Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2024-01-24 CVE-2023-50943 Deserialization of Untrusted Data vulnerability in Apache Airflow
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization.
network
low complexity
apache CWE-502
7.5
2024-01-06 CVE-2023-51441 Unspecified vulnerability in Apache Axis
** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java.
network
low complexity
apache
7.2
2024-01-03 CVE-2023-51785 Unspecified vulnerability in Apache Inlong 1.7.0/1.8.0/1.9.0
Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/9331
network
low complexity
apache
7.5
2023-12-30 CVE-2023-49299 Unspecified vulnerability in Apache Dolphinscheduler
Improper Input Validation vulnerability in Apache DolphinScheduler.
network
low complexity
apache
8.8
2023-12-29 CVE-2023-47804 Argument Injection or Modification vulnerability in Apache Openoffice
Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments.
network
low complexity
apache CWE-88
8.8
2023-12-26 CVE-2023-50968 Server-Side Request Forgery (SSRF) vulnerability in Apache Ofbiz
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
network
low complexity
apache CWE-918
7.5
2023-12-22 CVE-2023-51387 Unspecified vulnerability in Apache Hertzbeat
Hertzbeat is an open source, real-time monitoring system.
network
low complexity
apache
8.8
2023-12-22 CVE-2023-51650 Unspecified vulnerability in Apache Hertzbeat
Hertzbeat is an open source, real-time monitoring system.
network
low complexity
apache
7.5
2023-12-22 CVE-2022-39337 Unspecified vulnerability in Apache Hertzbeat
Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless.
network
low complexity
apache
7.5
2023-12-20 CVE-2023-37544 Unspecified vulnerability in Apache Pulsar
Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.
network
low complexity
apache
7.5