| 2021-01-14 | CVE-2021-24122 | Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. | 5.9 |
| 2021-01-11 | CVE-2020-13922 | Incorrect Default Permissions vulnerability in Apache Dolphinscheduler 1.2.0/1.2.1/1.3.1
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface. | 6.5 |
| 2020-12-18 | CVE-2020-17520 | Unspecified vulnerability in Apache Pulsar Manager 0.1.0
In the Pulsar manager 0.1.0 version, malicious users will be able to bypass pulsar-manager's admin, permission verification mechanism by constructing special URLs, thereby accessing any HTTP API. | 6.5 |
| 2020-12-14 | CVE-2020-17513 | Server-Side Request Forgery (SSRF) vulnerability in Apache Airflow
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. | 5.3 |
| 2020-12-14 | CVE-2020-17511 | Cleartext Storage of Sensitive Information vulnerability in Apache Airflow
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. | 6.5 |
| 2020-12-11 | CVE-2020-17515 | Cross-site Scripting vulnerability in Apache Airflow
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. | 6.1 |
| 2020-12-07 | CVE-2020-17521 | Apache Groovy provides extension methods to aid with creating temporary directories. | 5.5 |
| 2020-12-07 | CVE-2020-13945 | Unspecified vulnerability in Apache Apisix
In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. | 6.5 |
| 2020-12-02 | CVE-2020-13956 | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. | 5.3 |
| 2020-11-28 | CVE-2020-27218 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. | 4.8 |