Vendor CVEs
Apache
All CVEs
2,550 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-33140 | 0.00 | — | 0.04 | Jun 15, 2022 | The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is… | |||
| CVE-2022-31813 | 0.00 | — | 0.03 | Jun 8, 2022 | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. | |||
| CVE-2022-30556 | 0.00 | — | 0.05 | Jun 8, 2022 | Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. | |||
| CVE-2022-29404 | 0.00 | — | 0.06 | Jun 8, 2022 | In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. | |||
| CVE-2022-28615 | 0.00 | — | 0.06 | Jun 8, 2022 | Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua… | |||
| CVE-2022-28614 | 0.00 | — | 0.04 | Jun 8, 2022 | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from… | |||
| CVE-2022-28330 | 0.00 | — | 0.03 | Jun 8, 2022 | Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. | |||
| CVE-2022-30973 | 0.00 | — | 0.02 | May 31, 2022 | We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted… | |||
| CVE-2022-29405 | 0.00 | — | 0.02 | May 25, 2022 | In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8 | |||
| CVE-2022-26650 | 0.00 | — | 0.02 | May 17, 2022 | In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters… | |||
| CVE-2022-30126 | 0.00 | — | 0.03 | May 16, 2022 | In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler,… | |||
| CVE-2022-25169 | 0.00 | — | 0.02 | May 16, 2022 | The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. | |||
| CVE-2022-28890 | 0.00 | — | 0.02 | May 5, 2022 | A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities. | |||
| CVE-2022-29265 | 0.00 | — | 0.02 | Apr 30, 2022 | Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors… | |||
| CVE-2022-27479 | 0.00 | — | 0.03 | Apr 13, 2022 | Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue. | |||
| CVE-2022-24070 | 0.00 | — | 0.09 | Apr 12, 2022 | Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do… | |||
| CVE-2021-28544 | 0.00 | — | 0.03 | Apr 12, 2022 | Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy… | |||
| CVE-2022-26850 | 0.00 | — | 0.01 | Apr 6, 2022 | When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi… | |||
| CVE-2022-25598 | 0.00 | — | 0.02 | Mar 30, 2022 | Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. | |||
| CVE-2022-25757 | 0.00 | — | 0.02 | Mar 28, 2022 | In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example,… | |||
| CVE-2021-44759 | 0.00 | — | 0.02 | Mar 23, 2022 | Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0. | |||
| CVE-2021-44040 | 0.00 | — | 0.02 | Mar 23, 2022 | Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1. | |||
| CVE-2022-26779 | 0.00 | — | 0.03 | Mar 15, 2022 | Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite is… | |||
| CVE-2022-25312 | 0.00 | — | 0.03 | Mar 4, 2022 | An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with… | |||
| CVE-2021-45229 | 0.00 | — | 0.03 | Feb 25, 2022 | It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. | |||
| CVE-2021-20325 | 0.00 | — | 0.02 | Feb 18, 2022 | Missing fixes for CVE-2021-40438 and CVE-2021-26691 in the versions of httpd, as shipped in Red Hat Enterprise Linux 8.5.0, causes a security regression compared to the versions shipped in Red Hat Enterprise Linux 8.4. A user who installs or updates to Red Hat Enterprise Linux… | |||
| CVE-2022-23206 | 0.00 | — | 0.02 | Feb 6, 2022 | In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach. | |||
| CVE-2021-41571 | 0.00 | — | 0.02 | Feb 1, 2022 | In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed… | |||
| CVE-2022-23945 | 0.00 | — | 0.04 | Jan 25, 2022 | Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. | |||
| CVE-2022-23223 | 0.00 | — | 0.04 | Jan 25, 2022 | On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. | |||
| CVE-2021-45230 | 0.00 | — | 0.02 | Jan 20, 2022 | In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for. | |||
| CVE-2021-42357 | 0.00 | — | 0.03 | Jan 17, 2022 | When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This… | |||
| CVE-2021-43999 | 0.00 | — | 0.02 | Jan 11, 2022 | Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user. | |||
| CVE-2021-41767 | 0.00 | — | 0.02 | Jan 11, 2022 | Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's… | |||
| CVE-2021-43045 | 0.00 | — | 0.03 | Jan 6, 2022 | A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0… | |||
| CVE-2021-44548 | 0.00 | — | 0.05 | Dec 23, 2021 | An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this… | |||
| CVE-2021-43083 | 0.00 | — | 0.02 | Dec 19, 2021 | Apache PLC4X - PLC4C (Only the C language implementation was effected) was vulnerable to an unsigned integer underflow flaw inside the tcp transport. Users should update to 0.9.1, which addresses this issue. However, in order to exploit this vulnerability, a user would have to… | |||
| CVE-2021-44145 | 0.00 | — | 0.02 | Dec 17, 2021 | In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information. | |||
| CVE-2021-44549 | 0.00 | — | 0.02 | Dec 14, 2021 | Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility… | |||
| CVE-2021-43410 | 0.00 | — | 0.02 | Dec 9, 2021 | Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1]… | |||
| CVE-2021-42250 | 0.00 | — | 0.02 | Nov 17, 2021 | Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs. | |||
| CVE-2021-37580 | 0.00 | — | 0.40 | Nov 16, 2021 | A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0 | |||
| CVE-2021-41972 | 0.00 | — | 0.01 | Nov 12, 2021 | Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way. | |||
| CVE-2021-43350 | 0.00 | — | 0.04 | Nov 11, 2021 | An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter. | |||
| CVE-2021-26558 | 0.00 | — | 0.02 | Nov 11, 2021 | Deserialization of Untrusted Data vulnerability of Apache ShardingSphere-UI allows an attacker to inject outer link resources. This issue affects Apache ShardingSphere-UI Apache ShardingSphere-UI version 4.1.1 and later versions; Apache ShardingSphere-UI versions prior to 5.0.0. | |||
| CVE-2021-33800 | 0.00 | — | 0.01 | Nov 3, 2021 | In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal. | |||
| CVE-2021-43082 | 0.00 | — | 0.02 | Nov 3, 2021 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0. | |||
| CVE-2021-41585 | 0.00 | — | 0.02 | Nov 3, 2021 | Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0. | |||
| CVE-2021-38161 | 0.00 | — | 0.02 | Nov 3, 2021 | Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8. | |||
| CVE-2021-37149 | 0.00 | — | 0.03 | Nov 3, 2021 | Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0. |
- CVE-2022-33140Jun 15, 2022risk 0.00cvss —epss 0.04
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is…
- CVE-2022-31813Jun 8, 2022risk 0.00cvss —epss 0.03
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
- CVE-2022-30556Jun 8, 2022risk 0.00cvss —epss 0.05
Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
- CVE-2022-29404Jun 8, 2022risk 0.00cvss —epss 0.06
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
- CVE-2022-28615Jun 8, 2022risk 0.00cvss —epss 0.06
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua…
- CVE-2022-28614Jun 8, 2022risk 0.00cvss —epss 0.04
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from…
- CVE-2022-28330Jun 8, 2022risk 0.00cvss —epss 0.03
Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.
- CVE-2022-30973May 31, 2022risk 0.00cvss —epss 0.02
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted…
- CVE-2022-29405May 25, 2022risk 0.00cvss —epss 0.02
In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
- CVE-2022-26650May 17, 2022risk 0.00cvss —epss 0.02
In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters…
- CVE-2022-30126May 16, 2022risk 0.00cvss —epss 0.03
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler,…
- CVE-2022-25169May 16, 2022risk 0.00cvss —epss 0.02
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
- CVE-2022-28890May 5, 2022risk 0.00cvss —epss 0.02
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
- CVE-2022-29265Apr 30, 2022risk 0.00cvss —epss 0.02
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors…
- CVE-2022-27479Apr 13, 2022risk 0.00cvss —epss 0.03
Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue.
- CVE-2022-24070Apr 12, 2022risk 0.00cvss —epss 0.09
Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do…
- CVE-2021-28544Apr 12, 2022risk 0.00cvss —epss 0.03
Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy…
- CVE-2022-26850Apr 6, 2022risk 0.00cvss —epss 0.01
When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi…
- CVE-2022-25598Mar 30, 2022risk 0.00cvss —epss 0.02
Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.
- CVE-2022-25757Mar 28, 2022risk 0.00cvss —epss 0.02
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example,…
- CVE-2021-44759Mar 23, 2022risk 0.00cvss —epss 0.02
Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0.
- CVE-2021-44040Mar 23, 2022risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.
- CVE-2022-26779Mar 15, 2022risk 0.00cvss —epss 0.03
Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite is…
- CVE-2022-25312Mar 4, 2022risk 0.00cvss —epss 0.03
An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with…
- CVE-2021-45229Feb 25, 2022risk 0.00cvss —epss 0.03
It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.
- CVE-2021-20325Feb 18, 2022risk 0.00cvss —epss 0.02
Missing fixes for CVE-2021-40438 and CVE-2021-26691 in the versions of httpd, as shipped in Red Hat Enterprise Linux 8.5.0, causes a security regression compared to the versions shipped in Red Hat Enterprise Linux 8.4. A user who installs or updates to Red Hat Enterprise Linux…
- CVE-2022-23206Feb 6, 2022risk 0.00cvss —epss 0.02
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
- CVE-2021-41571Feb 1, 2022risk 0.00cvss —epss 0.02
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed…
- CVE-2022-23945Jan 25, 2022risk 0.00cvss —epss 0.04
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
- CVE-2022-23223Jan 25, 2022risk 0.00cvss —epss 0.04
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
- CVE-2021-45230Jan 20, 2022risk 0.00cvss —epss 0.02
In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.
- CVE-2021-42357Jan 17, 2022risk 0.00cvss —epss 0.03
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This…
- CVE-2021-43999Jan 11, 2022risk 0.00cvss —epss 0.02
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.
- CVE-2021-41767Jan 11, 2022risk 0.00cvss —epss 0.02
Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's…
- CVE-2021-43045Jan 6, 2022risk 0.00cvss —epss 0.03
A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0…
- CVE-2021-44548Dec 23, 2021risk 0.00cvss —epss 0.05
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this…
- CVE-2021-43083Dec 19, 2021risk 0.00cvss —epss 0.02
Apache PLC4X - PLC4C (Only the C language implementation was effected) was vulnerable to an unsigned integer underflow flaw inside the tcp transport. Users should update to 0.9.1, which addresses this issue. However, in order to exploit this vulnerability, a user would have to…
- CVE-2021-44145Dec 17, 2021risk 0.00cvss —epss 0.02
In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
- CVE-2021-44549Dec 14, 2021risk 0.00cvss —epss 0.02
Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility…
- CVE-2021-43410Dec 9, 2021risk 0.00cvss —epss 0.02
Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1]…
- CVE-2021-42250Nov 17, 2021risk 0.00cvss —epss 0.02
Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.
- CVE-2021-37580Nov 16, 2021risk 0.00cvss —epss 0.40
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0
- CVE-2021-41972Nov 12, 2021risk 0.00cvss —epss 0.01
Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
- CVE-2021-43350Nov 11, 2021risk 0.00cvss —epss 0.04
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
- CVE-2021-26558Nov 11, 2021risk 0.00cvss —epss 0.02
Deserialization of Untrusted Data vulnerability of Apache ShardingSphere-UI allows an attacker to inject outer link resources. This issue affects Apache ShardingSphere-UI Apache ShardingSphere-UI version 4.1.1 and later versions; Apache ShardingSphere-UI versions prior to 5.0.0.
- CVE-2021-33800Nov 3, 2021risk 0.00cvss —epss 0.01
In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal.
- CVE-2021-43082Nov 3, 2021risk 0.00cvss —epss 0.02
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0.
- CVE-2021-41585Nov 3, 2021risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0.
- CVE-2021-38161Nov 3, 2021risk 0.00cvss —epss 0.02
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.
- CVE-2021-37149Nov 3, 2021risk 0.00cvss —epss 0.03
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
Page 40 of 51