Vulnerabilities in Apache Software Foundation
1,872 results

CVE-2018-1302 (EPSS 13.4%): When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer po
CVE-2021-36090 (EPSS 13.3%): Apache Commons Compress 1.0 to 1.20 denial of service vulnerability
CVE-2016-8743 (EPSS 13.3%): Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response li
CVE-2017-5648 (EPSS 13.2%): While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.
CVE-2021-35516 (EPSS 12.7%): Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
CVE-2018-8037 (EPSS 12.1%): If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed
CVE-2021-35515 (EPSS 11.9%): Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
CVE-2020-13938 (EPSS 11.8%): Improper Handling of Insufficient Privileges
CVE-2018-8007 (EPSS 11.7%): Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied
CVE-2021-26117 (EPSS 11.2%): ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind
CVE-2017-5653 (EPSS 11.2%): JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypt
CVE-2023-22884 (CRITICAL, EPSS 11.1%): Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow
CVE-2021-42340 (EPSS 11.0%): DoS via memory leak with WebSocket connections
CVE-2021-35517 (EPSS 10.9%): Apache Commons Compress 1.1 to 1.20 denial of service vulnerability
CVE-2017-9787 (EPSS 10.8%): When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Stru
CVE-2018-11780 (EPSS 10.8%): A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
CVE-2018-8038 (EPSS 10.7%): Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider
CVE-2019-17563 (EPSS 10.7%): When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an
CVE-2021-29425 (EPSS 10.6%): Possible limited path traversal vulnerability in Apache Commons IO
CVE-2016-8749 (EPSS 10.6%): Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.