
Apache Software Foundation — Vulnerabilities & Security Advisories (1676)

Browse all 1676 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
--- | --- | --- | --- | --- | --- | ---
CVE-2022-34870 | Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application | Apache Geode | - | 5.4 | - | 2022-10-25
CVE-2022-41704 | Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input | Apache XML Graphics | - | 7.5 | - | 2022-10-25
CVE-2022-42890 | Apache Batik prior to 1.16 allows RCE via scripting | Apache XML Graphics | - | 7.5 | - | 2022-10-25
CVE-2021-42010 | CRLF log injection | Apache Heron (Incubating) | - | 9.8 | - | 2022-10-24
CVE-2022-42466 | XSS vulnerability, e.g. for String properties | Apache Isis | CWE-79 | 6.1 | - | 2022-10-19
CVE-2022-42467 | h2 webconsole (available only in prototype mode) should nevertheless be disabled by default | Apache Isis | CWE-1188 | 7.5 | - | 2022-10-19
CVE-2022-39198 | Apache Dubbo Hessian Deserialization Vulnerability Gadgets Bypass | Apache Dubbo | CWE-502 | 9.8 | - | 2022-10-18
CVE-2022-24697 | Apache Kylin prior to 4.0.2 allows command injection when the configuration-overwrite function overwrites system parameters | Apache Kylin | - | 9.8 | - | 2022-10-13
CVE-2022-42889 | Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults | Apache Commons Text | - | 9.8 | - | 2022-10-13
CVE-2022-40664 | Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher | Apache Shiro | CWE-287 | 9.8 | - | 2022-10-12
CVE-2022-41672 | Session still functional after user is deactivated | Apache Airflow | CWE-613 | 8.1 | - | 2022-10-07
CVE-2021-43980 | Apache Tomcat: Information disclosure | Apache Tomcat | CWE-362 | 3.7 | - | 2022-09-28
CVE-2022-33683 | Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack | Apache Pulsar | CWE-295 | 5.9 | - | 2022-09-23
CVE-2022-33682 | Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack | Apache Pulsar | CWE-295 | 5.9 | - | 2022-09-23
CVE-2022-33681 | Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM | Apache Pulsar | CWE-295 | 5.9 | - | 2022-09-23
CVE-2022-24280 | Apache Pulsar Proxy target broker address isn't validated | Apache Pulsar | CWE-20 | 7.5 | - | 2022-09-23
CVE-2022-26112 | Pinot query endpoint and the realtime ingestion layer have a vulnerability in unprotected environments due to Groovy function support | Apache Pinot | - | 9.8 | - | 2022-09-23
CVE-2022-40705 | Apache SOAP: XML External Entity Injection (XXE) allows unauthenticated users to read arbitrary files via HTTP | Apache SOAP | CWE-611 | 7.5 | - | 2022-09-22
CVE-2022-38398 | Server-Side Request Forgery Information Disclosure Vulnerability | Apache XML Graphics | CWE-918 | 7.5 | - | 2022-09-22
CVE-2022-38648 | PDFTranscoder does not block external resources | Apache XML Graphics | CWE-918 | 5.3 | - | 2022-09-22
CVE-2022-40146 | Jar URL should be blocked by DefaultScriptSecurity | Apache XML Graphics | CWE-918 | 7.5 | - | 2022-09-22
CVE-2022-40754 | Open Redirect | Apache Airflow | CWE-601 | 6.1 | - | 2022-09-21
CVE-2022-40604 | Format String Vulnerability | Apache Airflow | CWE-134 | 7.5 | - | 2022-09-21
CVE-2022-40955 | Deserialization attack in Apache InLong prior to version 1.3.0 allows RCE via JDBC | Apache InLong | CWE-502 | 8.8 | - | 2022-09-20
CVE-2022-34917 | Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers | Apache Kafka | CWE-789 | 7.5 | - | 2022-09-20
CVE-2022-39135 | Apache Calcite: potential XXE attacks | Apache Calcite | CWE-611 | 9.8 | - | 2022-09-11
CVE-2022-28220 | STARTTLS command injection in Apache JAMES | Apache James | CWE-77 | 7.5 | - | 2022-09-08
CVE-2022-38370 | No authorization of DatabaseConnectController in grafana-connector | Apache IoTDB | - | 5.3 | - | 2022-09-05
CVE-2022-38369 | Login check vulnerability by session Id | Apache IoTDB | - | 8.1 | - | 2022-09-05
CVE-2022-38054 | Session Fixation | Apache Airflow | CWE-384 | 9.8 | - | 2022-09-02

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.