Apache Software Foundation — Vulnerabilities & Security Advisories 1859

Browse all 1859 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, primarily known for the widely deployed Apache HTTP Server and foundational Java frameworks. Its extensive portfolio exposes a significant attack surface, evidenced by the 1717 recorded CVEs. Historically, vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration errors or input validation failures in legacy components. While the foundation enforces rigorous security review processes, the sheer volume of projects increases the likelihood of undiscovered flaws. Notable incidents include critical flaws in Log4j, which allowed remote code execution via crafted log messages, highlighting risks in dependency management. The organization relies on community-driven patching, requiring administrators to promptly apply updates to mitigate exploitation. This model ensures transparency but demands active vigilance from users to maintain system integrity against evolving threat vectors.

CVEs 1859

CVE ID	Title	CVSS	Severity	Published
CVE-2024-39887	Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions — Apache SupersetCWE-89	4.3	Medium	2024-07-16
CVE-2023-52290	Apache StreamPark (incubating): Unchecked SQL query fields trigger SQL injection vulnerability — Apache StreamPark (incubating)CWE-89	6.5^AI	Medium^AI	2024-07-16
CVE-2023-49566	Apache Linkis DataSource: JDBC Datasource Module with DB2 has JNDI Injection vulnerability — Apache Linkis DataSourceCWE-502	8.1	-	2024-07-15
CVE-2023-46801	Apache Linkis DataSource: DataSource Remote code execution vulnerability — Apache Linkis DataSourceCWE-502	8.1	-	2024-07-15
CVE-2023-41916	Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading — Apache Linkis DataSourceCWE-552	6.5	-	2024-07-15
CVE-2024-36522	Apache Wicket: Remote code execution via XSLT injection — Apache WicketCWE-74	9.8^AI	Critical^AI	2024-07-12
CVE-2024-37389	Apache NiFi: Improper Neutralization of Input in Parameter Context Description — Apache NiFiCWE-79	4.6	Medium	2024-07-08
CVE-2024-38346	Apache CloudStack: Unauthenticated cluster service port leads to remote execution — Apache CloudStackCWE-94	10.0	-	2024-07-05
CVE-2024-39864	Apache CloudStack: Integration API service uses dynamic port when disabled — Apache CloudStackCWE-665	9.1	-	2024-07-05
CVE-2024-39884	Apache HTTP Server: source code disclosure with handlers configured via AddType — Apache HTTP Server	7.5	-	2024-07-04
CVE-2024-34750	Apache Tomcat: HTTP/2 excess header handling DoS — Apache TomcatCWE-755	5.3^AI	Medium^AI	2024-07-03
CVE-2024-39573	Apache HTTP Server: mod_rewrite proxy handler substitution — Apache HTTP ServerCWE-20	9.3^AI	Critical^AI	2024-07-01
CVE-2024-38477	Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request — Apache HTTP ServerCWE-476	7.5	-	2024-07-01
CVE-2024-38476	Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect — Apache HTTP ServerCWE-829	9.1^AI	Critical^AI	2024-07-01
CVE-2024-38475	Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. — Apache HTTP ServerCWE-116	9.8^AI	Critical^AI	2024-07-01
CVE-2024-38474	Apache HTTP Server weakness with encoded question marks in backreferences — Apache HTTP ServerCWE-116	9.8^AI	Critical^AI	2024-07-01
CVE-2024-38473	Apache HTTP Server proxy encoding problem — Apache HTTP ServerCWE-116	9.8^AI	Critical^AI	2024-07-01
CVE-2024-38472	Apache HTTP Server on WIndows UNC SSRF — Apache HTTP ServerCWE-918	7.5^AI	High^AI	2024-07-01
CVE-2024-36387	Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2 — Apache HTTP ServerCWE-476	7.5^AI	High^AI	2024-07-01
CVE-2024-29868	Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation — Apache StreamPipesCWE-338	8.1^AI	High^AI	2024-06-24
CVE-2024-27136	Apache JSPWiki: Cross-site scripting vulnerability on upload page — Apache JSPWikiCWE-79	6.1^AI	Medium^AI	2024-06-24
CVE-2024-38379	Apache Allura: Stored authenticated XSS — Apache AlluraCWE-79	4.8	-	2024-06-22
CVE-2024-34693	Apache Superset: Server arbitrary file read — Apache SupersetCWE-20	6.8	Medium	2024-06-20
CVE-2024-25142	Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache — Apache AirflowCWE-525	7.5^AI	High^AI	2024-06-14
CVE-2024-36265	Apache Submarine Server Core: authorization bypass — Apache Submarine Server CoreCWE-863	7.5^AI	High^AI	2024-06-12
CVE-2024-36264	Apache Submarine Commons Utils: default secret — Apache Submarine Commons UtilsCWE-287	7.5^AI	High^AI	2024-06-12
CVE-2024-36263	Apache Submarine Server Core: SQL injection — Apache Submarine Server CoreCWE-89	9.8^AI	Critical^AI	2024-06-12
CVE-2024-36471	Apache Allura: sensitive information exposure via DNS rebinding — Apache AlluraCWE-20	4.9	-	2024-06-10
CVE-2024-36104	Apache OFBiz: Path traversal leading to a RCE — Apache OFBizCWE-22	7.5^AI	High^AI	2024-06-04
CVE-2024-32077	Apache Airflow: XSS vulnerability in Task Instance Log/Log Details — Apache AirflowCWE-79	7.1	-	2024-05-14

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.

Goal Reached Thanks to every supporter — we hit 100%!

Apache Software Foundation — Vulnerabilities & Security Advisories 1859