Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-06 | CVE-2022-40160 | Out-of-bounds Write vulnerability in Apache Commons Jxpath ** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. | 6.5 |
| 2022-09-28 | CVE-2021-43980 | Race Condition vulnerability in multiple products The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. | 3.7 |
| 2022-09-22 | CVE-2022-38398 | Server-Side Request Forgery (SSRF) vulnerability in multiple products Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. | 5.3 |
| 2022-09-22 | CVE-2022-38648 | Server-Side Request Forgery (SSRF) vulnerability in multiple products Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. | 5.3 |
| 2022-09-22 | CVE-2022-40146 | Server-Side Request Forgery (SSRF) vulnerability in multiple products Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. | 7.5 |
| 2022-09-22 | CVE-2022-40705 | XXE vulnerability in Apache Soap 2.2/2.3 An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. | 7.5 |
| 2022-09-20 | CVE-2022-40955 | Deserialization of Untrusted Data vulnerability in Apache Inlong In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. | 8.8 |
| 2022-09-11 | CVE-2022-39135 | XXE vulnerability in Apache Calcite Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. | 9.8 |
| 2022-09-08 | CVE-2022-28220 | Command Injection vulnerability in Apache James Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. | 7.5 |
| 2022-09-02 | CVE-2022-25371 | Path Traversal vulnerability in Apache Ofbiz Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. | 9.8 |