Vulnerabilities > Apache

DATE CVE VULNERABILITY TITLE RISK
2022-01-26 CVE-2022-22932 Path Traversal vulnerability in Apache Karaf
Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder.
network
low complexity
apache CWE-22
5.0
5.0
2022-01-25 CVE-2021-45029 Code Injection vulnerability in Apache Shenyu 2.4.0/2.4.1
Groovy Code Injection & SpEL Injection which lead to Remote Code Execution.
network
low complexity
apache CWE-94
7.5
7.5
2022-01-25 CVE-2022-23223 Insufficiently Protected Credentials vulnerability in Apache Shenyu 2.4.0/2.4.1
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users.
network
low complexity
apache CWE-522
7.5
7.5
2022-01-25 CVE-2022-23944 Missing Authentication for Critical Function vulnerability in Apache Shenyu 2.4.0/2.4.1
User can access /plugin api without authentication.
network
low complexity
apache CWE-306
6.4
6.4
2022-01-25 CVE-2022-23945 Missing Authentication for Critical Function vulnerability in Apache Shenyu 2.4.0/2.4.1
Missing authentication on ShenYu Admin when register by HTTP.
network
low complexity
apache CWE-306
5.0
5.0
2022-01-24 CVE-2022-23437 Infinite Loop vulnerability in multiple products
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads.
network
low complexity
apache oracle netapp CWE-835
6.5
6.5
2022-01-20 CVE-2021-45230 Unspecified vulnerability in Apache Airflow
In Apache Airflow prior to 2.2.0.
network
low complexity
apache
4.0
4.0
2022-01-20 CVE-2022-22733 Information Exposure vulnerability in Apache Shardingsphere Elasticjob-Ui 3.0.0
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation.
network
low complexity
apache CWE-200
4.0
4.0
2022-01-18 CVE-2022-23302 Deserialization of Untrusted Data vulnerability in multiple products
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.
network
low complexity
apache netapp broadcom qos oracle CWE-502
8.8
8.8
2022-01-18 CVE-2022-23305 SQL Injection vulnerability in multiple products
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout.
network
low complexity
apache netapp broadcom qos oracle CWE-89
critical
 9.8
9.8