Vulnerabilities > Apache
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK (CVSS base score) |
---|---|---|---|
2022-11-03 | CVE-2022-32287 | Path Traversal vulnerability in Apache Uimaj: A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. | 7.5 |
2022-11-02 | CVE-2022-43670 | Cross-site Scripting vulnerability in Apache Sling CMS: An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the taxonomy management feature. | 5.4 |
2022-11-02 | CVE-2022-43982 | Cross-site Scripting vulnerability in Apache Airflow: In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | 6.1 |
2022-11-02 | CVE-2022-43985 | Open Redirect vulnerability in Apache Airflow: In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | 6.1 |
2022-11-01 | CVE-2022-31777 | Injection vulnerability in Apache Spark: A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user by including a malicious payload in the logs, which the UI then renders. | 5.4 |
2022-11-01 | CVE-2022-34662 | Path Traversal vulnerability in Apache DolphinScheduler: Adding a resource to the resource center with a relative path causes a path traversal issue; the flaw is reachable only by logged-in users. | 6.5 |
2022-11-01 | CVE-2022-42252 | HTTP Request Smuggling vulnerability in Apache Tomcat: If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. | 7.5 |
2022-10-28 | CVE-2022-26884 | Path Traversal vulnerability in Apache DolphinScheduler: Users can read arbitrary files via the log server. Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. | 6.5 |
2022-10-26 | CVE-2022-39944 | Deserialization of Untrusted Data vulnerability in Apache Linkis: In Apache Linkis <= 1.2.0 used with MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. | 8.8 |
2022-10-26 | CVE-2022-42468 | Injection vulnerability in Apache Flume 1.10.0/1.4.0/1.9.0: Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to remote code execution (RCE) when a configuration uses a JMS Source with an unsafe providerURL. | 9.8 |
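The two path traversal entries above (the UIMA PEAR installer writing files from crafted ZIP entry names, and the DolphinScheduler resource center accepting a relative path) share one root cause: a caller-supplied name is joined onto a base directory without checking where the joined path ends up. The check below is an added example written for this page in Python; it is not code from either project and the target directory `/opt/uima/pear/installed` is an assumed value. The sample archive is constructed inline and contains one legitimate entry and three escape attempts (dot-dot segments, backslash separators, and an absolute name).

```python
import io
import os
import posixpath
import re
import zipfile


def is_safe_entry(target_dir: str, entry_name: str) -> bool:
    """Return True only if extracting entry_name under target_dir cannot escape target_dir.

    Both sides are canonicalised with realpath() so ".." segments and any
    symlinked parents of target_dir are resolved before the containment check.
    """
    base = os.path.realpath(target_dir)
    # Treat backslashes as separators so "..\\x" is not mistaken for a plain file name.
    name = entry_name.replace("\\", "/")
    # Absolute names and Windows drive-letter names never belong in an archive.
    if posixpath.isabs(name) or os.path.isabs(name) or re.match(r"[A-Za-z]:", name):
        return False
    dest = os.path.realpath(os.path.join(base, name))
    # Compare with a trailing separator so "/opt/x/pear" does not accept "/opt/x/pear2/file".
    return dest == base or dest.startswith(base + os.sep)


def unsafe_entries(zip_bytes: bytes, target_dir: str) -> list[str]:
    """List the entry names of an in-memory ZIP that would land outside target_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry(target_dir, n)]


def build_sample_zip() -> bytes:
    """Constructed sample archive: one legitimate entry followed by three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mypear/desc/descriptor.xml", "<ok/>")
        zf.writestr("mypear/../../../outside.txt", "escaped via ..")
        zf.writestr("..\\..\\outside.txt", "escaped via backslashes")
        zf.writestr("/etc/cron.d/job", "escaped via absolute path")
    return buf.getvalue()


if __name__ == "__main__":
    target = "/opt/uima/pear/installed"  # assumed install directory; it need not exist for the check
    for name in unsafe_entries(build_sample_zip(), target):
        print("rejecting entry:", name)
```

The same `is_safe_entry` check applies to a single user-supplied relative path such as the DolphinScheduler resource name: resolve it against the base directory and refuse anything whose canonical form does not sit under that base. One caveat the check does not cover: ZIP entries that are themselves symbolic links can still point outside the target once extracted, so an extractor should also skip or reject symlink entries.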
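The Airflow `/confirm` entry is an open redirect: a redirect target taken from the request is followed without confirming it stays on the application's own host. The validator below is an added example written for this page, not Airflow's own fix, and `airflow.example` is an assumed host name. It normalises the target the way browsers do before deciding, because several inputs that look local to a URL parser are treated as foreign hosts by a browser.

```python
from urllib.parse import urljoin, urlsplit


def normalise_target(target: str) -> str:
    """Apply the browser-side normalisations that matter for redirect safety."""
    # Browsers drop tabs and newlines anywhere in a URL, ignore surrounding
    # whitespace, and treat backslashes as forward slashes.
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n").strip()
    return cleaned.replace("\\", "/")


def is_local_redirect(target: str, host: str) -> bool:
    """Accept a redirect target only if it resolves to an http(s) URL on `host`."""
    if not target:
        return False
    cleaned = normalise_target(target)
    # Any run of leading slashes is scheme-relative to a browser ("///evil.example"
    # becomes https://evil.example/), but urlsplit() reads "///x" as a path, so
    # refuse it before parsing instead of trusting the parser's view.
    if cleaned.startswith("//"):
        return False
    resolved = urlsplit(urljoin(f"https://{host}/", cleaned))
    return resolved.scheme in ("http", "https") and resolved.netloc.lower() == host.lower()


def redirect_or_default(target: str, host: str, default: str = "/home") -> str:
    """Return the normalised target when it is safe, otherwise a fixed landing page."""
    return normalise_target(target) if is_local_redirect(target, host) else default


if __name__ == "__main__":
    for candidate in ["/dags/list", "//evil.example/", "/\\evil.example", "javascript:alert(1)"]:
        print(repr(candidate), "->", redirect_or_default(candidate, "airflow.example"))
```

Comparing the full `netloc` rather than just the host name also rejects targets carrying userinfo such as `https://airflow.example@evil.example/`, which some parsers and some humans misread as local.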
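The Tomcat entry describes a desync between two HTTP parsers: with rejectIllegalHeader set to false the back end dropped an unparsable Content-Length and read the request as bodiless, while a front end that tolerated the same header could forward the body along with it. The model below is an added example written for this page, not Tomcat code. It frames one constructed byte stream under three rules: a strict rule that rejects the request, a rule that drops the invalid header (the pre-fix behaviour the advisory describes), and a hypothetical lenient front end that takes the leading digits, which is an assumption about the proxy and not something the advisory states.

```python
import re

_DIGITS = re.compile(rb"^[0-9]+$")


def parse_head(head: bytes) -> tuple[bytes, list[tuple[bytes, bytes]]]:
    """Split a request head into its request line and (lowercased name, value) pairs."""
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def body_length_strict(headers) -> int:
    """Framing rule that rejects anything ambiguous: invalid, conflicting, or CL next to TE."""
    values = [v for n, v in headers if n == b"content-length"]
    if values and any(n == b"transfer-encoding" for n, _ in headers):
        raise ValueError("Content-Length and Transfer-Encoding together")
    if not values:
        return 0
    if any(not _DIGITS.match(v) for v in values):
        raise ValueError(f"invalid Content-Length: {values!r}")
    if len(set(values)) > 1:
        raise ValueError(f"conflicting Content-Length: {values!r}")
    return int(values[0])


def body_length_drop_invalid(headers) -> int:
    """Framing rule that silently ignores an unparsable Content-Length, so the request reads as bodiless."""
    valid = [int(v) for n, v in headers if n == b"content-length" and _DIGITS.match(v)]
    return valid[0] if valid else 0


def body_length_leading_digits(headers) -> int:
    """Hypothetical lenient front end that keeps the leading digits of Content-Length."""
    for n, v in headers:
        if n == b"content-length":
            m = re.match(rb"[0-9]+", v)
            if m:
                return int(m.group())
    return 0


def frame_requests(stream: bytes, body_length) -> list[bytes]:
    """Cut a byte stream into requests using the given framing rule; returns the request lines seen."""
    seen = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        request_line, headers = parse_head(head)
        seen.append(request_line)
        stream = rest[body_length(headers):]
    return seen


# Constructed sample: the attacker's POST carries a Content-Length that is not a
# valid integer, and its "body" is a complete second request.
SMUGGLED = b"GET /manager/html HTTP/1.1\r\nHost: app.example\r\n\r\n"
STREAM = (
    b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Length: " + str(len(SMUGGLED)).encode() + b"x\r\n\r\n"
    + SMUGGLED
)

if __name__ == "__main__":
    print("front end sees:", frame_requests(STREAM, body_length_leading_digits))
    print("back end (drop invalid) sees:", frame_requests(STREAM, body_length_drop_invalid))
    try:
        frame_requests(STREAM, body_length_strict)
    except ValueError as err:
        print("back end (strict) rejects:", err)
```

The front end forwards one request; the lenient back end answers two, and the second never passed through the proxy's access controls. Any server-side setting that turns an invalid framing header into a warning rather than a 400 reintroduces this gap, which is why the fixed Tomcat versions reject the request regardless of rejectIllegalHeader.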