27, 2022 | The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. | |||
| CVE-2022-32549 | 0.00 | — | 0.02 | Jun 22, 2022 | Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files. |
- CVE-2022-45378Nov 14, 2022risk 0.00cvss —epss 0.02
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even…
- CVE-2022-45136Nov 14, 2022risk 0.00cvss —epss 0.02
Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of…
- CVE-2022-27949Nov 14, 2022risk 0.00cvss —epss 0.02
A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to…
- CVE-2022-37865Nov 7, 2022risk 0.00cvss —epss 0.02
With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when…
- CVE-2022-37866Nov 7, 2022risk 0.00cvss —epss 0.02
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which…
- CVE-2022-42920Nov 7, 2022risk 0.00cvss —epss 0.03
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass…
- CVE-2022-33684Nov 4, 2022risk 0.00cvss —epss 0.01
The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and…
- CVE-2022-32287Nov 3, 2022risk 0.00cvss —epss 0.02
A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version…
- CVE-2022-43670Nov 2, 2022risk 0.00cvss —epss 0.01
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management…
- CVE-2022-43982Nov 2, 2022risk 0.00cvss —epss 0.01
In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.
- CVE-2022-43985Nov 2, 2022risk 0.00cvss —epss 0.01
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.
- CVE-2022-34662Nov 1, 2022risk 0.00cvss —epss 0.01
When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher
- CVE-2022-26884Oct 28, 2022risk 0.00cvss —epss 0.01
Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
- CVE-2022-42467Oct 19, 2022risk 0.00cvss —epss 0.01
When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of…
- CVE-2022-42466Oct 19, 2022risk 0.00cvss —epss 0.01
Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter javascript or similar and this would be executed.…
- CVE-2022-41672Oct 7, 2022risk 0.00cvss —epss 0.01
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
- CVE-2022-33683Sep 23, 2022risk 0.00cvss —epss 0.01
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable…
- CVE-2022-33682Sep 23, 2022risk 0.00cvss —epss 0.01
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to…
- CVE-2022-33681Sep 23, 2022risk 0.00cvss —epss 0.01
Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are…
- CVE-2022-24280Sep 23, 2022risk 0.00cvss —epss 0.01
Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP…
- CVE-2022-40705Sep 22, 2022risk 0.00cvss —epss 0.01
An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also…
- CVE-2022-40754Sep 21, 2022risk 0.00cvss —epss 0.01
In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.
- CVE-2022-40604Sep 21, 2022risk 0.00cvss —epss 0.02
In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.
- CVE-2022-40955Sep 20, 2022risk 0.00cvss —epss 0.02
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code…
- CVE-2022-38170Sep 2, 2022risk 0.00cvss —epss 0.01
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary…
- CVE-2022-38054Sep 2, 2022risk 0.00cvss —epss 0.02
In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.
- CVE-2022-29158Sep 2, 2022risk 0.00cvss —epss 0.02
Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599
- CVE-2022-25371Sep 2, 2022risk 0.00cvss —epss 0.04
Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in…
- CVE-2022-25370Sep 2, 2022risk 0.00cvss —epss 0.02
Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an…
- CVE-2022-37435Sep 1, 2022risk 0.00cvss —epss 0.01
Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.
- CVE-2022-38362Aug 16, 2022risk 0.00cvss —epss 0.02
Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.
- CVE-2022-2838Aug 16, 2022risk 0.00cvss —epss 0.00
In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.
- CVE-2022-37401Aug 13, 2022risk 0.00cvss —epss 0.01
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening…
- CVE-2022-37400Aug 13, 2022risk 0.00cvss —epss 0.01
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption…
- CVE-2022-31779Aug 10, 2022risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
- CVE-2022-25763Aug 10, 2022risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
- CVE-2022-31780Aug 10, 2022risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
- CVE-2022-31778Aug 10, 2022risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2.
- CVE-2022-28129Aug 10, 2022risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
- CVE-2021-37150Aug 10, 2022risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
- CVE-2022-36125Aug 9, 2022risk 0.00cvss —epss 0.01
It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.
- CVE-2022-36124Aug 9, 2022risk 0.00cvss —epss 0.01
It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version…
- CVE-2022-35724Aug 9, 2022risk 0.00cvss —epss 0.02
It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which…
- CVE-2022-27631Aug 5, 2022risk 0.00cvss —epss 0.01
A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
- CVE-2022-26437Aug 1, 2022risk 0.00cvss —epss 0.01
In httpclient, there is a possible out of bounds write due to uninitialized data. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WSAP00103831; Issue ID: WSAP00103831.
- CVE-2021-34538Jul 16, 2022risk 0.00cvss —epss 0.01
Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized…
- CVE-2022-31781Jul 13, 2022risk 0.00cvss —epss 0.02
Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the…
- CVE-2021-37839Jul 6, 2022risk 0.00cvss —epss 0.01
Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.
- CVE-2022-33879Jun 27, 2022risk 0.00cvss —epss 0.02
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
- CVE-2022-32549Jun 22, 2022risk 0.00cvss —epss 0.02
Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.
Page 39 of 51