Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2021-12-10 CVE-2021-44228 Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 10.0
2021-11-24 CVE-2021-44140 Incorrect Default Permissions vulnerability in Apache Jspwiki
Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance.
network
low complexity
apache CWE-276
critical
9.1
2021-11-19 CVE-2021-36372 Unspecified vulnerability in Apache Ozone
In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key.
network
low complexity
apache
critical
9.8
2021-11-19 CVE-2021-39231 Missing Authorization vulnerability in Apache Ozone
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
network
low complexity
apache CWE-862
critical
9.1
2021-11-19 CVE-2021-39233 Unspecified vulnerability in Apache Ozone
In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.
network
low complexity
apache
critical
9.1
2021-11-16 CVE-2021-37580 Improper Authentication vulnerability in Apache Shenyu 2.3.0/2.4.0
A flaw was found in Apache ShenYu Admin.
network
low complexity
apache CWE-287
critical
9.8
2021-11-11 CVE-2021-43350 Injection vulnerability in Apache Traffic Control
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
network
low complexity
apache CWE-74
critical
9.8
2021-11-03 CVE-2021-43082 Classic Buffer Overflow vulnerability in Apache Traffic Server
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory.
network
low complexity
apache CWE-120
critical
9.8
2021-10-25 CVE-2021-38294 OS Command Injection vulnerability in Apache Storm
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4.
network
low complexity
apache CWE-78
critical
9.8
2021-10-25 CVE-2021-40865 Deserialization of Untrusted Data vulnerability in Apache Storm
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE).
network
low complexity
apache CWE-502
critical
9.8