Vulnerabilities > Apache > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-10 | CVE-2023-22832 | XXE vulnerability in Apache Nifi The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. | 7.5 |
| 2023-02-07 | CVE-2023-25194 | Unspecified vulnerability in Apache Kafka Connect A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0. When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath. Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. | 8.8 |
| 2023-02-04 | CVE-2022-45786 | Unspecified vulnerability in Apache AGE There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. | 8.1 |
| 2023-02-01 | CVE-2023-24977 | Unspecified vulnerability in Apache Inlong Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7214 https://github.com/apache/inlong/pull/7214 to solve it. | 7.5 |
| 2023-01-31 | CVE-2022-44645 | Unspecified vulnerability in Apache Linkis In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. | 8.8 |
| 2023-01-31 | CVE-2023-24829 | Unspecified vulnerability in Apache Iotdb 0.13.0/0.13.1/0.13.2 Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. | 8.8 |
| 2023-01-30 | CVE-2023-24830 | Unspecified vulnerability in Apache Iotdb 0.13.0/0.13.1/0.13.2 Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3. | 7.5 |
| 2023-01-17 | CVE-2006-20001 | Unspecified vulnerability in Apache Http Server A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. | 7.5 |
| 2023-01-16 | CVE-2022-43719 | Unspecified vulnerability in Apache Superset Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. | 8.8 |
| 2023-01-14 | CVE-2023-22602 | When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. | 7.5 |