Apache (The Apache Software Foundation)


Products by Apache, sorted by most security vulnerabilities since 2018

Product: vulnerabilities since 2018
Apache HTTP Server: 196
Apache Tomcat: 51 (JEE-compliant servlet container)
Apache OpenOffice: 39
Apache Traffic Server: 36
Apache CXF: 33
Apache Airflow: 26
Apache Solr: 21 (search engine written in Java)
Apache NiFi: 21
Apache Tika: 20
Apache OFBiz: 17
Apache Struts: 16
Apache Hadoop: 15
Apache JSPWiki: 15
Apache Dubbo: 14
Apache ActiveMQ: 13
Apache Spark: 13
Apache Camel: 12
Apache Superset: 12
Apache Log4j: 12
Apache ZooKeeper: 11
Apache Kylin: 11
Apache Karaf: 10
Apache Ozone: 9
Apache Guacamole: 9
Apache Hive: 9
Apache Kafka: 9
Apache Commons Compress: 8
Apache Tapestry: 8
Apache Syncope: 8
Apache PDFBox: 7
Apache Fineract: 7
Apache Storm: 7
Apache TomEE: 7
Apache Pluto: 7
Apache Mesos: 7
Apache SpamAssassin: 7
Apache Shiro: 7
Apache Traffic Control: 6
Apache XML Security for C++: 6
Apache Thrift: 6
Apache ShenYu: 6
Apache CXF Fediz: 6
Apache Subversion: 6
Apache Ignite: 6
Apache James: 6
Apache Ambari: 5
Apache APISIX: 5
Apache APR-util: 5
Apache CouchDB: 5
Apache Druid: 5
Apache Zeppelin: 5
Apache ActiveMQ Artemis: 4
Apache Ant: 4
Apache Archiva: 4
Apache Cassandra: 4
Apache Commons FileUpload: 4
Apache Portable Runtime (APR): 4
Apache DolphinScheduler: 4
Apache Drill: 4
Apache Geode: 4
Apache Groovy: 4
Apache Olingo: 4
Apache HttpClient: 4
Apache Impala: 4
Apache NetBeans: 4
Apache OpenMeetings: 3
Apache Allura: 3
Apache Any23: 3
Apache Unomi: 3
Apache Batik: 3
Apache BookKeeper: 3
Apache XML Security for Java: 3
Apache WSS4J: 3
Apache Ranger: 3
Apache HBase: 3
Apache Virtual Computing Lab (VCL): 3
Apache Xerces2 Java: 3
Apache POI: 3
Apache Qpid Broker-J: 3
Apache JMeter: 3
Apache Roller: 3
Apache NuttX: 3
Apache Http Server: 2 (tagged separately from Apache HTTP Server above)
Apache Arrow: 2
Apache Atlas: 2
Apache Axis2: 2
Apache Beam: 2
Apache Cayenne: 2
Apache Chainsaw: 2
Apache Commons BeanUtils: 2
Apache Commons Collections: 2
Apache Pulsar: 2
Apache DeltaSpike: 2
Apache Directory Studio: 2
Apache Gobblin: 2
Apache jUDDI: 2
Apache Kudu: 2
Apache Qpid: 2
Apache Maven: 2
Apache MINA: 2


By the Year

In 2022 there have been 88 vulnerabilities in Apache products, with an average CVSS base score of 7.7 out of ten. In 2021 Apache had 198 security vulnerabilities published. Apache is currently on track to have fewer security vulnerabilities in 2022 than last year; however, the average CVE base score of the 2022 vulnerabilities is higher by 0.17.

Year Vulnerabilities Average Score
2022 88 7.71
2021 198 7.53
2020 155 7.56
2019 149 7.33
2018 136 7.28

It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Security Vulnerabilities

CVE-2021-33036 8.8 - High - June 15, 2022

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Directory traversal

CVE-2022-25167 9.8 - Critical - June 14, 2022

Apache Flume versions 1.4.0 through 1.9.0 are vulnerable to remote code execution (RCE) when a configuration uses a JMS Source with a JNDI LDAP data source URI and an attacker controls the target LDAP server. The fix limits JNDI to the java protocol or to no protocol at all.

CVE-2021-37404 9.8 - Critical - June 13, 2022

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Classic Buffer Overflow

CVE-2022-30556 7.5 - High - June 09, 2022

Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

Information Disclosure

CVE-2022-31813 9.8 - Critical - June 09, 2022

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.

Insufficient Verification of Data Authenticity
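
The mechanism behind CVE-2022-31813, shown as an added Python example (not httpd code): a client lists `X-Forwarded-For` in its `Connection:` header, and a proxy that applies hop-by-hop stripping to the forwarding headers it added itself sends the origin a request with no client address at all. An origin that falls back to the TCP peer address then sees the proxy's IP and lets an "internal" request through. `PROXY_IP`, `ORIGIN_ALLOWLIST`, the host names and the request are constructed for the demo; the hardened branch models the corrected behaviour of never treating the proxy's own forwarding headers as hop-by-hop.

```python
"""Hop-by-hop header stripping applied to the proxy's own X-Forwarded-* headers
(the CVE-2022-31813 bug class). Added example in Python, not httpd code.
PROXY_IP, ORIGIN_ALLOWLIST and the request are constructed for the demo."""

PROXY_IP = "10.0.0.5"                 # constructed: address of the reverse proxy
ORIGIN_ALLOWLIST = {"10.0.0.5"}       # constructed: origin trusts "internal" peers
FORWARDING_HEADERS = {"x-forwarded-for", "x-forwarded-host", "x-forwarded-server"}


def hop_by_hop_names(headers):
    """Header names the client nominated as hop-by-hop in Connection:
    (RFC 7230 section 6.1: a proxy must drop those before forwarding)."""
    names = set()
    for name, value in headers.items():
        if name.lower() == "connection":
            for token in value.split(","):
                token = token.strip().lower()
                if token and token not in ("close", "keep-alive"):
                    names.add(token)
    return names


def proxy_forward(client_ip, headers, hardened):
    """Build the header set the proxy sends upstream.

    Vulnerable behaviour: the client-nominated hop-by-hop names are applied to
    everything, including the X-Forwarded-* headers the proxy itself adds.
    Hardened behaviour: the proxy's own forwarding headers are never treated
    as hop-by-hop, whatever the client put in Connection:."""
    drop = hop_by_hop_names(headers) | {"connection"}
    if hardened:
        drop -= FORWARDING_HEADERS
    # Never trust forwarding headers supplied by the client; the proxy sets them.
    forwarded = {k: v for k, v in headers.items()
                 if k.lower() not in drop and k.lower() not in FORWARDING_HEADERS}
    forwarded["X-Forwarded-For"] = client_ip
    forwarded["X-Forwarded-Host"] = headers.get("Host", "")
    forwarded["X-Forwarded-Server"] = "proxy.example"   # constructed name
    # Hop-by-hop removal runs last, after the proxy added its own headers.
    return {k: v for k, v in forwarded.items() if k.lower() not in drop}


def origin_client_ip(headers, peer_ip):
    """What a typical origin believes the client address is: the first
    X-Forwarded-For entry, else the TCP peer (assumed to be a direct, internal
    connection). That fallback is what the stripped header exploits."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def attacker_passes_ip_check(hardened):
    """Simulate an external client asking the proxy to drop X-Forwarded-For."""
    request = {"Host": "app.example", "Connection": "X-Forwarded-For, close"}
    upstream = proxy_forward("203.0.113.7", request, hardened=hardened)
    return origin_client_ip(upstream, PROXY_IP) in ORIGIN_ALLOWLIST
```

Two fixes apply, and both are worth doing: the proxy must not let the client nominate its forwarding headers as hop-by-hop (what 2.4.54 changed), and the origin must not fall back to the peer address for any authorization decision when a forwarding header is missing.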

CVE-2022-26377 7.5 - High - June 09, 2022

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4.53 and prior versions.

HTTP Request Smuggling

CVE-2022-28614 5.3 - Medium - June 09, 2022

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.

Integer Overflow or Wraparound

CVE-2022-28615 9.1 - Critical - June 09, 2022

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.

Integer Overflow or Wraparound

CVE-2022-29404 7.5 - High - June 09, 2022

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

Allocation of Resources Without Limits or Throttling

CVE-2022-30522 7.5 - High - June 09, 2022

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

Allocation of Resources Without Limits or Throttling

CVE-2022-24969 6.1 - Medium - June 09, 2022

Bypass of the fix for CVE-2021-25640: in Apache Dubbo prior to 2.6.12 and 2.7.15, use of the parseURL method leads to a bypass of the allowed-host check, which can result in an open redirect or SSRF vulnerability.

Open Redirect

CVE-2022-30973 5.5 - Medium - May 31, 2022

The fix for CVE-2022-30126 was not applied to the 1.x branch in the Apache Tika 1.28.2 release. A regular expression in the StandardsText class, used by the StandardsExtractingContentHandler, could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.

CVE-2022-29405 6.5 - Medium - May 25, 2022

In Apache Archiva, any registered user can reset the password of any other user. This is fixed in Archiva 2.2.8.

Incorrect Permission Assignment for Critical Resource

CVE-2022-29599 9.8 - Critical - May 23, 2022

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

Command Injection
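
The quoting bug class behind CVE-2022-29599, as an added Python example (not the maven-shared-utils code): wrapping an argument in double quotes keeps the shell from splitting it, but a POSIX shell still performs `$(...)`, backtick and `$VAR` expansion inside double quotes, so an attacker-controlled value that reaches a shell command line executes. The payload value is constructed; the example contrasts the naive quoter with single-quoting via `shlex.quote`, and with not involving a shell at all.

```python
"""Shell injection through naive double-quoting, the bug class fixed in
maven-shared-utils 3.3.3 (CVE-2022-29599). Added Python example, not the Maven
code; the argument values are constructed."""
import shlex
import subprocess


def quote_naive(arg):
    """Wrap the argument in double quotes, escaping only embedded quotes.
    A POSIX shell still expands $(...), `...` and $VAR inside double quotes."""
    return '"' + arg.replace('"', '\\"') + '"'


def quote_safe(arg):
    """Single-quote the argument; shlex.quote also handles embedded ' characters
    and leaves purely safe tokens (letters, digits, %+=:,./-) unquoted."""
    return shlex.quote(arg)


def build_command_line(argv, quoter):
    """Join an argv into one string the way code that builds a shell line does."""
    return " ".join(quoter(a) for a in argv)


def run_through_shell(command_line):
    """Run the joined string with sh -c; this is where the expansion happens."""
    result = subprocess.run(["sh", "-c", command_line],
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_without_shell(argv):
    """Preferred: hand argv straight to execve, so no quoting question arises."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


# Constructed "file name" carrying a command substitution.
PAYLOAD = "report-$(echo INJECTED).txt"


def echo_payload(quoter):
    """printf %s <payload> through the shell; returns what printf actually saw."""
    return run_through_shell(build_command_line(["printf", "%s", PAYLOAD], quoter))
```

With the naive quoter `printf` receives `report-INJECTED.txt`, i.e. the substitution ran; with `shlex.quote`, and with the argv form, it receives the payload byte for byte.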

CVE-2022-26650 7.5 - High - May 17, 2022

In Apache ShenYu (ShenYu-Bootstrap), RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make routing judgments, and both parameters are controllable by the user. An attacker can pass in a malicious regular expression and matching input, causing resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

Resource Exhaustion (ReDoS)

CVE-2022-25169 5.5 - Medium - May 16, 2022

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.

Allocation of Resources Without Limits or Throttling

CVE-2022-30126 5.5 - Medium - May 16, 2022

In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler, could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0.

CVE-2022-25762 8.6 - High - May 13, 2022

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.

Improper Resource Shutdown or Release

CVE-2022-29885 7.5 - High - May 12, 2022

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

CVE-2022-28890 9.8 - Critical - May 05, 2022

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

XXE

CVE-2022-29265 7.5 - High - April 30, 2022

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The EvaluateXPath, EvaluateXQuery and ValidateXml Processors attempt to resolve XML External Entity references when configured with default property values. Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.

XXE

CVE-2022-23942 7.5 - High - April 26, 2022

Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for the LDAP password, which may lead to information disclosure.

Use of Hard-coded Credentials

CVE-2022-24706 9.8 - Critical - April 26, 2022

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

Insecure Default Initialization of Resource

CVE-2022-29266 7.5 - High - April 20, 2022

In Apache APISIX before 2.13.1, the jwt-auth plugin leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

Generation of Error Message Containing Sensitive Information

CVE-2022-27479 9.8 - Critical - April 13, 2022

Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue.

SQL Injection

CVE-2022-24070 7.5 - High - April 12, 2022

Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.

Dangling pointer

CVE-2021-28544 4.3 - Medium - April 12, 2022

Regression in Subversion's authz protection of 'copyfrom' paths: Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed, not its contents. Both httpd and svnserve servers are vulnerable.

AuthZ

CVE-2021-31805 9.8 - Critical - April 12, 2022

The fix issued for CVE-2020-17530 was incomplete, so in Apache Struts 2.0.0 to 2.5.29 some tag attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to Remote Code Execution and security degradation.

EL Injection

CVE-2022-26850 4.3 - Medium - April 06, 2022

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

Insufficiently Protected Credentials

CVE-2022-23974 7.5 - High - April 05, 2022

In Apache Pinot 0.9.3 and older, the segment upload path allowed segment directories to be imported into Pinot tables. In Pinot installations that allow open access to the controller, a specially crafted request can potentially be exploited to cause disruption of the Pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

Stack Exhaustion

CVE-2022-25598 7.5 - High - March 30, 2022

Apache DolphinScheduler user registration is vulnerable to Regular expression Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

Resource Exhaustion

CVE-2022-25757 9.8 - Critical - March 28, 2022

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson keeps the last occurrence as the result. By sending JSON with a duplicate key, an attacker can bypass the body_schema validation in the request-validation plugin; for example, `{"string_payload":"bad","string_payload":"good"}` hides the "bad" input. Systems are affected only when all three of the following conditions hold: 1. body_schema validation is used in the request-validation plugin; 2. the upstream application uses a JSON library that keeps the first occurrence, such as jsoniter or gojay; 3. the upstream application does not validate the input again. The fix in APISIX re-encodes the validated JSON back into the request body on the APISIX side. This issue affects Apache APISIX 2.12.1 and prior versions.

Improper Input Validation
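
The parser differential described above, as an added Python example (not APISIX code): the gateway decodes with a last-key-wins parser, the upstream with a first-key-wins one, and the attacker places the forbidden value first. `ALLOWED` and the request body are constructed; the two parsers are modelled with `json.loads` and an `object_pairs_hook`, which is also how the strict variant rejects duplicates at any nesting depth. The fixed pipeline does what the APISIX fix does, forward the re-encoded document rather than the original bytes.

```python
"""Duplicate-key JSON differential behind CVE-2022-25757 (APISIX request-validation
plugin): the gateway decodes with a last-key-wins parser, the upstream with a
first-key-wins one. Added example, not APISIX code; ALLOWED and the request body
are constructed."""
import json

ALLOWED = {"good"}   # constructed: values the body_schema validation accepts


def parse_last_wins(text):
    """CPython's json (like lua-cjson) keeps the last duplicate key."""
    return json.loads(text)


def parse_first_wins(text):
    """Models libraries such as jsoniter or gojay that keep the first duplicate."""
    def keep_first(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)
        return obj
    return json.loads(text, object_pairs_hook=keep_first)


def parse_strict(text):
    """Rejects duplicate keys at any nesting level (the hook runs per object)."""
    def no_duplicates(pairs):
        keys = [k for k, _ in pairs]
        dupes = sorted({k for k in keys if keys.count(k) > 1})
        if dupes:
            raise ValueError(f"duplicate JSON keys: {dupes}")
        return dict(pairs)
    return json.loads(text, object_pairs_hook=no_duplicates)


def body_has_duplicate_keys(text):
    try:
        parse_strict(text)
    except ValueError:
        return True
    return False


def gateway_accepts(doc):
    return doc.get("string_payload") in ALLOWED


def upstream_value(body_text):
    """What the upstream application ends up acting on."""
    return parse_first_wins(body_text).get("string_payload")


def vulnerable_pipeline(body_text):
    """Validate the decoded document but forward the original bytes."""
    if not gateway_accepts(parse_last_wins(body_text)):
        return None
    return upstream_value(body_text)


def fixed_pipeline(body_text):
    """APISIX's fix: forward the re-encoded, validated document instead."""
    doc = parse_last_wins(body_text)
    if not gateway_accepts(doc):
        return None
    return upstream_value(json.dumps(doc))


# Constructed request body from the advisory: "bad" hides in front of "good".
EVIL_BODY = '{"string_payload":"bad","string_payload":"good"}'
```

Re-encoding closes this particular gap, but rejecting bodies with duplicate keys at the edge (the `parse_strict` variant) removes the whole class, since any later parser with different duplicate-key semantics, including nested objects, is then unreachable.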

CVE-2021-44040 7.5 - High - March 23, 2022

Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.

Improper Input Validation

CVE-2021-44759 8.1 - High - March 23, 2022

Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to mount a man-in-the-middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0.

Improper Authentication

CVE-2022-26779 7.5 - High - March 15, 2022

Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite is sent, could generate time deterministic tokens and brute force attempt to use them prior to the legitimate receiver accepting the invite. This feature is not enabled by default, the attacker is required to know or guess the project ID for the invite in addition to the invitation token, and the attacker would need to be an existing authorized user of CloudStack.

PRNG
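
The time-deterministic token weakness in the CloudStack entry, as an added Python example (not CloudStack code): a token drawn from a PRNG seeded with the creation time can be regenerated by anyone who can bracket that time, so an attacker who knows the project id and roughly when the invite went out simply replays the generator across the window. The token format, the invite store, the window and the timestamps are constructed; the fixed variant draws from the OS CSPRNG.

```python
"""Time-deterministic invitation tokens, the weakness class in CVE-2022-26779
(CloudStack project invites). Added example, not CloudStack code; the token
format, the invite store, the window and the timestamps are constructed."""
import random
import secrets

HEX = "0123456789abcdef"


def weak_token(issued_at):
    """Vulnerable pattern: a PRNG seeded with the creation time. Anyone who can
    guess the second the invite was created regenerates the same token."""
    rng = random.Random(int(issued_at))
    return "".join(rng.choice(HEX) for _ in range(32))


def strong_token(issued_at=None):
    """Fixed pattern: 128 bits from the OS CSPRNG, unrelated to the clock."""
    return secrets.token_hex(16)


class InviteStore:
    """Constructed stand-in for the server: a pending invite is redeemed by
    (project_id, token), exactly what the attacker must supply."""

    def __init__(self, token_factory):
        self._pending = set()
        self._token_factory = token_factory

    def create(self, project_id, issued_at):
        token = self._token_factory(issued_at)
        self._pending.add((project_id, token))
        return token

    def redeem(self, project_id, token):
        key = (project_id, token)
        if key in self._pending:
            self._pending.remove(key)
            return True
        return False


def attack(token_factory, project_id, issued_at, observed_at, window_seconds):
    """Attacker knows the project id and that an invite went out within the last
    window_seconds, but never sees the token. It replays the weak generator for
    every second in the window and tries each guess against the server."""
    store = InviteStore(token_factory)
    store.create(project_id, issued_at)
    for delta in range(window_seconds + 1):
        if store.redeem(project_id, weak_token(observed_at - delta)):
            return True
    return False
```

An hour-wide window costs 3,601 guesses, which is why the advisory calls the tokens brute-forceable; against the CSPRNG-backed store the same loop exhausts the window without a hit. Rate limiting redemption attempts per project id is a useful second layer but no substitute for unpredictable tokens.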

CVE-2022-22719 7.5 - High - March 14, 2022

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.

Improper Initialization

CVE-2022-22720 9.8 - Critical - March 14, 2022

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.

HTTP Request Smuggling

CVE-2022-22721 9.8 - Critical - March 14, 2022

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

Integer Overflow or Wraparound

CVE-2022-23943 9.8 - Critical - March 14, 2022

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker-provided data. This issue affects Apache HTTP Server 2.4.52 and prior versions.

Memory Corruption

CVE-2021-38296 7.5 - High - March 10, 2022

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl" or "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later.

Authentication Bypass by Capture-replay

CVE-2022-25312 9.1 - Critical - March 05, 2022

An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7.

XXE
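
The XXE class shared by the Jena, NiFi and Any23 entries, as an added example using Python's standard `xml.sax` (not any of those projects' code): a document declares an external general entity pointing at a local file and references it in content; a parser that resolves external entities returns the file's text as document content. The secret file and both documents are constructed by the example itself, and the hardened parser does what the NiFi fix does, leaving external entity resolution off and refusing any DOCTYPE.

```python
"""External entity resolution in an XML parser (the XXE class in the Jena, NiFi and
Any23 entries). Added example using Python's xml.sax, not the projects' code; the
secret file and the documents are constructed by the example itself."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data, including text pulled in through entities."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class RejectDTD:
    """Lexical handler that refuses any DOCTYPE, so no entity can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed")

    def endDTD(self):
        pass

    def comment(self, text):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_text(document, allow_external_entities):
    """Return the text content of document (bytes).

    allow_external_entities=True reproduces the vulnerable configuration
    (NiFi's default before 1.16.0, Jena 4.4.0); False is the hardened parser."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    if allow_external_entities:
        parser.setFeature(handler.feature_external_ges, True)
    else:
        parser.setFeature(handler.feature_external_ges, False)
        parser.setProperty(handler.property_lexical_handler, RejectDTD())
    parser.parse(io.BytesIO(document))
    return "".join(collector.parts)


def write_secret_file(content="s3cret-token-value"):
    """Constructed stand-in for a file the attacker wants, e.g. /etc/passwd."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def xxe_document(path):
    """Attacker-supplied document: an external general entity naming a local file."""
    return (f'<?xml version="1.0"?>'
            f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{path}">]>'
            f'<r>&xxe;</r>').encode()


def demo():
    """Returns (text the vulnerable parser leaks, whether the hardened one refused)."""
    path = write_secret_file()
    try:
        leaked = parse_text(xxe_document(path), allow_external_entities=True)
        try:
            parse_text(xxe_document(path), allow_external_entities=False)
            refused = False
        except ValueError:
            refused = True
    finally:
        os.unlink(path)
    return leaked, refused
```

The same entity mechanism reaches `http://` and other URL schemes, which is the SSRF side of XXE mentioned in the Any23 entry; disabling DTDs outright, rather than only external entities, also stops entity-expansion denial of service.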

CVE-2022-26336 5.5 - Medium - March 04, 2022

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.

Allocation of Resources Without Limits or Throttling

CVE-2021-45229 6.1 - Medium - February 25, 2022

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.

XSS

CVE-2022-24288 8.8 - High - February 25, 2022

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

Shell injection

CVE-2022-24947 8.8 - High - February 25, 2022

Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later.

Session Riding

CVE-2022-24948 6.1 - Medium - February 25, 2022

A carefully crafted user preferences form submission could trigger an XSS vulnerability in Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute JavaScript in the victim's browser and obtain sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.

XSS

CVE-2021-44521 9.1 - Critical - February 11, 2022

When running Apache Cassandra with the following configuration:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
it is possible for an attacker to execute arbitrary code on the host. The attacker would need enough permissions to create user defined functions in the cluster to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Code Injection

CVE-2022-24112 9.8 - Critical - February 11, 2022

An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. When the admin key has been changed, or the Admin API listens on a port different from the data plane, the impact is lower, but there is still a risk of bypassing the IP restriction of the APISIX data plane. The batch-requests plugin contains a check that overrides the client IP with its real remote IP, but due to a bug in the code this check can be bypassed.

Authentication Bypass by Spoofing

CVE-2022-24289 8.8 - High - February 11, 2022

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.

Marshaling, Unmarshaling

CVE-2022-22931 4.3 - Medium - February 07, 2022

The fix for CVE-2021-40525 does not prepend delimiters when validating directories. Affected implementations: the maildir mailbox store and the Sieve file repository. This lets a user access other users' data stores, limited to user names that have the current user's name as a prefix.

Directory traversal
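
The missing delimiter in the James fix, as an added Python example (not James code): a store path is checked with a plain string prefix, so `/var/mail/alice` authorizes `/var/mail/alicesmith/...` too, exactly the "user names prefixed by the current user's name" condition in the advisory. The mailbox root and user names are constructed; the corrected checks normalise first and then require either the store itself or a path below it with the separator made explicit.

```python
"""A prefix check without its delimiter, the bug class in CVE-2022-22931 (James
maildir store and Sieve repository). Added example, not James code; the mailbox
root and user names are constructed."""
import posixpath

MAIL_ROOT = "/var/mail"   # constructed layout: one directory per user


def user_store(user):
    return posixpath.join(MAIL_ROOT, user)


def owns_path_vulnerable(user, requested):
    """'/var/mail/alice' is a string prefix of '/var/mail/alicesmith/...',
    so alice is allowed into alicesmith's store."""
    return posixpath.normpath(requested).startswith(user_store(user))


def owns_path_fixed(user, requested):
    """Normalise first (collapses '..'), then require the store itself or a
    descendant, with the separator made explicit."""
    base = user_store(user)
    target = posixpath.normpath(requested)
    return target == base or target.startswith(base + "/")


def owns_path_commonpath(user, requested):
    """Same check written with commonpath, which never needs the manual '/'."""
    base = user_store(user)
    target = posixpath.normpath(requested)
    return posixpath.commonpath([base, target]) == base
```

Normalising before the comparison matters as much as the separator: without it, `/var/mail/alice/../bob/INBOX` passes every prefix test and still lands in bob's store.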

CVE-2022-23206 7.5 - High - February 06, 2022

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

XSPA

CVE-2022-23913 7.5 - High - February 04, 2022

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.

Resource Exhaustion

CVE-2021-36152 9.8 - Critical - February 04, 2022

Apache Gobblin trusts all certificates used for LDAP connections in Gobblin-as-a-Service. This affects versions <= 0.15.0. Users should update to version 0.16.0 which addresses this issue.

In Apache Gobblin, the Hadoop token is written to a temp file that is visible to all local users on Unix-like systems

CVE-2021-36151 5.5 - Medium - February 04, 2022

In Apache Gobblin, the Hadoop token is written to a temp file that is visible to all local users on Unix-like systems. This affects versions <= 0.15.0. Users should update to version 0.16.0 which addresses this issue.

Information Disclosure

Apache Superset up to and including 1.3.2 allowed the passwords of registered database connections to leak to authenticated users

CVE-2021-44451 6.5 - Medium - February 01, 2022

Apache Superset up to and including 1.3.2 allowed the passwords of registered database connections to leak to authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.

Insufficiently Protected Credentials

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user

CVE-2021-41571 6.5 - Medium - February 01, 2022

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid id for the topic. Authorisation controls are performed against the topic name, and there is no proper validation that the ledger id is valid in the context of that topic. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.

Improper Input Validation

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73

CVE-2022-23181 7 - High - January 27, 2022

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

TOCTTOU

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX)

CVE-2021-41766 8.1 - High - January 26, 2022

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not protected against this kind of attack. The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the target's class path. Generally speaking, deserialization of untrusted data always represents a high security risk and should be prevented. The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path. It depends on system-scoped classes (e.g. jars in the lib folder).

Marshaling, Unmarshaling

Apache Karaf obr:* commands and the run goal on the karaf-maven-plugin have a partial path traversal which allows breaking out of the expected folder

CVE-2022-22932 5.3 - Medium - January 26, 2022

Apache Karaf obr:* commands and the run goal on the karaf-maven-plugin have a partial path traversal which allows breaking out of the expected folder. The risk is low as obr:* commands are not widely used and the entry is set by the user. This has been fixed in revisions https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 and https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf. Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use a correct path. JIRA ticket: https://issues.apache.org/jira/browse/KARAF-7326

Directory traversal

Missing authentication on ShenYu Admin when registering by HTTP

CVE-2022-23945 7.5 - High - January 25, 2022

Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Missing Authentication for Critical Function

The HTTP response will disclose the user password

CVE-2022-23223 7.5 - High - January 25, 2022

The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Insufficiently Protected Credentials

User can access /plugin api without authentication

CVE-2022-23944 9.1 - Critical - January 25, 2022

User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Missing Authentication for Critical Function

Groovy Code Injection & SpEL Injection which lead to Remote Code Execution

CVE-2021-45029 9.8 - Critical - January 25, 2022

Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Code Injection

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads

CVE-2022-23437 6.5 - Medium - January 24, 2022

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

aka Blind XPath Injection

In Apache Airflow prior to 2.2.0

CVE-2021-45230 6.5 - Medium - January 20, 2022

In Apache Airflow prior to 2.2.0, this CVE applies to a specific case where a user who has "can_create" permissions on DAG Runs can create DAG Runs for DAGs that they don't have "edit" permissions for.

Improper Privilege Management

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI

CVE-2022-22733 6.5 - Medium - January 20, 2022

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has a guest account to perform privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.

Information Disclosure

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to

CVE-2022-23302 8.8 - High - January 18, 2022

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Marshaling, Unmarshaling

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters

CVE-2022-23305 9.8 - Critical - January 18, 2022

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

SQL Injection

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw

CVE-2022-23307 8.8 - High - January 18, 2022

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Marshaling, Unmarshaling

When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing

CVE-2021-42357 6.1 - Medium - January 17, 2022

When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through an XSS or phishing campaign.

XSS

Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses

CVE-2021-41767 6.5 - Medium - January 11, 2022

Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

Information Disclosure

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider

CVE-2021-43999 8.8 - High - January 11, 2022

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.

Authentication

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution

CVE-2021-43297 9.8 - Critical - January 10, 2022

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, it logs some information for users, which may cause remote command execution. This issue affects Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

Marshaling, Unmarshaling

A vulnerability in the .NET SDK of Apache Avro

CVE-2021-43045 7.5 - High - January 06, 2022

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.

Allocation of Resources Without Limits or Throttling

All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which

CVE-2021-27738 7.5 - High - January 06, 2022

All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in the HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin 3 versions prior to 3.1.2.

XSPA

Apache Kylin allows users to read data from other database systems using JDBC

CVE-2021-36774 6.5 - Medium - January 06, 2022

Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.

Exposure of Resource to Wrong Sphere

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user

CVE-2021-45456 9.8 - Critical - January 06, 2022

Apache Kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and proceed to the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

Command Injection

In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin

CVE-2021-45457 7.5 - High - January 06, 2022

In Apache Kylin, cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Insufficiently Protected Credentials

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords

CVE-2021-45458 7.5 - High - January 06, 2022

Apache Kylin provides the encryption class PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this class, the cipher is initialized with a hardcoded key and IV. If users use PasswordPlaceholderConfigurer to encrypt their password and configure it into Kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Inadequate Encryption Strength

Kylin can receive user input and load any class through Class.forName(

CVE-2021-31522 9.8 - Critical - January 06, 2022

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Reflection Injection

The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

CVE-2021-36739 6.1 - Medium - January 06, 2022

The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

XSS

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks

CVE-2021-36738 6.1 - Medium - January 06, 2022

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact.

XSS

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks

CVE-2021-36737 6.1 - Medium - January 06, 2022

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact.

XSS

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command

CVE-2021-38542 5.9 - Medium - January 04, 2022

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information.

Command Injection

In Apache James, while fuzzing the IMAP parsing stack with Jazzer, we discovered

CVE-2021-40111 6.5 - Medium - January 04, 2022

In Apache James, while fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade.

Infinite Loop

In Apache James, using the Jazzer fuzzer, we identified

CVE-2021-40110 7.5 - High - January 04, 2022

In Apache James, using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without back-tracking.

Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values

CVE-2021-34797 7.5 - High - January 04, 2022

Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0.

Insertion of Sensitive Information into Log File

The Apache James ManagedSieve implementation, together with the file storage for Sieve scripts, is vulnerable to path traversal

CVE-2021-40525 9.1 - Critical - January 04, 2022

The Apache James ManagedSieve implementation, together with the file storage for Sieve scripts, is vulnerable to path traversal, allowing reading and writing any file. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra-based products are not impacted.

Directory traversal

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server

CVE-2021-44832 6.6 - Medium - December 28, 2021

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Improper Input Validation

In Apache APISIX Dashboard before 2.10.1

CVE-2021-45232 9.8 - Critical - December 27, 2021

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces the framework `droplet` on top of the framework `gin`. All APIs and the authentication middleware are developed on `droplet`, but some APIs directly use the interface of `gin`, thus bypassing the authentication.

Missing Authentication for Critical Function

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to cause a DoS with malicious Parquet files

CVE-2021-41561 7.5 - High - December 20, 2021

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to cause a DoS with malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.

Improper Input Validation

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can

CVE-2021-44224 8.2 - High - December 20, 2021

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

NULL Pointer Dereference

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts)

CVE-2021-44790 9.8 - Critical - December 20, 2021

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Memory Corruption

Apache PLC4X - PLC4C (only the C language implementation was affected) was vulnerable to an unsigned integer underflow flaw inside the TCP transport

CVE-2021-43083 8.8 - High - December 19, 2021

Apache PLC4X - PLC4C (only the C language implementation was affected) was vulnerable to an unsigned integer underflow flaw inside the TCP transport. Users should update to 0.9.1, which addresses this issue. However, in order to exploit this vulnerability, a user would have to actively connect to a malicious device which could send a response with invalid content. Currently we consider the probability of this being exploited as quite minimal, however this could change in the future, especially with industrial networks growing more and more together.

Integer underflow

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect

CVE-2021-45105 5.9 - Medium - December 18, 2021

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Improper Input Validation

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file

CVE-2021-44145 6.5 - Medium - December 17, 2021

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

Information Disclosure

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations

CVE-2021-45046 9 - Critical - December 14, 2021

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Marshaling, Unmarshaling

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS

CVE-2021-44549 7.4 - High - December 14, 2021

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks, additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default.

- https://javaee.github.io/javamail/docs/SSLNOTES.txt
- https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html
- https://github.com/eclipse-ee4j/mail/issues/429

Improper Certificate Validation

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration

CVE-2021-4104 7.5 - High - December 14, 2021

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Marshaling, Unmarshaling

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2

CVE-2021-44228 10 - Critical - December 10, 2021

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Marshaling, Unmarshaling

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).