Apache vulnerabilities rated High

Each entry lists: DATE | CVE | VULNERABILITY TITLE | ATTACK VECTOR, COMPLEXITY | VENDOR (CWE where assigned) | RISK SCORE, followed by the description.

2023-12-22 | CVE-2023-51650 | Unspecified vulnerability in Apache Hertzbeat | network, low complexity | apache | 7.5
    Hertzbeat is an open source, real-time monitoring system.

2023-12-22 | CVE-2022-39337 | Unspecified vulnerability in Apache Hertzbeat | network, low complexity | apache | 7.5
    Hertzbeat is an open source, real-time monitoring system with custom monitoring, a high-performance cluster, and a Prometheus-like, agentless design.

2023-12-20 | CVE-2023-37544 | Unspecified vulnerability in Apache Pulsar | network, low complexity | apache | 7.5
    Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, and 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

2023-12-19 | CVE-2023-43826 | Unspecified vulnerability in Apache Guacamole | network, low complexity | apache | 8.8
    Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow.

2023-12-19 | CVE-2023-49736 | Unspecified vulnerability in Apache Superset | network, low complexity | apache | 8.8
    A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset. This issue affects Apache Superset: before 2.1.2, and from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.

2023-12-18 | CVE-2023-41314 | Unspecified vulnerability in Apache Doris | network, low complexity | apache | 8.2
    The APIs /api/snapshot and /api/get_log_file allow unauthenticated access. This could allow a DoS attack or retrieval of arbitrary files from the FE node. Please upgrade to 2.0.3 to fix these issues.

2023-12-15 | CVE-2023-49898 | Unspecified vulnerability in Apache Streampark 2.0.0/2.1.0/2.1.1 | network, low complexity | apache | 7.2
    In streampark, there is a project module that integrates Maven's compilation capability.

2023-12-05 | CVE-2023-41835 | Incomplete Cleanup vulnerability in Apache Struts | network, low complexity | apache (CWE-459) | 7.5
    When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the uploaded files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.

2023-11-30 | CVE-2023-49735 | Unspecified vulnerability in Apache Tiles 2.0 | network, low complexity | apache | 7.5
    ** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key.

2023-11-28 | CVE-2022-41678 | Unspecified vulnerability in Apache Activemq | network, low complexity | apache | 8.8
    Once a user is authenticated on Jolokia, they can potentially trigger arbitrary code execution. In detail, in ActiveMQ configurations, Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia; org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create a JmxRequest through JSONObject.