Vulnerabilities > Apache

DATE CVE VULNERABILITY TITLE RISK
2024-10-14 CVE-2023-50780 Unspecified vulnerability in Apache Activemq Artemis
Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint.
network
low complexity
apache
8.8
2024-10-09 CVE-2024-45720 Unspecified vulnerability in Apache Subversion
On Windows platforms, a "best fit" character encoding conversion of command line arguments to Subversion's executables (e.g., svn.exe, etc.) may lead to unexpected command line argument interpretation, including argument injection and execution of other programs, if a specially crafted command line argument string is processed. All versions of Subversion up to and including Subversion 1.14.3 are affected on Windows platforms only.
local
low complexity
apache
7.8
2024-09-30 CVE-2024-45772 Deserialization of Untrusted Data vulnerability in Apache Lucene
Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient).
low complexity
apache CWE-502
8.0
2024-09-26 CVE-2024-47197 Insecure Storage of Sensitive Information vulnerability in Apache Maven Archetype 3.2.1
Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish.
network
low complexity
apache CWE-922
7.5
2024-09-17 CVE-2024-45384 Unspecified vulnerability in Apache Druid
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.
network
low complexity
apache
5.3
2024-09-17 CVE-2024-45537 Unspecified vulnerability in Apache Druid
Apache Druid allows users with certain permissions to read data from other database systems using JDBC.
network
low complexity
apache
6.5
2024-09-16 CVE-2024-22399 Unspecified vulnerability in Apache Seata
Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.
network
low complexity
apache
critical
9.8
2024-09-04 CVE-2024-45195 Forced Browsing vulnerability in Apache Ofbiz
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
network
low complexity
apache CWE-425
7.5
2024-09-04 CVE-2024-45507 Unspecified vulnerability in Apache Ofbiz
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
network
low complexity
apache
critical
9.8
2024-08-26 CVE-2023-49582 Unspecified vulnerability in Apache Portable Runtime
Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.
local
low complexity
apache
5.5