Vulnerabilities > Apache > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-20 | CVE-2022-46337 | Injection vulnerability in Apache Derby A cleverly devised username might bypass LDAP authentication checks. | 9.8 |
| 2023-11-20 | CVE-2023-46302 | Unspecified vulnerability in Apache Submarine 0.7.0 Apache Software Foundation Apache Submarine has a bug when serializing against yaml. | 9.8 |
| 2023-11-09 | CVE-2023-47248 | Unspecified vulnerability in Apache Pyarrow Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. | 9.8 |
| 2023-10-27 | CVE-2023-46604 | The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. | 9.8 |
| 2023-10-16 | CVE-2023-43668 | Authorization Bypass Through User-Controlled Key vulnerability in Apache Inlong Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... . Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8604 | 9.8 |
| 2023-10-11 | CVE-2023-44981 | Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. | 9.1 |
| 2023-09-05 | CVE-2023-40743 | Unspecified vulnerability in Apache Axis ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. | 9.8 |
| 2023-08-09 | CVE-2023-33934 | Unspecified vulnerability in Apache Traffic Server Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1. | 9.1 |
| 2023-07-26 | CVE-2023-38647 | Unspecified vulnerability in Apache Helix 0.9.10/0.9.9/1.2.0 An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. | 9.8 |
| 2023-07-25 | CVE-2023-37895 | Unspecified vulnerability in Apache Jackrabbit Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI. Users are advised to immediately update to versions 2.20.11 or 2.21.18. | 9.8 |