Apache

All CVEs

2,550 total · sorted by risk
  • CVE-2022-45378 · Nov 14, 2022
    risk 0.00 · cvss · epss 0.02

    In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even…

  • CVE-2022-45136 · Nov 14, 2022
    risk 0.00 · cvss · epss 0.02

    Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The MySQL JDBC driver in particular is known to be vulnerable to this class of…

  • CVE-2022-27949 · Nov 14, 2022
    risk 0.00 · cvss · epss 0.02

    A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to…

  • CVE-2022-37865 · Nov 7, 2022
    risk 0.00 · cvss · epss 0.02

    With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when…

  • CVE-2022-37866 · Nov 7, 2022
    risk 0.00 · cvss · epss 0.02

    When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which…

  • CVE-2022-42920 · Nov 7, 2022
    risk 0.00 · cvss · epss 0.03

    Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass…

  • CVE-2022-33684 · Nov 4, 2022
    risk 0.00 · cvss · epss 0.01

    The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and…

  • CVE-2022-32287 · Nov 3, 2022
    risk 0.00 · cvss · epss 0.02

    A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA version…

  • CVE-2022-43670 · Nov 2, 2022
    risk 0.00 · cvss · epss 0.01

    An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management…

  • CVE-2022-43982 · Nov 2, 2022
    risk 0.00 · cvss · epss 0.01

    In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.

  • CVE-2022-43985 · Nov 2, 2022
    risk 0.00 · cvss · epss 0.01

    In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.

  • CVE-2022-34662 · Nov 1, 2022
    risk 0.00 · cvss · epss 0.01

    When users add resources to the resource center with a relation path, path traversal issues arise; this occurs only for logged-in users. Users can upgrade to version 3.0.0 or higher.

  • CVE-2022-26884 · Oct 28, 2022
    risk 0.00 · cvss · epss 0.01

    Users can read any file via the log server. Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.

  • CVE-2022-42467 · Oct 19, 2022
    risk 0.00 · cvss · epss 0.01

    When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of…

  • CVE-2022-42466 · Oct 19, 2022
    risk 0.00 · cvss · epss 0.01

    Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter JavaScript or similar and this would be executed.…

  • CVE-2022-41672 · Oct 7, 2022
    risk 0.00 · cvss · epss 0.01

    In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

  • CVE-2022-33683 · Sep 23, 2022
    risk 0.00 · cvss · epss 0.01

    Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable…

  • CVE-2022-33682 · Sep 23, 2022
    risk 0.00 · cvss · epss 0.01

    TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to…

  • CVE-2022-33681 · Sep 23, 2022
    risk 0.00 · cvss · epss 0.01

    Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are…

  • CVE-2022-24280 · Sep 23, 2022
    risk 0.00 · cvss · epss 0.01

    Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP…

  • CVE-2022-40705 · Sep 22, 2022
    risk 0.00 · cvss · epss 0.01

    An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also…

  • CVE-2022-40754 · Sep 21, 2022
    risk 0.00 · cvss · epss 0.01

    In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.

  • CVE-2022-40604 · Sep 21, 2022
    risk 0.00 · cvss · epss 0.02

    In Apache Airflow 2.3.0 through 2.3.4, part of a URL was unnecessarily formatted, allowing for possible information extraction.

  • CVE-2022-40955 · Sep 20, 2022
    risk 0.00 · cvss · epss 0.02

    In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code…

  • CVE-2022-38170 · Sep 2, 2022
    risk 0.00 · cvss · epss 0.01

    In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary…

  • CVE-2022-38054 · Sep 2, 2022
    risk 0.00 · cvss · epss 0.02

    In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.

  • CVE-2022-29158 · Sep 2, 2022
    risk 0.00 · cvss · epss 0.02

    Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599

  • CVE-2022-25371 · Sep 2, 2022
    risk 0.00 · cvss · epss 0.04

    Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in…

  • CVE-2022-25370 · Sep 2, 2022
    risk 0.00 · cvss · epss 0.02

    Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an…

  • CVE-2022-37435 · Sep 1, 2022
    risk 0.00 · cvss · epss 0.01

    Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.

  • CVE-2022-38362 · Aug 16, 2022
    risk 0.00 · cvss · epss 0.02

    Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.

  • CVE-2022-2838 · Aug 16, 2022
    risk 0.00 · cvss · epss 0.00

    In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities, allowing the injection of arbitrary definitions that are able to access local files and expose their contents via HTTP requests.

  • CVE-2022-37401 · Aug 13, 2022
    risk 0.00 · cvss · epss 0.01

    Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the master key was poorly encoded resulting in weakening…

  • CVE-2022-37400 · Aug 13, 2022
    risk 0.00 · cvss · epss 0.01

    Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption…

  • CVE-2022-31779 · Aug 10, 2022
    risk 0.00 · cvss · epss 0.02

    Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

  • CVE-2022-25763 · Aug 10, 2022
    risk 0.00 · cvss · epss 0.02

    Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggling or cache poisoning attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

  • CVE-2022-31780 · Aug 10, 2022
    risk 0.00 · cvss · epss 0.02

    Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

  • CVE-2022-31778 · Aug 10, 2022
    risk 0.00 · cvss · epss 0.02

    Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2.

  • CVE-2022-28129 · Aug 10, 2022
    risk 0.00 · cvss · epss 0.02

    Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

  • CVE-2021-37150 · Aug 10, 2022
    risk 0.00 · cvss · epss 0.02

    Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

  • CVE-2022-36125 · Aug 9, 2022
    risk 0.00 · cvss · epss 0.01

    It is possible to crash (panic) an application by providing corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

  • CVE-2022-36124 · Aug 9, 2022
    risk 0.00 · cvss · epss 0.01

    It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version…

  • CVE-2022-35724 · Aug 9, 2022
    risk 0.00 · cvss · epss 0.02

    It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which…

  • CVE-2022-27631 · Aug 5, 2022
    risk 0.00 · cvss · epss 0.01

    A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

  • CVE-2022-26437 · Aug 1, 2022
    risk 0.00 · cvss · epss 0.01

    In httpclient, there is a possible out of bounds write due to uninitialized data. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WSAP00103831; Issue ID: WSAP00103831.

  • CVE-2021-34538 · Jul 16, 2022
    risk 0.00 · cvss · epss 0.01

    In Apache Hive before 3.1.3, "CREATE" and "DROP" function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized…

  • CVE-2022-31781 · Jul 13, 2022
    risk 0.00 · cvss · epss 0.02

    Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the…

  • CVE-2021-37839 · Jul 6, 2022
    risk 0.00 · cvss · epss 0.01

    Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.

  • CVE-2022-33879 · Jun 27, 2022
    risk 0.00 · cvss · epss 0.02

    The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

  • CVE-2022-32549 · Jun 22, 2022
    risk 0.00 · cvss · epss 0.02

    Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.
