Vulnerabilities in Apache Software Foundation
1,872 results

CVE-2017-15701 — In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frame… — EPSS 4.4%
CVE-2021-23901 — An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser — EPSS 4.4%
CVE-2021-41973 — Apache MINA HTTP listener DOS — EPSS 4.3%
CVE-2020-17513 — In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. — EPSS 4.3%
CVE-2022-23223 — Apache ShenYu Password leakage — EPSS 4.3%
CVE-2022-26612 — Arbitrary file write in FileUtil#unpackEntries on Windows — EPSS 4.3%
CVE-2021-23937 — DNS proxy and possible amplification attack — EPSS 4.3%
CVE-2018-8020 — Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lis… — EPSS 4.2%
CVE-2017-7676 — Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can re… — EPSS 4.2%
CVE-2021-30179 — Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter — EPSS 4.2%
CVE-2025-31651 (CRITICAL) — Apache Tomcat: Bypass of rules in Rewrite Valve — EPSS 4.2%
CVE-2017-9795 — When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster m… — EPSS 4.2%
CVE-2024-40725 (MEDIUM) — Apache HTTP Server: source code disclosure with handlers configured via AddType — EPSS 4.1%
CVE-2018-17198 — Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller 5.2.1, 5.2.0 and earlier unsupported versions relies… — EPSS 4.1%
CVE-2017-5662 — In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send malicio… — EPSS 4.1%
CVE-2021-37578 — Remote code execution via RMI — EPSS 4.1%
CVE-2018-8019 — When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allo… — EPSS 4.1%
CVE-2020-13924 — In Apache Ambari versions 2.6.2.2 and earlier, malicious users can construct file names for directory traversal and traverse to other direct… — EPSS 4.0%
CVE-2022-29599 — Commandline class shell injection vulnerabilities — EPSS 4.0%
CVE-2021-33191 — MiNiFi CPP arbitrary script execution is possible on the agent's host machine through the c2 protocol — EPSS 4.0%