Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-14 | CVE-2020-17511 | Cleartext Storage of Sensitive Information vulnerability in Apache Airflow In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. | 6.5 |
| 2020-12-11 | CVE-2020-17515 | Cross-site Scripting vulnerability in Apache Airflow The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. | 6.1 |
| 2020-12-11 | CVE-2020-17530 | Expression Language Injection vulnerability in multiple products Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | 9.8 |
| 2020-12-09 | CVE-2020-17529 | Out-of-bounds Write vulnerability in Apache Nuttx Out-of-bounds Write vulnerability in TCP Stack of Apache NuttX (incubating) versions up to and including 9.1.0 and 10.0.0 allows attacker to corrupt memory by supplying and invalid fragmentation offset value specified in the IP header. | 9.8 |
| 2020-12-09 | CVE-2020-17528 | Out-of-bounds Write vulnerability in Apache Nuttx Out-of-bounds Write vulnerability in TCP stack of Apache NuttX (incubating) versions up to and including 9.1.0 and 10.0.0 allows attacker to corrupt memory by supplying arbitrary urgent data pointer offsets within TCP packets including beyond the length of the packet. | 9.1 |
| 2020-12-08 | CVE-2020-17531 | Unspecified vulnerability in Apache Tapestry A Java Serialization vulnerability was found in Apache Tapestry 4. | 9.8 |
| 2020-12-07 | CVE-2020-17521 | Apache Groovy provides extension methods to aid with creating temporary directories. | 5.5 |
| 2020-12-07 | CVE-2020-13945 | Unspecified vulnerability in Apache Apisix In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. | 6.5 |
| 2020-12-03 | CVE-2020-17527 | Information Exposure vulnerability in multiple products While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. | 7.5 |
| 2020-12-03 | CVE-2020-25649 | XXE vulnerability in multiple products A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. | 7.5 |