Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-11-09 CVE-2023-47248 Unspecified vulnerability in Apache Pyarrow
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution.
network
low complexity
apache
critical
9.8
2023-10-27 CVE-2023-46604 The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution.
network
low complexity
apache debian netapp
critical
9.8
2023-10-16 CVE-2023-43668 Authorization Bypass Through User-Controlled Key vulnerability in Apache Inlong
Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... .   Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/8604
network
low complexity
apache CWE-639
critical
9.8
2023-10-11 CVE-2023-44981 Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper.
network
low complexity
apache debian
critical
9.1
2023-09-05 CVE-2023-40743 Unspecified vulnerability in Apache Axis
** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP.
network
low complexity
apache
critical
9.8
2023-08-09 CVE-2023-33934 Unspecified vulnerability in Apache Traffic Server
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1.
network
low complexity
apache
critical
9.1
2023-07-26 CVE-2023-38647 Unspecified vulnerability in Apache Helix 0.9.10/0.9.9/1.2.0
An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader.
network
low complexity
apache
critical
9.8
2023-07-25 CVE-2023-37895 Unspecified vulnerability in Apache Jackrabbit
Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI. Users are advised to immediately update to versions 2.20.11 or 2.21.18.
network
low complexity
apache
critical
9.8
2023-07-25 CVE-2023-35088 Unspecified vulnerability in Apache Inlong
Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.  In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8198
network
low complexity
apache
critical
9.8
2023-07-24 CVE-2023-34478 Unspecified vulnerability in Apache Shiro
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
network
low complexity
apache
critical
9.8