Vulnerabilities > Apache > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-13 | CVE-2018-20243 | Insufficiently Protected Credentials vulnerability in Apache Fineract The implementation of POST with the username and password in the URL parameters exposed the credentials. | 7.5 |
2020-10-01 | CVE-2020-9491 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apache Nifi In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. | 7.5 |
2020-10-01 | CVE-2020-9487 | Missing Authentication for Critical Function vulnerability in Apache Nifi In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. | 7.5 |
2020-10-01 | CVE-2020-9486 | Information Exposure Through Log Files vulnerability in Apache Nifi In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. | 7.5 |
2020-10-01 | CVE-2020-11979 | As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. | 7.5 |
2020-09-30 | CVE-2020-13952 | Unspecified vulnerability in Apache Superset In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. | 8.1 |
2020-09-30 | CVE-2020-13951 | Unspecified vulnerability in Apache Openmeetings Attackers can use public NetTest web service of Apache OpenMeetings 4.0.0-5.0.0 to organize denial of service attack. | 7.5 |
2020-09-30 | CVE-2018-11765 | Improper Authentication vulnerability in Apache Hadoop In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. | 7.5 |
2020-09-17 | CVE-2020-13948 | Unspecified vulnerability in Apache Superset While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the web application process in versions < 0.37.1. | 8.8 |
2020-09-15 | CVE-2020-11977 | Unspecified vulnerability in Apache Syncope In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution. | 7.2 |