Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-01 | CVE-2020-9487 | Missing Authentication for Critical Function vulnerability in Apache Nifi In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. | 7.5 |
| 2020-10-01 | CVE-2020-9486 | Information Exposure Through Log Files vulnerability in Apache Nifi In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. | 7.5 |
| 2020-10-01 | CVE-2020-13940 | XXE vulnerability in Apache Nifi In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. | 5.5 |
| 2020-10-01 | CVE-2020-11979 | As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. | 7.5 |
| 2020-09-30 | CVE-2020-13952 | Unspecified vulnerability in Apache Superset In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. | 8.1 |
| 2020-09-30 | CVE-2020-13953 | Files or Directories Accessible to External Parties vulnerability in Apache Tapestry In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run. | 5.3 |
| 2020-09-30 | CVE-2020-13951 | Unspecified vulnerability in Apache Openmeetings Attackers can use public NetTest web service of Apache OpenMeetings 4.0.0-5.0.0 to organize denial of service attack. | 7.5 |
| 2020-09-30 | CVE-2018-11765 | Improper Authentication vulnerability in Apache Hadoop In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. | 7.5 |
| 2020-09-17 | CVE-2020-13944 | Cross-site Scripting vulnerability in Apache Airflow In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. | 6.1 |
| 2020-09-17 | CVE-2020-13948 | Unspecified vulnerability in Apache Superset While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the web application process in versions < 0.37.1. | 8.8 |