Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2024-09-16 CVE-2024-22399 Unspecified vulnerability in Apache Seata
Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.
network
low complexity
apache
critical
9.8
2024-09-04 CVE-2024-45507 Unspecified vulnerability in Apache Ofbiz
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
network
low complexity
apache
critical
9.8
2024-08-20 CVE-2024-42361 SQL Injection vulnerability in Apache Hertzbeat
Hertzbeat is an open source, real-time monitoring system.
network
low complexity
apache CWE-89
critical
9.8
2024-08-05 CVE-2024-38856 Unspecified vulnerability in Apache Ofbiz
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
network
low complexity
apache
critical
9.8
2024-08-05 CVE-2024-42447 Unspecified vulnerability in Apache Apache-Airflow-Providers-Fab 1.2.0/1.2.1
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions.
network
low complexity
apache
critical
9.8
2024-08-02 CVE-2024-36268 Unspecified vulnerability in Apache Inlong 1.10.0/1.11.0/1.12.0
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution.
network
low complexity
apache
critical
9.8
2024-07-19 CVE-2024-29736 Unspecified vulnerability in Apache CXF
A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices.
network
low complexity
apache
critical
9.1
2024-07-05 CVE-2024-38346 Unspecified vulnerability in Apache Cloudstack
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts.
network
low complexity
apache
critical
9.8
2024-07-05 CVE-2024-39864 Unspecified vulnerability in Apache Cloudstack
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes.
network
low complexity
apache
critical
9.8
2024-07-01 CVE-2024-38474 Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
network
low complexity
apache netapp
critical
9.8