Vulnerabilities > Apache
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-09 | CVE-2021-43410 | Improper Encoding or Escaping of Output vulnerability in Apache Airavata Django Portal. Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. | 5.3 |
2021-11-24 | CVE-2021-40369 | Cross-site Scripting vulnerability in Apache JSPWiki. A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute JavaScript in the victim's browser and get some sensitive information about the victim. | 6.1 |
2021-11-24 | CVE-2021-44140 | Incorrect Default Permissions vulnerability in Apache JSPWiki. Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted HTTP request on logout, given that those files are reachable to the user running the JSPWiki instance. | 9.1 |
2021-11-22 | CVE-2021-43557 | Command Injection vulnerability in Apache APISIX. The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. | 7.5 |
2021-11-19 | CVE-2021-36372 | Unspecified vulnerability in Apache Ozone. In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. | 9.8 |
2021-11-19 | CVE-2021-39231 | Missing Authorization vulnerability in Apache Ozone. In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration. | 9.1 |
2021-11-19 | CVE-2021-39232 | Missing Authorization vulnerability in Apache Ozone. In Apache Ozone versions prior to 1.2.0, certain admin-related SCM commands can be executed by any authenticated user, not just by admins. | 8.8 |
2021-11-19 | CVE-2021-39233 | Unspecified vulnerability in Apache Ozone. In Apache Ozone versions prior to 1.2.0, container-related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client. | 9.1 |
2021-11-19 | CVE-2021-39234 | Incorrect Authorization vulnerability in Apache Ozone. In Apache Ozone versions prior to 1.2.0, authenticated users knowing the ID of an existing block can craft a specific request allowing access to those blocks, bypassing other security checks like ACL. | 6.8 |
2021-11-19 | CVE-2021-39235 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Ozone. In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. | 6.5 |