
Apache Software Foundation — Vulnerabilities & Security Advisories (1684)

Browse all 1684 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-45478 | Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input | Apache Ranger | CWE-79 | 5.4 | - | 2025-01-21 |
| CVE-2024-51941 | Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts | Apache Ambari | CWE-94 | 8.8 | - | 2025-01-21 |
| CVE-2025-23196 | Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition | Apache Ambari | CWE-77 | 8.8 | - | 2025-01-21 |
| CVE-2025-23195 | Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie | Apache Ambari | CWE-611 | 7.5 | - | 2025-01-21 |
| CVE-2025-23184 | Apache CXF: Denial of Service vulnerability with temporary files | Apache CXF | CWE-400 | 5.9 | Medium | 2025-01-21 |
| CVE-2024-45627 | Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability | Apache Linkis Metadata Query Service JDBC | CWE-552 | 6.5 | - | 2025-01-14 |
| CVE-2025-22828 | Apache CloudStack: Unauthorised access to annotations | Apache CloudStack | CWE-200 | 4.2 | - | 2025-01-13 |
| CVE-2024-45033 | Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli | Apache Airflow Fab Provider | CWE-613 | 8.8 | - | 2025-01-08 |
| CVE-2024-54676 | Apache OpenMeetings: Deserialisation of untrusted data in cluster mode | Apache OpenMeetings | CWE-502 | 9.8 | - | 2025-01-08 |
| CVE-2024-56512 | Apache NiFi: Missing Complete Authorization for Parameter and Service References | Apache NiFi | CWE-638 | 6.5 | - | 2024-12-28 |
| CVE-2024-52046 | Apache MINA: MINA applications using unbounded deserialization may allow RCE | Apache MINA | CWE-502 | 9.8 | - | 2024-12-25 |
| CVE-2024-43441 | Apache HugeGraph-Server: Fixed JWT Token(Secret) | Apache HugeGraph-Server | CWE-302 | 9.8 | - | 2024-12-24 |
| CVE-2024-45387 | Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments | Apache Traffic Control | CWE-89 | 9.9 | Critical | 2024-12-23 |
| CVE-2024-23945 | Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails | Apache Hive | CWE-209 | 8.2 | - | 2024-12-23 |
| CVE-2024-56337 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete | Apache Tomcat | CWE-367 | 8.1 | - | 2024-12-20 |
| CVE-2024-56128 | Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption | Apache Kafka | CWE-303 | 7.5 | - | 2024-12-18 |
| CVE-2024-54677 | Apache Tomcat: DoS in examples web application | Apache Tomcat | CWE-400 | 7.5 | - | 2024-12-17 |
| CVE-2024-50379 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation | Apache Tomcat | CWE-367 | 8.1 | - | 2024-12-17 |
| CVE-2024-55633 | Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access | Apache Superset | CWE-863 | 8.8 | - | 2024-12-12 |
| CVE-2024-53677 | Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks | Apache Struts | - | 9.8 | - | 2024-12-11 |
| CVE-2024-53949 | Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled | Apache Superset | CWE-863 | 8.8 | - | 2024-12-09 |
| CVE-2024-53948 | Apache Superset: Error verbosity exposes metadata in analytics databases | Apache Superset | CWE-209 | 5.3 | - | 2024-12-09 |
| CVE-2024-53947 | Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions | Apache Superset | CWE-89 | 9.8 | - | 2024-12-09 |
| CVE-2024-46901 | Apache Subversion: mod_dav_svn denial-of-service via control characters in paths | Apache Subversion | CWE-20 | 3.1 | Low | 2024-12-09 |
| CVE-2022-41137 | Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore | Apache Hive | CWE-502 | 8.8 | - | 2024-12-05 |
| CVE-2024-45106 | Apache Ozone: Improper authentication when generating S3 secrets | Apache Ozone | CWE-287 | 6.8 | - | 2024-12-03 |
| CVE-2024-52338 | Apache Arrow R package: Arbitrary code execution when loading a malicious data file | Apache Arrow R package | CWE-502 | 9.8 (AI) | Critical (AI) | 2024-11-28 |
| CVE-2024-51569 | Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in Number of Completed Packets HCI event handler | Apache NimBLE | CWE-125 | 7.1 (AI) | High (AI) | 2024-11-26 |
| CVE-2024-47250 | Apache NimBLE: Lack of input validation in HCI advertising report could lead to potential out-of-bound access | Apache NimBLE | CWE-125 | 7.5 (AI) | High (AI) | 2024-11-26 |
| CVE-2024-47249 | Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in multiple advertisement handler | Apache NimBLE | CWE-129 | 6.5 (AI) | Medium (AI) | 2024-11-26 |

A "-" in the CWE or Severity column means the listing shows no value for that entry. Values marked "(AI)" carry the listing's AI badge on the CVSS score and severity rather than a published score.

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.