Vulnerabilities in Apache Software Foundation

1,894 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The active exploitation rate is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for a broad review rather than a one-off fix. Of particular note is CVE-2021-40438, currently the vulnerability with the highest active risk, with a maximum EPSS of 1.0 (exploitation in practice virtually certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE-2025-27017 (MEDIUM): Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record (EPSS 1.1%)
CVE-2024-56373 (HIGH): Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information (EPSS 1.1%)
CVE-2021-37839: Improper access to dataset metadata information (EPSS 1.1%)
CVE-2023-49620: Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized for (EPSS 1.1%)
CVE-2024-23953 (MEDIUM): Apache Hive: Timing Attack Against Signature in LLAP util (EPSS 1.1%)
CVE-2024-26579 (CRITICAL): Apache Inlong JDBC Vulnerability (EPSS 1.1%)
CVE-2024-31141 (MEDIUM): Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider (EPSS 1.1%)
CVE-2023-25601: Apache DolphinScheduler 3.0.0 to 3.1.1 python gateway has improper authentication (EPSS 1.1%)
CVE-2022-45048 (HIGH): Apache Ranger: code execution vulnerability in policy expressions (EPSS 1.1%)
CVE-2022-34870 (MEDIUM): Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application (EPSS 1.1%)
CVE-2022-45064 (HIGH): Apache Sling Engine: Include-based XSS (EPSS 1.1%)
CVE-2022-46870 (MEDIUM): Apache Zeppelin: Stored XSS in note permissions (EPSS 1.1%)
CVE-2024-29737 (HIGH): Apache StreamPark (incubating): maven build params could trigger remote command execution (EPSS 1.1%)
CVE-2023-34981 (HIGH): Apache Tomcat: AJP response header mix-up (EPSS 1.1%)
CVE-2024-27309 (HIGH): Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode (EPSS 1.1%)
CVE-2023-30576 (MEDIUM): Apache Guacamole: Use-after-free in handling of RDP audio input buffer (EPSS 1.1%)
CVE-2023-31101: Apache InLong: Users who joined later can see the data of deleted users (EPSS 1.1%)
CVE-2022-37435: Apache ShenYu Admin Improper Privilege Management (EPSS 1.1%)
CVE-2023-22946 (MEDIUM): Apache Spark proxy-user privilege escalation from malicious configuration class (EPSS 1.1%)
CVE-2026-42253 (MEDIUM): Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties (EPSS 1.1%)