Filtered by vendor Apache
Subscriptions
Total
2436 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-21742 | 1 Apache | 1 James Mime4j | 2025-05-06 | 5.3 Medium |
| Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages. | ||||
| CVE-2022-34662 | 1 Apache | 1 Dolphinscheduler | 2025-05-06 | 6.5 Medium |
| When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher | ||||
| CVE-2022-31777 | 2 Apache, Redhat | 2 Spark, Camel Spring Boot | 2025-05-06 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. | ||||
| CVE-2024-25065 | 1 Apache | 1 Ofbiz | 2025-05-05 | 9.1 Critical |
| Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | ||||
| CVE-2023-51747 | 1 Apache | 1 James | 2025-05-05 | 7.1 High |
| Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions. | ||||
| CVE-2023-51518 | 1 Apache | 1 James | 2025-05-05 | 9.8 Critical |
| Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally. We recommend users to: - Upgrade to a non-vulnerable Apache James version - Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible turn off JMX | ||||
| CVE-2023-50379 | 1 Apache | 1 Ambari | 2025-05-05 | 8.8 High |
| Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host. | ||||
| CVE-2024-22393 | 2 Apache, Apache Software Foundation | 2 Answer, Apache Answer | 2025-05-05 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content. Users are recommended to upgrade to version [1.2.5], which fixes the issue. | ||||
| CVE-2021-28656 | 1 Apache | 1 Zeppelin | 2025-05-05 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. | ||||
| CVE-2022-47894 | 1 Apache | 1 Zeppelin | 2025-05-05 | 5.3 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-31862 | 1 Apache | 1 Zeppelin | 2025-05-05 | 5.3 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | ||||
| CVE-2024-31865 | 1 Apache | 1 Zeppelin | 2025-05-05 | 6.5 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | ||||
| CVE-2024-31864 | 1 Apache | 1 Zeppelin | 2025-05-05 | 9.8 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | ||||
| CVE-2024-31867 | 1 Apache | 1 Zeppelin | 2025-05-05 | 6.5 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | ||||
| CVE-2024-31868 | 1 Apache | 1 Zeppelin | 2025-05-05 | 6.1 Medium |
| Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | ||||
| CVE-2024-31866 | 2 Apache, Apache Software Foundation | 2 Zeppelin, Apache Zeppelin | 2025-05-05 | 9.8 Critical |
| Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | ||||
| CVE-2022-43985 | 1 Apache | 1 Airflow | 2025-05-02 | 6.1 Medium |
| In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | ||||
| CVE-2022-43982 | 1 Apache | 1 Airflow | 2025-05-02 | 6.1 Medium |
| In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | ||||
| CVE-2022-43670 | 1 Apache | 1 Sling Cms | 2025-05-02 | 5.4 Medium |
| An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature. | ||||
| CVE-2022-32287 | 1 Apache | 1 Uimaj | 2025-05-02 | 7.5 High |
| A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine. | ||||