Vulnerabilities in Apache Software Foundation

1,894 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities are listed in CISA's KEV catalog, a proportion 3.3 times above the catalog-wide average, which indicates consistent attention to the Apache ecosystem from malicious actors. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for broad rather than one-off review. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS score of 1.0 (exploitation in practice is practically certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE-2024-28746 | HIGH | Apache Airflow: Ignored Airflow Permissions | EPSS 1.3%
CVE-2023-24830 | HIGH | Apache IoTDB Workbench: apache/iotdb-web-workbench: create a user without authorization | EPSS 1.3%
CVE-2022-26112 | CRITICAL | Pinot query endpoint and the realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support | EPSS 1.3%
CVE-2024-27139 | HIGH | Apache Archiva: incorrect authentication potentially leading to account takeover | EPSS 1.3%
CVE-2022-47894 | MEDIUM | Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE | EPSS 1.3%
CVE-2023-22665 | (no severity listed) | Apache Jena: Exposure of arbitrary execution in script engine expressions. | EPSS 1.3%
CVE-2023-34434 | HIGH | Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param | EPSS 1.3%
CVE-2024-23673 | HIGH | Apache Sling Servlets Resolver: Malicious code execution via path traversal | EPSS 1.3%
CVE-2016-8737 | (no severity listed) | In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web sit | EPSS 1.3%
CVE-2025-64403 | HIGH | Apache OpenOffice: Remote documents loaded without prompt via "external data sources" in Calc | EPSS 1.3%
CVE-2024-31868 | MEDIUM | Apache Zeppelin: XSS vulnerability in the helium module | EPSS 1.3%
CVE-2018-8028 | (no severity listed) | An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry before 2.0.1. This can allow an | EPSS 1.3%
CVE-2022-45802 | CRITICAL | Apache StreamPark (incubating): Upload any file to any directory | EPSS 1.3%
CVE-2023-50270 | MEDIUM | Apache DolphinScheduler: Session do not expire after password change | EPSS 1.3%
CVE-2023-40611 | MEDIUM | Apache Airflow Dag Runs Broken Access Control Vulnerability | EPSS 1.3%
CVE-2024-24780 | CRITICAL | Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function | EPSS 1.3%
CVE-2023-31103 | HIGH | Apache InLong: Attackers can change the immutable name and type of cluster | EPSS 1.3%
CVE-2022-43718 | MEDIUM | Apache Superset: Cross-Site Scripting vulnerability on upload forms | EPSS 1.3%
CVE-2021-36152 | (no severity listed) | Insecure TrustManager used in LDAP connections | EPSS 1.3%
CVE-2022-32749 | HIGH | Apache Traffic Server: Improperly handled requests can cause crashes in specific plugins | EPSS 1.3%