Filtered by vendor Apache
Subscriptions
Total
2321 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-40189 | 1 Apache | 2 Airflow, Apache-airflow-providers-apache-pig | 2024-08-03 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version. | ||||
| CVE-2022-40127 | 1 Apache | 1 Airflow | 2024-08-03 | 8.8 High |
| A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. | ||||
| CVE-2022-39944 | 1 Apache | 1 Linkis | 2024-08-03 | 8.8 High |
| In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0. | ||||
| CVE-2022-39198 | 1 Apache | 1 Dubbo | 2024-08-03 | 9.8 Critical |
| A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions. | ||||
| CVE-2022-39135 | 1 Apache | 1 Calcite | 2024-08-03 | 9.8 Critical |
| Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators. | ||||
| CVE-2022-38745 | 2 Apache, Redhat | 2 Openoffice, Enterprise Linux | 2024-08-03 | 7.8 High |
| Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory. | ||||
| CVE-2022-38649 | 1 Apache | 2 Airflow, Apache-airflow-providers-apache-pinot | 2024-08-03 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version. | ||||
| CVE-2022-38648 | 3 Apache, Debian, Redhat | 4 Batik, Debian Linux, Camel Spring Boot and 1 more | 2024-08-03 | 5.3 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14. | ||||
| CVE-2022-38370 | 1 Apache | 1 Iotdb | 2024-08-03 | 7.5 High |
| Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue. | ||||
| CVE-2022-38362 | 1 Apache | 1 Apache-airflow-providers-docker | 2024-08-03 | 8.8 High |
| Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host. | ||||
| CVE-2022-38369 | 1 Apache | 1 Iotdb | 2024-08-03 | 8.8 High |
| Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue. | ||||
| CVE-2022-38398 | 3 Apache, Debian, Redhat | 4 Batik, Debian Linux, Camel Spring Boot and 1 more | 2024-08-03 | 5.3 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. | ||||
| CVE-2022-38170 | 1 Apache | 1 Airflow | 2024-08-03 | 4.7 Medium |
| In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. | ||||
| CVE-2022-38054 | 1 Apache | 1 Airflow | 2024-08-03 | 9.8 Critical |
| In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | ||||
| CVE-2022-37866 | 2 Apache, Redhat | 2 Ivy, Camel Spring Boot | 2024-08-03 | 7.5 High |
| When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1. | ||||
| CVE-2022-37865 | 2 Apache, Redhat | 2 Ivy, Camel Spring Boot | 2024-08-03 | 9.1 Critical |
| With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path when extracting the archive. An archive containing absolute paths or paths that try to traverse "upwards" using ".." sequences can then write files to any location on the local fie system that the user executing Ivy has write access to. Ivy users of version 2.4.0 to 2.5.0 should upgrade to Ivy 2.5.1. | ||||
| CVE-2022-37392 | 1 Apache | 1 Traffic Server | 2024-08-03 | 5.3 Medium |
| Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | ||||
| CVE-2022-37401 | 1 Apache | 1 Openoffice | 2024-08-03 | 8.8 High |
| Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice | ||||
| CVE-2022-37435 | 1 Apache | 1 Shenyu | 2024-08-03 | 8.8 High |
| Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. | ||||
| CVE-2022-37436 | 2 Apache, Redhat | 3 Http Server, Enterprise Linux, Jboss Core Services | 2024-08-03 | 5.3 Medium |
| Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. | ||||