Vulnerabilities in Apache Software Foundation

1,894 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are rated critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for a broad review rather than a one-off fix. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0 (exploitation in practice is all but certain), which makes it an immediate remediation priority for any organization running the affected Apache components.

CVE | Severity | Description | EPSS
CVE-2018-1286 | | In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to d | 1.1%
CVE-2024-31411 | MEDIUM | Apache StreamPipes: Potential remote code execution (RCE) via file upload | 1.1%
CVE-2017-12630 | | In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effe | 1.1%
CVE-2022-38370 | | No authorization of DatabaseConnectController in grafana-connector. | 1.1%
CVE-2017-7661 | | Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request For | 1.1%
CVE-2024-23537 | HIGH | Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role. | 1.1%
CVE-2022-45801 | | Apache StreamPark (incubating): LDAP Injection Vulnerability | 1.1%
CVE-2022-37392 | MEDIUM | Apache Traffic Server: Improperly reading the client requests | 1.1%
CVE-2023-35701 | MEDIUM | Apache Hive: Arbitrary command execution via JDBC driver | 1.1%
CVE-2022-45135 | CRITICAL | Apache Cocoon: SQL injection in DatabaseCookieAuthenticatorAction | 1.1%
CVE-2023-33008 | MEDIUM | Apache Johnzon: Prevent inefficient internal conversion from BigDecimal at large scale | 1.1%
CVE-2023-31469 | HIGH | Apache StreamPipes: Privilege escalation through non-admin user | 1.1%
CVE-2024-43394 | HIGH | Apache HTTP Server: SSRF on Windows due to UNC paths | 1.1%
CVE-2023-29032 | HIGH | Apache OpenMeetings: allows bypass authentication | 1.1%
CVE-2024-47552 | CRITICAL | Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server | 1.1%
CVE-2023-33934 | CRITICAL | Apache Traffic Server: Differential fuzzing for HTTP request parsing discrepancies | 1.1%
CVE-2024-35296 | HIGH | Apache Traffic Server: Invalid Accept-Encoding can force forwarding requests | 1.1%
CVE-2025-54812 | LOW | Apache Log4cxx: Improper HTML escaping in HTMLLayout | 1.1%
CVE-2024-21742 | MEDIUM | Apache James Mime4J: Mime4J DOM header injection | 1.1%
CVE-2022-40743 | MEDIUM | Apache Traffic Server: Security issues with the xdebug plugin | 1.1%