Vulnerabilities > Apache > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-01-08 | CVE-2024-54676 | Unspecified vulnerability in Apache Openmeetings Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation. | 9.8 |
| 2024-12-25 | CVE-2024-52046 | Deserialization of Untrusted Data vulnerability in Apache Mina The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. | 9.8 |
| 2024-11-12 | CVE-2024-50386 | Unspecified vulnerability in Apache Cloudstack Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. | 9.9 |
| 2024-09-16 | CVE-2024-22399 | Unspecified vulnerability in Apache Seata Deserialization of Untrusted Data vulnerability in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue. | 9.8 |
| 2024-09-04 | CVE-2024-45507 | Unspecified vulnerability in Apache Ofbiz Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | 9.8 |
| 2024-08-20 | CVE-2024-42361 | SQL Injection vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system. | 9.8 |
| 2024-08-05 | CVE-2024-38856 | Unspecified vulnerability in Apache Ofbiz Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). | 9.8 |
| 2024-08-05 | CVE-2024-42447 | Unspecified vulnerability in Apache Apache-Airflow-Providers-Fab 1.2.0/1.2.1 Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. | 9.8 |
| 2024-08-02 | CVE-2024-36268 | Unspecified vulnerability in Apache Inlong 1.10.0/1.11.0/1.12.0 Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. | 9.8 |
| 2024-07-19 | CVE-2024-29736 | Unspecified vulnerability in Apache CXF A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. | 9.1 |