Vulnerabilities > Apache > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-09-17 | CVE-2021-41303 | Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. | 9.8 |
| 2021-09-16 | CVE-2021-39275 | Out-of-bounds Write vulnerability in multiple products ap_escape_quotes() may write beyond the end of a buffer when given malicious input. | 9.8 |
| 2021-09-16 | CVE-2021-40438 | Server-Side Request Forgery (SSRF) vulnerability in multiple products A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. | 9.0 |
| 2021-09-11 | CVE-2021-38555 | XXE vulnerability in Apache Any23 An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. | 9.1 |
| 2021-09-11 | CVE-2021-40146 | Unspecified vulnerability in Apache Any23 A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. | 9.8 |
| 2021-09-09 | CVE-2021-38540 | Missing Authentication for Critical Function vulnerability in Apache Airflow The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. | 9.8 |
| 2021-09-09 | CVE-2021-36161 | Use of Externally-Controlled Format String vulnerability in Apache Dubbo Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. | 9.8 |
| 2021-09-09 | CVE-2021-37579 | Deserialization of Untrusted Data vulnerability in Apache Dubbo The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. | 9.8 |
| 2021-09-07 | CVE-2021-36163 | Deserialization of Untrusted Data vulnerability in Apache Dubbo In Apache Dubbo, users may choose to use the Hessian protocol. | 9.8 |
| 2021-09-02 | CVE-2019-10095 | Command Injection vulnerability in Apache Zeppelin bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. | 9.8 |