Vulnerabilities > Apache > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-24 | CVE-2023-50943 | Deserialization of Untrusted Data vulnerability in Apache Airflow Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. | 7.5 |
2024-01-06 | CVE-2023-51441 | Unspecified vulnerability in Apache Axis ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. | 7.2 |
2024-01-03 | CVE-2023-51785 | Unspecified vulnerability in Apache Inlong 1.7.0/1.8.0/1.9.0 Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331 | 7.5 |
2023-12-30 | CVE-2023-49299 | Unspecified vulnerability in Apache Dolphinscheduler Improper Input Validation vulnerability in Apache DolphinScheduler. | 8.8 |
2023-12-29 | CVE-2023-47804 | Argument Injection or Modification vulnerability in Apache Openoffice Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. | 8.8 |
2023-12-26 | CVE-2023-50968 | Server-Side Request Forgery (SSRF) vulnerability in Apache Ofbiz Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue. | 7.5 |
2023-12-22 | CVE-2023-51387 | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system. | 8.8 |
2023-12-22 | CVE-2023-51650 | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system. | 7.5 |
2023-12-22 | CVE-2022-39337 | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. | 7.5 |
2023-12-20 | CVE-2023-37544 | Unspecified vulnerability in Apache Pulsar Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions. | 7.5 |