Apache vulnerabilities

DATE        CVE             VULNERABILITY TITLE (each entry is followed by its description, then Vector / Complexity / Vendor / CWE / RISK)

2021-02-17  CVE-2021-26697  Improper Authentication vulnerability in Apache Airflow 2.0.0
  The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0.
  Vector: network | Complexity: low | Vendor: apache | CWE-287 | Risk: 5.0

2021-02-17  CVE-2021-26559  Improper Privilege Management vulnerability in Apache Airflow 2.0.0
  Improper Access Control on the Configurations endpoint of the Stable API of Apache Airflow allows users with the Viewer or User role to get Airflow configuration, including sensitive information, even when `[webserver] expose_config` is set to `False` in `airflow.cfg`.
  Vector: network | Complexity: low | Vendor: apache | CWE-269 | Risk: 4.0

2021-02-12  CVE-2020-13949  Resource Exhaustion vulnerability in Apache Thrift
  In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
  Vector: network | Complexity: low | Vendor: apache | CWE-400 | Risk: 5.0

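How a short message becomes a large allocation, as an added example in Python (not Apache Thrift's own code): Thrift's framed transport and binary protocol prefix frames and string fields with a 4-byte length, and a reader that sizes its buffer from that header before any payload has arrived can be made to reserve about 2 GiB by a client that sends only the 4 header bytes. Thrift 0.14.0 addressed this with a configurable maximum message size; the `read_frame_*` functions, the `RecordingAllocator`, and the `MAX_MESSAGE_SIZE` constant below are constructed for this illustration and are not Thrift's names.

```python
import io
import struct

# Assumed cap for the hardened reader, chosen for this example (16 MiB).
# The name is not Thrift's configuration key.
MAX_MESSAGE_SIZE = 16 * 1024 * 1024


class RecordingAllocator:
    """Stand-in for the real buffer allocation so the demo never reserves the
    gigabytes a hostile header asks for: records each requested size and hands
    back a small buffer instead."""

    def __init__(self):
        self.requested = []

    def __call__(self, size):
        self.requested.append(size)
        return bytearray(min(size, 4096))


def frame(payload: bytes) -> bytes:
    """Encode payload as one length-prefixed frame (4-byte big-endian length)."""
    return struct.pack("!i", len(payload)) + payload


def short_message(claimed_length: int) -> bytes:
    """Hostile client message: a header claiming claimed_length bytes, then nothing."""
    return struct.pack("!i", claimed_length)


def read_frame_unchecked(data: bytes, allocate=bytearray) -> bytes:
    """Vulnerable reader: sizes the buffer from the untrusted header before the
    payload arrives, so 4 bytes on the wire can cost ~2 GiB of memory."""
    stream = io.BytesIO(data)
    header = stream.read(4)
    if len(header) < 4:
        raise EOFError("short header")
    (length,) = struct.unpack("!i", header)
    buf = allocate(length)          # allocation sized from attacker input
    received = stream.readinto(buf)
    return bytes(buf[:received])


def read_frame_checked(data: bytes, max_size: int = MAX_MESSAGE_SIZE) -> bytes:
    """Hardened reader: rejects negative or oversized lengths before allocating,
    and treats a payload shorter than declared as a protocol error."""
    stream = io.BytesIO(data)
    header = stream.read(4)
    if len(header) < 4:
        raise EOFError("short header")
    (length,) = struct.unpack("!i", header)
    if not 0 <= length <= max_size:
        raise ValueError(f"declared frame length {length} outside 0..{max_size}")
    payload = stream.read(length)
    if len(payload) != length:
        raise EOFError(f"declared {length} bytes, received {len(payload)}")
    return payload


def demo() -> dict:
    """Run the constructed hostile and honest messages through both readers."""
    hostile = short_message(0x7FFFFFFF)     # 4 bytes on the wire, 2 GiB claimed
    honest = frame(b"hello")
    allocator = RecordingAllocator()
    read_frame_unchecked(hostile, allocate=allocator)
    results = {"unchecked_requested_bytes": allocator.requested[0]}
    try:
        read_frame_checked(hostile)
        results["checked_outcome"] = "accepted"
    except ValueError:
        results["checked_outcome"] = "rejected"
    results["honest_payload"] = read_frame_checked(honest)
    return results
```

The cap has to be checked before the allocation, not after; reading `length` bytes and then comparing is too late, because the memory was already reserved on the attacker's say-so.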
2021-02-08  CVE-2020-13947  Cross-Site Scripting vulnerability in Apache ActiveMQ
  A cross-site scripting vulnerability was identified in the web-based administration console, on the message.jsp page, of Apache ActiveMQ versions 5.15.12 through 5.16.0.
  Vector: network | Vendor: apache | CWE-79 | Risk: 4.3

2021-02-03  CVE-2020-17523  Incorrect Authorization vulnerability in Apache Shiro
  In Apache Shiro before 1.7.1, when Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.
  Vector: network | Complexity: low | Vendor: apache | CWE-863 | Risk: 9.0 (critical)

2021-02-03  CVE-2020-17516  Authentication Bypass by Spoofing vulnerability in Apache Cassandra
  Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using the 'dc' or 'rack' internode_encryption setting, allow both encrypted and unencrypted internode connections.
  Vector: network | Vendor: apache | CWE-290 | Risk: 4.3

2021-01-29  CVE-2021-25646  Incorrect Permission Assignment for Critical Resource vulnerability in Apache Druid
  Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests.
  Vector: network | Complexity: low | Vendor: apache | CWE-732 | Risk: 9.0 (critical)

2021-01-27  CVE-2021-26118  Improper Authentication vulnerability in Apache ActiveMQ Artemis 2.15.0
  While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy-based access control for the entire session.
  Vector: network | Complexity: low | Vendor: apache | CWE-287 | Risk: 5.0

2021-01-27  CVE-2021-26117  Improper Authentication vulnerability in Apache ActiveMQ and ActiveMQ Artemis
  The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server.
  Vector: network | Complexity: low | Vendor: apache | CWE-287 | Risk: 5.0

2021-01-26  CVE-2020-9492  Improper Privilege Management vulnerability in Apache Hadoop
  In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, the WebHDFS client might send the SPNEGO authorization header to a remote URL without proper verification.
  Vector: network | Complexity: low | Vendor: apache | CWE-269 | Risk: 6.5

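What sending the SPNEGO header "to a remote URL without proper verification" looks like, and the usual client-side defence, as an added example in Python (not Hadoop's WebHDFS client code, and not a claim about the exact logic of Hadoop's fix): WebHDFS answers data operations such as OPEN with a 307 redirect from the NameNode to a DataNode, so a client that blindly re-sends its `Authorization: Negotiate` header on every hop hands the token to whatever host the Location header names. The client loop, the in-memory transport standing in for the cluster, the hostnames and ports, the token value, and the `trusted_hosts` allowlist are all constructed for this illustration.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not follow a redirect to an
# unexpected host. Names are compared case-insensitively.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
REDIRECT_CODES = frozenset({301, 302, 303, 307, 308})


def _origin(url: str):
    """(scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(from_url, to_url, headers, trusted_hosts=frozenset()):
    """Headers to send to to_url after a redirect from from_url. Credential
    headers survive only for the same origin or for a host on the explicit
    allowlist (assumed here to hold the cluster's own DataNodes)."""
    if _origin(from_url) == _origin(to_url) or _origin(to_url)[1] in trusted_hosts:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow_redirects(url, headers, transport, trusted_hosts=frozenset(),
                     strip=True, max_hops=5):
    """Toy client loop. transport(url, headers) stands in for the network and
    returns (status, response_headers, body). strip=False models the naive
    client that forwards everything on every hop."""
    for _ in range(max_hops):
        status, resp_headers, body = transport(url, headers)
        location = next((v for k, v in resp_headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_CODES and location:
            next_url = urljoin(url, location)
            if strip:
                headers = headers_for_redirect(url, next_url, headers, trusted_hosts)
            url = next_url
            continue
        return body
    raise RuntimeError("too many redirects")


def make_fake_cluster(redirect_to: str):
    """Constructed stand-in for a NameNode that answers a WebHDFS OPEN with a
    307 to redirect_to, plus the host it points at. Records the headers each
    host received so the leak (or its absence) can be checked."""
    received = {}

    def transport(url, headers):
        host = _origin(url)[1]
        received.setdefault(host, []).append(dict(headers))
        if host == "namenode.example":
            return 307, {"Location": redirect_to}, b""
        return 200, {}, b"payload from " + host.encode()

    return transport, received


def _got_credentials(received, host) -> bool:
    return any("Authorization" in h for h in received.get(host, []))


def demo() -> dict:
    """Three runs: naive client vs hostile redirect, hardened client vs the
    same redirect, hardened client vs a legitimate DataNode redirect."""
    spnego = {"Authorization": "Negotiate YIIB...", "Accept": "*/*"}  # constructed token
    start = "https://namenode.example:9871/webhdfs/v1/user/alice/data.csv?op=OPEN"
    hostile = "https://evil.example/collect"
    datanode = "https://dn1.example:9865/webhdfs/v1/user/alice/data.csv?op=OPEN"
    results = {}

    transport, received = make_fake_cluster(hostile)
    follow_redirects(start, spnego, transport, strip=False)
    results["naive_leaks"] = _got_credentials(received, "evil.example")

    transport, received = make_fake_cluster(hostile)
    follow_redirects(start, spnego, transport, strip=True)
    results["hardened_leaks"] = _got_credentials(received, "evil.example")

    transport, received = make_fake_cluster(datanode)
    follow_redirects(start, spnego, transport, trusted_hosts=frozenset({"dn1.example"}))
    results["datanode_gets_token"] = _got_credentials(received, "dn1.example")
    return results
```

The allowlist is what keeps the legitimate NameNode-to-DataNode hop working; a plain same-origin rule would strip the token from every WebHDFS data redirect. Note that a scheme downgrade (https to http) on the same host also changes the origin and therefore drops credentials.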