Vulnerabilities > Apache

DATE CVE VULNERABILITY TITLE RISK
2022-09-23 CVE-2022-33682 Improper Certificate Validation vulnerability in Apache Pulsar
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients.
network
high complexity
apache CWE-295
5.9
2022-09-23 CVE-2022-33683 Improper Certificate Validation vulnerability in Apache Pulsar
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration.
network
high complexity
apache CWE-295
5.9
2022-09-23 CVE-2022-26112 Unspecified vulnerability in Apache Pinot
In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support.
network
low complexity
apache
critical
9.8
2022-09-22 CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol.
network
low complexity
apache debian
5.3
2022-09-22 CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources.
network
low complexity
apache debian
5.3
2022-09-22 CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url.
network
low complexity
apache debian
7.5
2022-09-22 CVE-2022-40705 XXE vulnerability in Apache Soap 2.2/2.3
An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP.
network
low complexity
apache CWE-611
7.5
2022-09-21 CVE-2022-40604 Use of Externally-Controlled Format String vulnerability in Apache Airflow
In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.
network
low complexity
apache CWE-134
7.5
2022-09-21 CVE-2022-40754 Open Redirect vulnerability in Apache Airflow
In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.
network
low complexity
apache CWE-601
6.1
2022-09-20 CVE-2022-40955 Unspecified vulnerability in Apache Inlong
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server.
network
low complexity
apache
8.8