Vulnerabilities in Apache Software Foundation

1,894 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for a broad review rather than a one-off fix. Of particular note is CVE-2021-40438, currently the vulnerability with the highest active risk, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE-2024-27138 | HIGH | Apache Archiva: disabling user registration is not effective | EPSS 1.2%
CVE-2022-42735 | HIGH | Apache ShenYu Admin ultra vires | EPSS 1.2%
CVE-2023-51518 | CRITICAL | Apache James server: Privilege escalation via JMX pre-authentication deserialisation | EPSS 1.2%
CVE-2021-35940 | Regression of CVE-2017-12613 | EPSS 1.2%
CVE-2023-31454 | HIGH | Apache InLong: IDOR make users can bind any cluster | EPSS 1.2%
CVE-2023-31453 | HIGH | Apache InLong: IDOR make users can delete others' subscription | EPSS 1.2%
CVE-2017-9794 | When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to e | EPSS 1.2%
CVE-2022-42466 | MEDIUM | XSS vulnerability, eg for String properties. | EPSS 1.2%
CVE-2023-49736 | MEDIUM | Apache Superset: SQL Injection on where_in JINJA macro | EPSS 1.2%
CVE-2023-46749 | MEDIUM | Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting | EPSS 1.2%
CVE-2024-29831 | HIGH | Apache DolphinScheduler: RCE by arbitrary js execution | EPSS 1.2%
CVE-2024-36268 | HIGH | Apache InLong TubeMQ Client: Remote Code Execution vulnerability | EPSS 1.2%
CVE-2023-30465 | MEDIUM | Apache InLong: SQL injection in apache inLong 1.5.0 | EPSS 1.2%
CVE-2026-41602 | HIGH | Apache Thrift: Go TFramedTransport uint32 overflow | EPSS 1.2%
CVE-2022-46907 | Apache JSPWiki: XSS Injection points in several plugins | EPSS 1.2%
CVE-2023-28158 | MEDIUM | Apache Archiva privilege escalation | EPSS 1.2%
CVE-2025-64404 | HIGH | Apache OpenOffice: Remote documents loaded without prompt via background and bullet images | EPSS 1.2%
CVE-2023-31065 | CRITICAL | Apache InLong: Insufficient Session Expiration in InLong | EPSS 1.2%
CVE-2024-34365 | CRITICAL | Apache Karaf Cave: Cave SSRF and arbitrary file access | EPSS 1.2%
CVE-2022-44644 | MEDIUM | Apache Linkis (incubating): The DatasourceManager module has a Local File Read Vulnerability | EPSS 1.2%