Vulnerabilities in Apache Software Foundation

1,894 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the overall catalog average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for broad rather than one-off review. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS of 1.0 (exploitation in practice is all but certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE | Severity | Title | EPSS
CVE-2024-45219 | HIGH | Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure | 1.2%
CVE-2022-45438 | MEDIUM | Apache Superset: Dashboard metadata information leak | 1.2%
CVE-2022-37022 | | Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 11 | 1.2%
CVE-2023-46801 | HIGH | Apache Linkis DataSource: DataSource Remote code execution vulnerability | 1.2%
CVE-2023-31058 | HIGH | Apache InLong: JDBC URL bypassing by adding blanks | 1.2%
CVE-2023-43667 | HIGH | Apache InLong: Log Injection in Global functions | 1.2%
CVE-2025-61733 | HIGH | Apache Kylin: Authentication bypass | 1.2%
CVE-2023-24831 | CRITICAL | Apache IoTDB grafana-connector Login Bypass Vulnerability | 1.2%
CVE-2024-41888 | MEDIUM | Apache Answer: The link for resetting user password is not Single-Use | 1.2%
CVE-2017-3158 | | A race condition in Guacamole's terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data t | 1.2%
CVE-2018-11785 | | Missing authorization check in Apache Impala before 3.0.1 allows a Kerberos-authenticated but unauthorized user to inject random data into a | 1.2%
CVE-2019-12418 | | When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attac | 1.2%
CVE-2022-24280 | MEDIUM | Apache Pulsar Proxy target broker address isn't validated | 1.2%
CVE-2023-41752 | HIGH | Apache Traffic Server: s3_auth plugin problem with hash calculation | 1.2%
CVE-2024-26580 | CRITICAL | Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability | 1.2%
CVE-2022-34917 | HIGH | Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers | 1.2%
CVE-2017-5652 | | During a routine security analysis, it was found that one of the ports in Apache Impala (incubating) 2.7.0 to 2.8.0 sent data in plaintext e | 1.2%
CVE-2023-51441 | HIGH | Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API | 1.2%
CVE-2023-49145 | HIGH | Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt | 1.2%
CVE-2023-44483 | | Apache Santuario: Private Key disclosure in debug-log output | 1.2%