Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-05-08 CVE-2023-25754 Unspecified vulnerability in Apache Airflow
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.
network
low complexity
apache
critical
9.8
2023-05-08 CVE-2023-31039 Unspecified vulnerability in Apache Brpc
Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary code via ServerOptions::pid_file. An attacker that can influence the ServerOptions pid_file parameter with which the bRPC server is started can execute arbitrary code with the permissions of the bRPC process. Solution: 1.
network
low complexity
apache
critical
9.8
2023-05-01 CVE-2022-45802 Unspecified vulnerability in Apache Streampark
Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later
network
low complexity
apache
critical
9.8
2023-05-01 CVE-2022-46365 Unspecified vulnerability in Apache Streampark
Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.
network
low complexity
apache
critical
9.1
2023-04-24 CVE-2023-27524 Insecure Default Initialization of Resource vulnerability in Apache Superset
Session Validation attacks in Apache Superset versions up to and including 2.0.1.
network
low complexity
apache CWE-1188
critical
9.8
2023-04-17 CVE-2023-22946 Unspecified vulnerability in Apache Spark
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges.
network
low complexity
apache
critical
9.9
2023-04-17 CVE-2023-30771 Unspecified vulnerability in Apache Iotdb web Workbench 0.13.3
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component on 0.13.3.
network
low complexity
apache
critical
9.8
2023-04-17 CVE-2023-24831 Unspecified vulnerability in Apache Iotdb 0.13.0/0.13.1/0.13.2
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization.
network
low complexity
apache
critical
9.8
2023-04-13 CVE-2022-45064 Unspecified vulnerability in Apache Sling
The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level.
network
low complexity
apache
critical
9.0
2023-04-10 CVE-2023-27602 Unspecified vulnerability in Apache Linkis
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2.  For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true`
network
low complexity
apache
critical
9.8