Filtered by vendor Apache
Subscriptions
Total
2625 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-42010 | 1 Apache | 1 Heron | 2025-05-07 | 9.8 Critical |
| Heron versions <= 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue. | ||||
| CVE-2023-50740 | 1 Apache | 1 Linkis | 2025-05-07 | 5.3 Medium |
| In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0 | ||||
| CVE-2024-26580 | 1 Apache | 1 Inlong | 2025-05-07 | 9.1 Critical |
| Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673 | ||||
| CVE-2022-43766 | 1 Apache | 1 Iotdb | 2025-05-07 | 7.5 High |
| Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it. | ||||
| CVE-2022-42468 | 1 Apache | 1 Flume | 2025-05-07 | 9.8 Critical |
| Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol. | ||||
| CVE-2024-29735 | 1 Apache | 1 Airflow | 2025-05-07 | 5.3 Medium |
| Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix group of the folders. In the case Airflow is run with the root user (not recommended) it added group write permission to all folders up to the root of the filesystem. If your log files are stored in the home directory, these permission changes might impact your ability to run SSH operations after your home directory becomes group-writeable. This issue does not affect users who use or extend Airflow using Official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ) - those images require to have group write permission set anyway. You are affected only if you install Airflow using local installation / virtualenv or other Docker images, but the issue has no impact if docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users. Also you should not be affected if your umask is 002 (group write enabled) - this is the default on many linux systems. Recommendation for users using Airflow outside of the containers: * if you are using root to run Airflow, change your Airflow user to use non-root * upgrade Apache Airflow to 2.8.4 or above * If you prefer not to upgrade, you can change the https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#file-task-handler-new-folder-permissions to 0o755 (original value 0o775). * if you already ran Airflow tasks before and your default umask is 022 (group write disabled) you should stop Airflow components, check permissions of AIRFLOW_HOME/logs in all your components and all parent directories of this directory and remove group write access for all the parent directories | ||||
| CVE-2022-42252 | 2 Apache, Redhat | 2 Tomcat, Jboss Enterprise Web Server | 2025-05-06 | 7.5 High |
| If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. | ||||
| CVE-2024-31860 | 1 Apache | 1 Zeppelin | 2025-05-06 | 6.5 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | ||||
| CVE-2024-27906 | 1 Apache | 1 Airflow | 2025-05-06 | 5.9 Medium |
| Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability | ||||
| CVE-2024-21742 | 1 Apache | 1 James Mime4j | 2025-05-06 | 5.3 Medium |
| Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages. | ||||
| CVE-2022-34662 | 1 Apache | 1 Dolphinscheduler | 2025-05-06 | 6.5 Medium |
| When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher | ||||
| CVE-2022-31777 | 2 Apache, Redhat | 2 Spark, Camel Spring Boot | 2025-05-06 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. | ||||
| CVE-2024-25065 | 1 Apache | 1 Ofbiz | 2025-05-05 | 9.1 Critical |
| Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | ||||
| CVE-2023-51747 | 1 Apache | 1 James | 2025-05-05 | 7.1 High |
| Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions. | ||||
| CVE-2023-51518 | 1 Apache | 1 James | 2025-05-05 | 9.8 Critical |
| Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally. We recommend users to: - Upgrade to a non-vulnerable Apache James version - Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible turn off JMX | ||||
| CVE-2023-50379 | 1 Apache | 1 Ambari | 2025-05-05 | 8.8 High |
| Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host. | ||||
| CVE-2024-22393 | 2 Apache, Apache Software Foundation | 2 Answer, Apache Answer | 2025-05-05 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content. Users are recommended to upgrade to version [1.2.5], which fixes the issue. | ||||
| CVE-2021-28656 | 1 Apache | 1 Zeppelin | 2025-05-05 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. | ||||
| CVE-2022-47894 | 1 Apache | 1 Zeppelin | 2025-05-05 | 5.3 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-31862 | 1 Apache | 1 Zeppelin | 2025-05-05 | 5.3 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | ||||