Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2025-03-10 CVE-2025-24813 Use of Incorrectly-Resolved Name or Reference vulnerability in Apache Tomcat
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
network
low complexity
apache CWE-706
critical
9.8
2025-01-08 CVE-2024-54676 Unspecified vulnerability in Apache Openmeetings
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html  doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
network
low complexity
apache
critical
9.8
2024-12-25 CVE-2024-52046 Deserialization of Untrusted Data vulnerability in Apache Mina
The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses.
network
low complexity
apache CWE-502
critical
9.8
2024-11-12 CVE-2024-50386 Unspecified vulnerability in Apache Cloudstack
Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances.
network
low complexity
apache
critical
9.9
2024-09-16 CVE-2024-22399 Unspecified vulnerability in Apache Seata
Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.
network
low complexity
apache
critical
9.8
2024-09-04 CVE-2024-45507 Unspecified vulnerability in Apache Ofbiz
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
network
low complexity
apache
critical
9.8
2024-08-20 CVE-2024-42361 SQL Injection vulnerability in Apache Hertzbeat
Hertzbeat is an open source, real-time monitoring system.
network
low complexity
apache CWE-89
critical
9.8
2024-08-20 CVE-2024-43202 Unspecified vulnerability in Apache Dolphinscheduler
Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2.
network
low complexity
apache
critical
9.8
2024-08-05 CVE-2024-38856 Unspecified vulnerability in Apache Ofbiz
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
network
low complexity
apache
critical
9.8
2024-08-05 CVE-2024-42447 Unspecified vulnerability in Apache Apache-Airflow-Providers-Fab 1.2.0/1.2.1
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions.
network
low complexity
apache
critical
9.8