Critical vulnerabilities in Apache projects
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS v3 base score) |
---|---|---|---|---|
2022-09-02 | CVE-2022-29063 | Deserialization of Untrusted Data vulnerability in Apache OFBiz | The Solr plugin of Apache OFBiz is configured by default to automatically make an RMI request to localhost, port 1099. An attacker who can host a malicious RMI server on that port can use the deserialization of its reply to execute code. Fixed in 18.12.06. | 9.8 |
2022-09-02 | CVE-2022-38054 | Session Fixation vulnerability in Apache Airflow | In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. Fixed in 2.3.4. | 9.8 |
2022-08-31 | CVE-2022-37021 | Deserialization of Untrusted Data vulnerability in Apache Geode | Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. | 9.8 |
2022-08-21 | CVE-2022-34916 | Improper Input Validation vulnerability in Apache Flume | Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to remote code execution (RCE) when a configuration uses a JMS Source with a JNDI LDAP data source URI and an attacker controls the target LDAP server. Fixed in 1.10.1. | 9.8 |
2022-08-04 | CVE-2022-25168 | OS Command Injection vulnerability in Apache Hadoop | Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before passing it to the shell, so a caller that hands it an attacker-controlled file name can be made to run arbitrary shell commands. Fixed in 2.10.2, 3.2.4 and 3.3.3. | 9.8 |
2022-07-18 | CVE-2022-35741 | XXE vulnerability in Apache CloudStack | Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is vulnerable to XML external entity (XXE) injection. The plugin is not enabled by default; only deployments that enable it are exposed. Fixed in 4.16.1.1 and 4.17.0.1. | 9.8 |
2022-07-06 | CVE-2022-33980 | Insecure interpolation defaults in Apache Commons Configuration | Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded using the `${prefix:name}` syntax. In versions 2.4 through 2.7 the default set of Lookup instances includes interpolators (`script`, `dns`, `url`) that can execute arbitrary code or contact remote servers when untrusted input reaches the interpolator. Fixed in 2.8.0. | 9.8 |
2022-07-06 | CVE-2022-32533 | Insufficient input filtering in Apache Jetspeed-2 | Apache Jetspeed-2 does not sufficiently filter untrusted user input by default, leading to a number of issues including XSS, CSRF, XXE, and SSRF. | 9.8 |
2022-06-29 | CVE-2022-32532 | Incorrect Authorization vulnerability in Apache Shiro | In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. Fixed in 1.9.1. | 9.8 |
2022-06-14 | CVE-2022-25167 | Improper Input Validation vulnerability in Apache Flume | Apache Flume versions 1.4.0 through 1.9.0 are vulnerable to remote code execution (RCE) when a configuration uses a JMS Source with a JNDI LDAP data source URI and an attacker controls the target LDAP server. Fixed in 1.10.0. | 9.8 |
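The two Flume entries (CVE-2022-25167 and CVE-2022-34916) share one trigger: a JMS Source whose JNDI provider is an LDAP server. The following is an added example, not Flume's own code or its fix, of how to scan an agent's properties-format configuration for that pattern and to map an installed Flume version onto the affected ranges stated in the table. The property names `type`, `initialContextFactory` and `providerURL` are the JMS Source's configuration keys; the configuration text is constructed for the example, and the set of URL schemes treated as "remote JNDI" is a policy choice of this example rather than anything Flume itself enforces.

```python
import re
from urllib.parse import urlsplit

# Constructed Flume agent configuration (Java properties format) for this example;
# it is not taken from any real deployment.
SAMPLE_CONFIG = """\
# constructed agent config
a1.sources = jmsIn fileIn
a1.channels = c1
a1.sources.jmsIn.type = jms
a1.sources.jmsIn.initialContextFactory = com.sun.jndi.ldap.LdapCtxFactory
a1.sources.jmsIn.connectionFactory = GenericConnectionFactory
a1.sources.jmsIn.providerURL = ldap://10.0.0.5:1389/cn=jms,dc=example,dc=com
a1.sources.jmsIn.destinationName = BUSINESS_DATA
a1.sources.jmsIn.destinationType = QUEUE
a1.sources.jmsIn.channels = c1
a1.sources.fileIn.type = spooldir
a1.sources.fileIn.spoolDir = /var/spool/flume
a1.sources.fileIn.channels = c1
"""

# URL schemes that make the JNDI InitialContext talk to a naming service an attacker
# may control. This is the example's own policy, not an allow-list from Flume.
REMOTE_JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "iiop", "dns"}

# Affected ranges exactly as stated in the advisories above (inclusive bounds).
FLUME_JMS_JNDI_CVES = {
    "CVE-2022-25167": ((1, 4, 0), (1, 9, 0)),
    "CVE-2022-34916": ((1, 4, 0), (1, 10, 0)),
}

SOURCE_KEY = re.compile(r"^(?P<agent>[^.\s]+)\.sources\.(?P<src>[^.\s]+)\.(?P<prop>.+)$")


def parse_properties(text):
    """Minimal Java-properties reader: 'key = value' lines, '=' separator only,
    '#' or '!' comment lines. Values may themselves contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def jms_sources(props):
    """Group per-source properties and keep only sources of type 'jms'.
    Returns {(agent, source_name): {property: value}}."""
    sources = {}
    for key, value in props.items():
        m = SOURCE_KEY.match(key)
        if m:
            sources.setdefault((m["agent"], m["src"]), {})[m["prop"]] = value
    return {k: v for k, v in sources.items() if v.get("type", "").lower() == "jms"}


def find_jndi_ldap_findings(config_text):
    """Flag JMS sources whose JNDI setup points at a remote naming service.
    Each finding is (agent, source, property, value)."""
    findings = []
    for (agent, src), p in jms_sources(parse_properties(config_text)).items():
        url = p.get("providerURL", "")
        if urlsplit(url).scheme.lower() in REMOTE_JNDI_SCHEMES:
            findings.append((agent, src, "providerURL", url))
        icf = p.get("initialContextFactory", "")
        # The JDK's LDAP context factory is a second, independent sign of an LDAP JNDI setup.
        if "ldap" in icf.lower():
            findings.append((agent, src, "initialContextFactory", icf))
    return findings


def parse_version(version):
    """'1.10.0' -> (1, 10, 0); a '-SNAPSHOT' style suffix is dropped, missing parts are 0."""
    parts = [int(x) for x in version.split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def affected_cves(flume_version):
    """CVE ids from the table whose stated range contains the given Flume version."""
    v = parse_version(flume_version)
    return sorted(cve for cve, (lo, hi) in FLUME_JMS_JNDI_CVES.items() if lo <= v <= hi)


if __name__ == "__main__":
    for finding in find_jndi_ldap_findings(SAMPLE_CONFIG):
        print("JMS source with remote JNDI provider:", finding)
    print("Flume 1.10.0 affected by:", affected_cves("1.10.0"))
```

A clean finding list does not by itself prove a deployment is safe: the version check still applies, and a JMS source that reads its provider URL from an external file or environment variable is not visible to a scan of the agent configuration alone.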
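The Shiro entry (CVE-2022-32532) turns on a regex detail that is easy to overlook: `.` in a Java regular expression does not match a line terminator, so a rule written as `/admin/.*` and applied as a full match fails to match a path that contains a newline, and a chain in which an unmatched path receives no filter then lets that request through unauthenticated. The block below is an added example that reproduces the mechanism in Python, with a constructed filter chain, rather than Shiro's own matcher code; it assumes the servlet container percent-decodes the request URI (so `%0a` reaches the matcher as a literal newline) and passes that path through unchanged, which is what "on some servlet containers" in the advisory is about.

```python
import re
from urllib.parse import unquote

# Constructed filter chain in the style of a regex request matcher (example data, not a
# Shiro configuration): the first rule whose regex FULLY matches the path wins, and a path
# that matches no rule is passed through with no filter, i.e. as anonymous.
FILTER_CHAIN = [
    (r"/admin/.*", "authc, roles[admin]"),
    (r"/api/.*", "authc"),
]

# Flags a hardened matcher would compile every rule with: DOTALL makes '.' match
# line terminators too, so a newline in the path cannot break the full match.
HARDENED_FLAGS = re.DOTALL


def resolve_filters(path, chain, flags=0):
    """Return the filter spec of the first rule whose regex fully matches `path`,
    or None when no rule matches (the request would proceed unfiltered)."""
    for pattern, spec in chain:
        if re.fullmatch(pattern, path, flags):
            return spec
    return None


def resolve_for_request(raw_uri, chain, flags=0):
    """Resolve filters for a raw request URI. Assumption of this example: the container
    percent-decodes the URI before the matcher sees it, so %0a becomes '\\n'."""
    return resolve_filters(unquote(raw_uri), chain, flags)


def has_control_chars(path):
    """Defence in depth independent of the regex: a legitimate request path never
    contains ASCII control characters, so such a request can be rejected outright."""
    return any(ord(c) < 0x20 or c == "\x7f" for c in path)


if __name__ == "__main__":
    probe = "/admin/%0ausers"
    print("vulnerable matcher :", resolve_for_request(probe, FILTER_CHAIN))
    print("DOTALL matcher     :", resolve_for_request(probe, FILTER_CHAIN, HARDENED_FLAGS))
    print("control chars seen :", has_control_chars(unquote(probe)))
```

Python's `.` excludes only `\n`, whereas Java's (without `UNIX_LINES`) also excludes `\r`, `\u0085`, `\u2028` and `\u2029`, so a Java matcher has more than one character to defend against; compiling with `DOTALL`, or writing `[\s\S]*` instead of `.*`, closes all of them, and rejecting control characters in the path before any matching removes the dependence on the container's decoding behaviour.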