Apache Apache The Apache Software Foundation

Do you want an email whenever new security vulnerabilities are reported in any Apache product?

Products by Apache Sorted by Most Security Vulnerabilities since 2018

Apache HTTP Server183 vulnerabilities

Apache Tomcat42 vulnerabilities
JEE Compliant Servlet Container

Apache Cxf32 vulnerabilities

Apache Traffic Server28 vulnerabilities

Apache Airflow23 vulnerabilities

Apache Solr20 vulnerabilities
Search engine written in java

Apache Nifi18 vulnerabilities

Apache Tika17 vulnerabilities

Apache Ofbiz17 vulnerabilities

Apache Struts15 vulnerabilities

Apache Dubbo12 vulnerabilities

Apache Hadoop12 vulnerabilities

Apache Activemq11 vulnerabilities

Apache Camel11 vulnerabilities

Apache Jspwiki11 vulnerabilities

Apache Spark11 vulnerabilities

Apache Openoffice11 vulnerabilities

Apache Zookeeper9 vulnerabilities

Apache Hive9 vulnerabilities

Apache Commons Compress8 vulnerabilities

Apache Superset8 vulnerabilities

Apache Kafka8 vulnerabilities

Apache Karaf8 vulnerabilities

Apache Tapestry8 vulnerabilities

Apache Syncope8 vulnerabilities

Apache Shiro7 vulnerabilities

Apache Fineract7 vulnerabilities

Apache Spamassassin7 vulnerabilities

Apache Mesos7 vulnerabilities

Apache Pdfbox7 vulnerabilities

Apache Cxf Fediz6 vulnerabilities

Apache Xml Security For C6 vulnerabilities

Apache Guacamole6 vulnerabilities

Apache Ignite6 vulnerabilities

Apache Thrift6 vulnerabilities

Apache Tomee6 vulnerabilities

Apache Ambari5 vulnerabilities

Apache Zeppelin5 vulnerabilities

Apache Apr Util5 vulnerabilities

Apache Druid5 vulnerabilities

Apache Kylin5 vulnerabilities

Apache Storm5 vulnerabilities

Apache Ant4 vulnerabilities

Apache Subversion4 vulnerabilities

Apache Commons Fileupload4 vulnerabilities

Apache Couchdb4 vulnerabilities

Apache Portable Runtime4 vulnerabilities

Apache Httpclient4 vulnerabilities

Apache Impala4 vulnerabilities

Apache Netbeans4 vulnerabilities

Apache Olingo4 vulnerabilities

Apache Traffic Control4 vulnerabilities

Apache Activemq Artemis3 vulnerabilities

Apache Allura3 vulnerabilities

Apache Roller3 vulnerabilities

Apache Archiva3 vulnerabilities

Apache Batik3 vulnerabilities

Apache Qpid Broker J3 vulnerabilities

Apache Cassandra3 vulnerabilities

Apache Xml Security For Java3 vulnerabilities

Apache Ranger3 vulnerabilities

Apache Virtual Computing Lab3 vulnerabilities

Apache Xerces2 Java3 vulnerabilities

Apache Wss4j3 vulnerabilities

Apache Groovy3 vulnerabilities

Apache Unomi3 vulnerabilities

Apache Hbase3 vulnerabilities

Apache Jmeter3 vulnerabilities

Apache Log4j3 vulnerabilities

Apache Pluto3 vulnerabilities

Apache Nuttx3 vulnerabilities

Apache Openmeetings3 vulnerabilities

Apache Any232 vulnerabilities

Apache Http Server2 vulnerabilities

Apache Arrow2 vulnerabilities

Apache Wicket2 vulnerabilities

Apache Tomcat Jk Connector2 vulnerabilities

Apache Axis2 vulnerabilities

Apache Beam2 vulnerabilities

Apache Commons Beanutils2 vulnerabilities

Apache Commons Collections2 vulnerabilities

Apache Xerces C2 vulnerabilities

Apache Commons Imaging2 vulnerabilities

Apache Qpid2 vulnerabilities

Apache Cordova2 vulnerabilities

Apache Deltaspike2 vulnerabilities

Apache Directory Studio2 vulnerabilities

Apache Dolphinscheduler2 vulnerabilities

Apache Drill2 vulnerabilities

Apache Geode2 vulnerabilities

Apache Heron2 vulnerabilities

Apache Incubator Superset2 vulnerabilities

Apache Iotdb2 vulnerabilities

Apache Juddi2 vulnerabilities

Apache Poi2 vulnerabilities

Apache Kudu2 vulnerabilities

Apache Maven2 vulnerabilities

Apache Myfaces2 vulnerabilities

Apache Tomcat Native2 vulnerabilities

@TheASF Tweets

RT @cassandra: Say hello to Harry, Apache Cassandra's component, for fuzz testing and verification. Watch Alex Petrov's talk from @ApacheCo…
Fri Oct 22 13:56:42 +0000 2021

RT @CloudStack: #CloudStack community, we have some exciting news! Sebastian Bretschneider from @NTTData will talk about the “Use of taggin…
Fri Oct 22 13:51:52 +0000 2021

Congratulations to Apache Arrow, Apache Solr, and Apache Superset for winning InfoWorld Bossie Awards for the best… https://t.co/SvyBX5aD1q
Thu Oct 21 20:41:19 +0000 2021

The Apache Weekly News Round-up: week ending 15 October https://t.co/0UxnyfVlwX --news from ASF Infrastructure, Com… https://t.co/updpOO08pe
Mon Oct 18 13:17:41 +0000 2021

It's the end of an era, and the beginning of a new one: The ASF moves to a CDN for distribution of software. https://t.co/6rns4rOr0E
Thu Oct 14 19:17:38 +0000 2021

By the Year

In 2021 there have been 154 vulnerabilities in Apache with an average score of 7.5 out of ten. Last year Apache had 148 security vulnerabilities published. That is, 6 more vulnerabilities have already been reported in 2021 as compared to last year. Last year, the average CVE base score was greater by 0.09

Year Vulnerabilities Average Score
2021 154 7.45
2020 148 7.54
2019 143 7.33
2018 136 7.28

It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Security Vulnerabilities

Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default)

CVE-2021-41971 8.8 - High - October 18, 2021

Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.

SQL Injection

Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page

CVE-2021-32609 5.4 - Medium - October 18, 2021

Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page.

XSS

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document

CVE-2021-38295 7.3 - High - October 14, 2021

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2

Improper Privilege Management

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5

CVE-2021-42340 7.5 - High - October 14, 2021

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Missing Release of Resource after Effective Lifetime

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email

CVE-2021-42009 4.3 - Medium - October 12, 2021

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to 5.1.3 or 6.0.0. 4.1.x users should upgrade to 5.1.3.

Improper Input Validation

It is possible for an attacker to manipulate documents to appear to be signed by a trusted source

CVE-2021-41832 7.5 - High - October 11, 2021

It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25635 for the LibreOffice advisory.

Improper Verification of Cryptographic Signature

It is possible for an attacker to manipulate the timestamp of signed documents

CVE-2021-41831 5.3 - Medium - October 11, 2021

It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25634 for the LibreOffice advisory.

Improper Verification of Cryptographic Signature

It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source

CVE-2021-41830 7.5 - High - October 11, 2021

It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25633 for the LibreOffice advisory.

Improper Verification of Cryptographic Signature

While working on Apache OpenOffice 4.1.8 a developer discovered

CVE-2021-28129 7.8 - High - October 07, 2021

While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group if they exist. Users who installed the Apache OpenOffice 4.1.8 DEB packaging should upgrade to the latest version of Apache OpenOffice.

Improper Privilege Management

Apache OpenOffice has a dependency on expat software

CVE-2021-40439 6.5 - Medium - October 07, 2021

Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a "Billion Laughs" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice up to 4.1.10 are subject to this issue. expat in version 4.1.11 is patched.

XXE

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient

CVE-2021-42013 9.8 - Critical - October 07, 2021

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Directory traversal

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49

CVE-2021-41773 7.5 - High - October 05, 2021

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Directory traversal

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing

CVE-2021-41524 7.5 - High - October 05, 2021

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

NULL Pointer Dereference

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper

CVE-2021-41616 9.8 - Critical - September 30, 2021

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure and used ObjectInputStream.readObject without validating that the input data was safe to deserialize. Please note that DdlUtils is no longer being actively developed. To address the insecurity of the BinaryObjectHelper class, the following changes to DdlUtils have been made: (1) BinaryObjectsHelper.java has been deleted from the DdlUtils source repository and the DdlUtils feature of propagating data of SQL binary types is therefore no longer present in DdlUtils; (2) The ddlutils-1.0 release has been removed from the Apache Release Distribution Infrastructure; (3) The DdlUtils web site has been updated to indicate that DdlUtils is now available only as source code, not as a packaged release.

Marshaling, Unmarshaling

In the Druid ingestion system, the InputSource is used for reading data from a certain data source

CVE-2021-36749 6.5 - Medium - September 24, 2021

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.

Exposure of Resource to Wrong Sphere

Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets

CVE-2021-33035 7.8 - High - September 23, 2021

Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document could overflow the allocated space, leading to the execution of arbitrary code by altering the contents of the program stack. This issue affects Apache OpenOffice up to and including version 4.1.10

Classic Buffer Overflow

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks

CVE-2021-38153 5.9 - Medium - September 22, 2021

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Side Channel Attack

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo

CVE-2021-40690 7.5 - High - September 19, 2021

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Information Disclosure

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

CVE-2021-41303 9.8 - Critical - September 17, 2021

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

authentification

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS)

CVE-2021-36160 7.5 - High - September 16, 2021

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

Out-of-bounds Read

Malformed requests may cause the server to dereference a NULL pointer

CVE-2021-34798 7.5 - High - September 16, 2021

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

NULL Pointer Dereference

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user

CVE-2021-40438 9 - Critical - September 16, 2021

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

XSPA

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may

CVE-2021-39239 7.5 - High - September 16, 2021

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

XXE

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets

CVE-2021-41079 7.5 - High - September 16, 2021

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

Improper Input Validation

ap_escape_quotes() may write beyond the end of a buffer when given malicious input

CVE-2021-39275 9.8 - Critical - September 16, 2021

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

Classic Buffer Overflow

A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5

CVE-2021-40146 9.8 - Critical - September 11, 2021

A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities.

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5

CVE-2021-38555 9.1 - Critical - September 11, 2021

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

XXE

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3

CVE-2021-38540 9.8 - Critical - September 09, 2021

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

Missing Authentication for Critical Function

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server

CVE-2021-37579 9.8 - Critical - September 09, 2021

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.

Marshaling, Unmarshaling

Some component in Dubbo will try to print the formated string of the input arguments

CVE-2021-36161 9.8 - Critical - September 09, 2021

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13

Use of Externally-Controlled Format String

In Apache Dubbo, users may choose to use the Hessian protocol

CVE-2021-36163 9.8 - Critical - September 07, 2021

In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1

Marshaling, Unmarshaling

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo)

CVE-2021-36162 8.8 - High - September 07, 2021

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2

Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts

CVE-2021-27578 6.1 - Medium - September 02, 2021

Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.

XSS

Authentication bypass vulnerability in Apache Zeppelin

CVE-2020-13929 7.5 - High - September 02, 2021

Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

authentification

bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings

CVE-2019-10095 9.8 - Critical - September 02, 2021

bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Command Injection

In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info

CVE-2021-25958 7.5 - High - August 30, 2021

In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.

Generation of Error Message Containing Sensitive Information

From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command

CVE-2021-33191 9.8 - Critical - August 24, 2021

From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0

Shell injection

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613)

CVE-2021-35940 7.1 - High - August 23, 2021

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Out-of-bounds Read

jsoup is a Java library for working with HTML

CVE-2021-37714 7.5 - High - August 18, 2021

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Infinite Loop

Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands

CVE-2021-37608 9.8 - Critical - August 18, 2021

Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297.

Unrestricted File Upload

User controlled `request.getHeader("Referer")`

CVE-2021-33580 7.5 - High - August 18, 2021

User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2.

Resource Exhaustion

If remote logging is not used

CVE-2021-35936 5.3 - Medium - August 16, 2021

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.

AuthZ

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy

CVE-2021-33193 7.5 - High - August 16, 2021

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

Improper configuration will cause ServiceComb ServiceCenter Directory Traversal problem in ServcieCenter 1.x.x versions and fixed in 2.0.0.

CVE-2021-21501 7.5 - High - August 10, 2021

Improper configuration will cause ServiceComb ServiceCenter Directory Traversal problem in ServcieCenter 1.x.x versions and fixed in 2.0.0.

Directory traversal

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI)

CVE-2021-37578 9.8 - Critical - July 29, 2021

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed.

Marshaling, Unmarshaling

While investigating DIRSTUDIO-1219 it was noticed

CVE-2021-33900 7.5 - High - July 26, 2021

While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.

Missing Encryption of Sensitive Data

Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user

CVE-2021-28131 7.5 - High - July 22, 2021

Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user. However, these secrets appear in the Impala logs, therefore Impala users with access to the logs can use another authenticated user's sessions with specially constructed requests. This means the attacker is able to execute statements for which they don't have the necessary privileges otherwise. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user. Mitigation: If an Impala deployment uses Apache Sentry, Apache Ranger or audit logging, then users should upgrade to a version of Impala with the fix for IMPALA-10600. The Impala 4.0 release includes this fix. This hides session secrets from the logs to eliminate the risk of any attack using this mechanism. In lieu of an upgrade, restricting access to logs that expose secrets will reduce the risk of an attack. Restricting access to the Impala deployment to trusted users will also reduce the risk of an attack. Log redaction techniques can be used to redact secrets from the logs.

authentification

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs

CVE-2021-34429 5.3 - Medium - July 15, 2021

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

Information Disclosure

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory

CVE-2021-36373 5.5 - Medium - July 14, 2021

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory

CVE-2021-36374 5.5 - Medium - July 14, 2021

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory

CVE-2021-36090 7.5 - High - July 13, 2021

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory

CVE-2021-35517 7.5 - High - July 13, 2021

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory

CVE-2021-35516 7.5 - High - July 13, 2021

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop

CVE-2021-35515 7.5 - High - July 13, 2021

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Excessive Iteration

Apache Tomcat 10.0.0-M1 to 10.0.6

CVE-2021-33037 5.3 - Medium - July 12, 2021

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

HTTP Request Smuggling

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service

CVE-2021-30639 7.5 - High - July 12, 2021

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

Improper Handling of Exceptional Conditions

A vulnerability in the JNDI Realm of Apache Tomcat

CVE-2021-30640 6.5 - Medium - July 12, 2021

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

authentification

A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error

CVE-2021-30129 6.5 - Medium - July 12, 2021

A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0

Missing Release of Resource after Effective Lifetime

A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views

CVE-2021-33192 6.1 - Medium - July 05, 2021

A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views. This issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0 (inclusive).

XSS

In the Druid ingestion system, the InputSource is used for reading data from a certain data source

CVE-2021-26920 6.5 - Medium - July 02, 2021

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.

AuthZ

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server

CVE-2021-32567 7.5 - High - June 30, 2021

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

Improper Input Validation

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server

CVE-2021-32566 7.5 - High - June 30, 2021

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

Improper Input Validation

Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server

CVE-2021-35474 9.8 - Critical - June 30, 2021

Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

Memory Corruption

Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache

CVE-2021-27577 7.5 - High - June 29, 2021

Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

HTTP Request Smuggling

Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests

CVE-2021-32565 7.5 - High - June 29, 2021

Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

HTTP Request Smuggling

Apache Nuttx Versions prior to 10.1.0 are vulnerable to integer wrap-around in functions malloc, realloc and memalign

CVE-2021-26461 9.8 - Critical - June 21, 2021

Apache Nuttx Versions prior to 10.1.0 are vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

Integer Overflow or Wraparound

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF

CVE-2021-30468 7.5 - High - June 16, 2021

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

Resource Exhaustion

An XXE issue in SAXBuilder in JDOM through 2.0.6

CVE-2021-33813 7.5 - High - June 16, 2021

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

XXE

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0

CVE-2020-9493 9.8 - Critical - June 16, 2021

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Marshaling, Unmarshaling

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well

CVE-2021-31618 7.5 - High - June 15, 2021

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

NULL Pointer Dereference

In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file

CVE-2021-31812 5.5 - Medium - June 12, 2021

In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

Excessive Iteration

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file

CVE-2021-31811 5.5 - Medium - June 12, 2021

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

curl 7.7 through 7.76.1 suffers

CVE-2021-22898 3.1 - Low - June 11, 2021

curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

Missing Initialization of Resource

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL

CVE-2019-17567 5.3 - Medium - June 10, 2021

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

HTTP Request Smuggling

Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http

CVE-2020-13950 7.5 - High - June 10, 2021

Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service

NULL Pointer Dereference

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest

CVE-2020-35452 7.3 - High - June 10, 2021

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow

Memory Corruption

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

CVE-2021-30641 5.3 - Medium - June 10, 2021

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session

CVE-2021-26690 7.5 - High - June 10, 2021

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

NULL Pointer Dereference

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

CVE-2021-26691 9.8 - Critical - June 10, 2021

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

Memory Corruption

In Apache APISIX Dashboard version 2.6

CVE-2021-33190 5.3 - Medium - June 08, 2021

In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1

Improper Restriction of Excessive Authentication Attempts

Flask-AppBuilder is a development framework, built on top of Flask

CVE-2021-29621 5.3 - Medium - June 07, 2021

Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.

Side Channel Attack

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces

CVE-2021-30179 9.8 - Critical - June 01, 2021

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.

Marshaling, Unmarshaling

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on

CVE-2021-25641 9.8 - Critical - June 01, 2021

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.

Marshaling, Unmarshaling

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server

CVE-2021-30181 9.8 - Critical - June 01, 2021

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server

CVE-2021-30180 9.8 - Critical - June 01, 2021

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.

HTTP Request Smuggling

In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check

CVE-2021-25640 6.1 - Medium - June 01, 2021

In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.

XSPA

Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method

CVE-2020-17514 7.4 - High - May 27, 2021

Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT)

CVE-2021-22160 9.8 - Critical - May 26, 2021

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).

Improper Verification of Cryptographic Signature

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket

CVE-2021-23937 7.5 - High - May 25, 2021

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.

Improper Input Validation

Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.

CVE-2021-27737 7.5 - High - May 14, 2021

Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.

Apache Unomi prior to version 1.5.5

CVE-2021-31164 7.5 - High - May 04, 2021

Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.

Injection

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit

CVE-2021-28359 6.1 - Medium - May 02, 2021

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).

XSS

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user

CVE-2021-29200 9.8 - Critical - April 27, 2021

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

Marshaling, Unmarshaling

Apache OFBiz has unsafe deserialization prior to 17.12.07 version

CVE-2021-30128 9.8 - Critical - April 27, 2021

Apache OFBiz has unsafe deserialization prior to 17.12.07 version

Marshaling, Unmarshaling

Information Exposure vulnerability in context asset handling of Apache Tapestry

CVE-2021-30638 7.5 - High - April 27, 2021

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

Information Disclosure

Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious

CVE-2021-28125 6.1 - Medium - April 27, 2021

Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.

Open Redirect

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default

CVE-2020-17517 7.5 - High - April 27, 2021

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.

AuthZ

Apache Maven will follow repositories

CVE-2021-26291 9.1 - Critical - April 23, 2021

Apache Maven will follow repositories that are defined in a dependencys Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Origin Validation Error

The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks

CVE-2021-30245 8.8 - High - April 15, 2021

The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.

Externally Controlled Reference to a Resource in Another Sphere

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry

CVE-2021-27850 9.8 - Critical - April 15, 2021

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

Marshaling, Unmarshaling

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.