Apache Security Vulnerabilities (CVEs)

Apache HertzBeat versions before 1.6.1 contain an information disclosure vulnerability that allows unauthorized actors to access sensitive information...

Apache Airflow versions before 2.10.3 contain a vulnerability where sensitive configuration variables (secrets) can be exposed in task logs. This allo...

A vulnerability in Apache Traffic Server allows a specially crafted Host header to cause a denial-of-service crash. This affects Apache Traffic Server...

Apache Traffic Server has an improper input validation vulnerability (CWE-20) that could allow attackers to cause denial of service or potentially exe...

This vulnerability in Apache CloudStack allows attackers who can register templates to deploy malicious instances on KVM-based environments, potential...

This vulnerability in Apache Tomcat allows attackers to cause denial of service by exploiting the TLS handshake process to trigger OutOfMemoryError co...

This stored cross-site scripting (XSS) vulnerability in Apache Syncope allows attackers to inject malicious scripts through incomplete HTML tags that ...

Apache CloudStack has a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to trick authenticated users into performing unauthorize...

Apache CloudStack has a vulnerability where users can upload malicious KVM-compatible templates or volumes that bypass validation checks. This allows ...

This CVE describes a session expiration vulnerability in Apache CloudStack's web interface where logout doesn't properly invalidate user sessions. An ...

Apache ActiveMQ Artemis versions before 2.29.0 expose the Log4J2 MBean through the authenticated Jolokia endpoint, allowing authenticated non-administ...

This CSRF vulnerability in Apache Roller allows attackers to escalate privileges on multi-blog/user websites. By exploiting the CSRF protection defici...

On Windows, Subversion's command-line argument processing can misinterpret specially crafted arguments due to character encoding issues, potentially a...

This vulnerability in Apache Commons IO allows attackers to cause denial of service by consuming excessive CPU resources through maliciously crafted i...

This vulnerability in Apache Avro's Java SDK allows attackers to execute arbitrary code by exploiting schema parsing flaws. It affects all users of Ap...

The Maven Archetype Plugin versions 3.2.1 through 3.2.x expose sensitive credentials by copying the user's settings.xml file into test artifacts. This...

This vulnerability in Apache Answer uses weak MD5 hashing of user email addresses for Gravatar integration, potentially exposing email addresses throu...

Apache Linkis versions up to 1.5.0 use a cryptographically weak random string generator (Commons Lang's RandomStringUtils) for Py4j token generation i...

This vulnerability allows local users on Unix-like systems to view and modify shared memory containing mod_jk configuration due to incorrect default p...

This vulnerability allows authorized attackers to execute arbitrary code on Apache HertzBeat servers by exploiting insecure deserialization in SnakeYa...

A padding oracle vulnerability in Apache Druid's optional druid-pac4j extension could allow attackers to manipulate session cookies. This affects Drui...

This CVE describes a Direct Request (Forced Browsing) vulnerability in Apache OFBiz that allows attackers to access restricted resources by directly r...

This CVE allows local users on Unix systems to read Apache Portable Runtime (APR) named shared memory segments due to overly permissive permissions. T...

Apache Airflow versions before 2.10.0 contain a cross-site scripting (XSS) vulnerability in provider documentation links. Malicious providers can exec...

Apache Helix Front (UI) contains a hard-coded secret that allows attackers to forge authentication cookies and spoof user sessions. This affects all v...

CVE-2024-42361 is a SQL injection vulnerability in Hertzbeat's monitoring endpoint that allows attackers to execute arbitrary SQL commands. This affec...

This vulnerability allows attackers to intercept SSH traffic and drop specific packets, potentially downgrading or disabling security features in Apac...

Apache Answer versions through 1.3.5 have a vulnerability where password reset links remain valid after being used, allowing potential account takeove...

This vulnerability in Apache DolphinScheduler allows authenticated users to read and write files they shouldn't have access to, potentially exposing s...

A privilege escalation vulnerability in Apache CloudStack allows domain admin accounts to query API and secret keys of all account-users, including ro...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench, allowing attackers to make unauthorized requests from...

Apache Linkis versions up to 1.5.0 contain a privilege escalation vulnerability where trusted accounts can access token information they shouldn't hav...

Apache Traffic Server versions 8.0.0-8.1.10 and 9.0.0-9.2.4 have a vulnerability where specially crafted Accept-Encoding headers can bypass cache look...

Apache Traffic Server improperly validates HTTP field names, allowing characters that violate HTTP specifications. This enables attackers to craft mal...

This vulnerability allows attackers to perform XML External Entity (XXE) attacks through Apache Drill's XML Format Plugin. By uploading a malicious XM...

This vulnerability allows attackers to inject HTML tags into text fields in Apache Syncope's Console and Enduser interfaces. When exploited, it enable...

This vulnerability in Apache Flink allows authenticated regular users to bypass authorization controls and access sensitive user information they shou...