Vulnerabilities > Apache > Medium

DATE  CVE  VULNERABILITY TITLE  RISK
(each entry lists its description, then attack vector, attack complexity, tags and risk score)

2022-09-23  CVE-2022-33681  Improper Certificate Validation vulnerability in Apache Pulsar
    Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy makes each client vulnerable to a man-in-the-middle attack.
    Attack vector: network | Attack complexity: high | Tags: apache, CWE-295 | Risk: 5.9

2022-09-23  CVE-2022-33682  Improper Certificate Validation vulnerability in Apache Pulsar
    TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client, leaving intra-cluster connections and geo-replication connections vulnerable to man-in-the-middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients.
    Attack vector: network | Attack complexity: high | Tags: apache, CWE-295 | Risk: 5.9

2022-09-23  CVE-2022-33683  Improper Certificate Validation vulnerability in Apache Pulsar
    Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration.
    Attack vector: network | Attack complexity: high | Tags: apache, CWE-295 | Risk: 5.9

2022-09-22  CVE-2022-38398  Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics
    The vulnerability allows an attacker to load a URL through the jar protocol.
    Attack vector: network | Attack complexity: low | Tags: apache, debian | Risk: 5.3

2022-09-22  CVE-2022-38648  Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics
    The vulnerability allows an attacker to fetch external resources.
    Attack vector: network | Attack complexity: low | Tags: apache, debian | Risk: 5.3

2022-09-21  CVE-2022-40754  Open Redirect vulnerability in Apache Airflow
    In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.
    Attack vector: network | Attack complexity: low | Tags: apache, CWE-601 | Risk: 6.1

2022-09-02  CVE-2022-25370  Cross-site Scripting vulnerability in Apache OFBiz
    Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports.
    Attack vector: network | Attack complexity: low | Tags: apache, CWE-79 | Risk: 5.4

2022-09-02  CVE-2022-38170  Incorrect Permission Assignment for Critical Resource vulnerability in Apache Airflow
    In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag. This could result in a race condition that left world-writable files in the Airflow home directory, allowing local users to expose arbitrary file contents via the webserver.
    Attack vector: local | Attack complexity: high | Tags: apache, CWE-732 | Risk: 4.7

2022-08-31  CVE-2022-37023  Deserialization of Untrusted Data vulnerability in Apache Geode
    Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using the REST API on Java 8 or Java 11.
    Attack vector: network | Attack complexity: low | Tags: apache, CWE-502 | Risk: 6.5

2022-08-24  CVE-2021-4040  Out-of-bounds Write vulnerability in multiple products
    A flaw was found in AMQ Broker.
    Attack vector: network | Attack complexity: low | Tags: redhat, apache, CWE-787 | Risk: 5.3