Vulnerabilities > Apache > Critical

DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | ATTACK COMPLEXITY | VENDOR | CWE | SEVERITY | CVSS SCORE
2022-10-12 | CVE-2022-40664 | Unspecified vulnerability in Apache Shiro | Apache Shiro before 1.10.0 contains an authentication bypass vulnerability when forwarding or including via RequestDispatcher. | network | low | apache | | critical | 9.8
2022-09-23 | CVE-2022-26112 | Unspecified vulnerability in Apache Pinot | In Apache Pinot 0.10.0 or older, the Pinot query endpoint and realtime ingestion layer have a vulnerability in unprotected environments due to Groovy function support. | network | low | apache | | critical | 9.8
2022-09-11 | CVE-2022-39135 | Unspecified vulnerability in Apache Calcite | The SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE, introduced in Apache Calcite 1.22.0, do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. | network | low | apache | | critical | 9.8
2022-09-02 | CVE-2022-25371 | Unspecified vulnerability in Apache Ofbiz | Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. | network | low | apache | | critical | 9.8
2022-09-02 | CVE-2022-29063 | Deserialization of Untrusted Data vulnerability in Apache Ofbiz | The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. | network | low | apache | CWE-502 | critical | 9.8
2022-09-02 | CVE-2022-38054 | Session Fixation vulnerability in Apache Airflow | In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | network | low | apache | CWE-384 | critical | 9.8
2022-08-31 | CVE-2022-37021 | Deserialization of Untrusted Data vulnerability in Apache Geode | Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. | network | low | apache | CWE-502 | critical | 9.8
2022-08-21 | CVE-2022-34916 | Unspecified vulnerability in Apache Flume 1.10.0/1.4.0/1.9.0 | Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to remote code execution (RCE) when a configuration uses a JMS Source with a JNDI LDAP data source URI and an attacker controls the target LDAP server. | network | low | apache | | critical | 9.8
2022-08-04 | CVE-2022-25168 | Unspecified vulnerability in Apache Hadoop | Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before it is passed to the shell. | network | low | apache | | critical | 9.8
2022-07-18 | CVE-2022-35741 | XXE vulnerability in Apache Cloudstack | Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin that is vulnerable to XML external entity (XXE) injection. | network | low | apache | CWE-611 | critical | 9.8