Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-06 | CVE-2021-36738 | Cross-site Scripting vulnerability in Apache Pluto The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. | 6.1 |
| 2022-01-06 | CVE-2021-36739 | Cross-site Scripting vulnerability in Apache Pluto 3.1.0 The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks. | 6.1 |
| 2022-01-04 | CVE-2021-34797 | Information Exposure Through Log Files vulnerability in Apache Geode Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". | 7.5 |
| 2022-01-04 | CVE-2021-38542 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apache James 2.2.0/3.3.0/3.4.0 Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. | 5.9 |
| 2022-01-04 | CVE-2021-40110 | Unspecified vulnerability in Apache James 2.2.0/3.3.0/3.4.0 In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. | 7.5 |
| 2022-01-04 | CVE-2021-40111 | Infinite Loop vulnerability in Apache James 2.2.0/3.3.0/3.4.0 In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. | 6.5 |
| 2022-01-04 | CVE-2021-40525 | Path Traversal vulnerability in Apache James Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. | 9.1 |
| 2021-12-28 | CVE-2021-44832 | Improper Input Validation vulnerability in multiple products Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. | 6.6 |
| 2021-12-27 | CVE-2021-45232 | Missing Authentication for Critical Function vulnerability in Apache Apisix Dashboard In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication. | 9.8 |
| 2021-12-23 | CVE-2021-44548 | Path Traversal vulnerability in Apache Solr An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. | 9.8 |