Vulnerabilities in Apache Software Foundation

1,895 results
Vexday analysis

The Apache Software Foundation portfolio has 1,872 catalogued CVEs, of which 215 are rated critical and 83 have a public proof of concept, factors that enlarge the operational risk surface for security teams. The rate of active exploitation is especially worrying: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates sustained attention from threat actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with the maximum EPSS score of 1.0, meaning exploitation in practice is all but certain; it should be the immediate remediation priority for any organization running the affected Apache components.

CVE-2023-26512 (CRITICAL): Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data [EPSS 1.0%]
CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger [EPSS 1.0%]
CVE-2024-29736 (HIGH): Apache CXF: SSRF vulnerability via WADL stylesheet parameter [EPSS 1.0%]
CVE-2018-11790: When loading a document with Apache Open Office 4.1.5 and earlier with smaller end line termination than the operating system uses, the defe… [EPSS 1.0%]
CVE-2024-27349 (CRITICAL): Apache HugeGraph-Server: Bypass whitelist in Auth mode [EPSS 1.0%]
CVE-2022-32531 (MEDIUM): Apache BookKeeper: Java Client Uses Connection to Host that Failed Hostname Verification [EPSS 1.0%]
CVE-2018-20245: The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper chec… [EPSS 1.0%]
CVE-2023-41313 (CRITICAL): Apache Doris: Timing Attack weakness [EPSS 1.0%]
CVE-2023-51785 (HIGH): Apache InLong: Arbitrary File Read Vulnerability in Apache InLong Manager [EPSS 1.0%]
CVE-2026-35337 (HIGH): Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling [EPSS 1.0%]
CVE-2023-43668: Apache InLong: Jdbc Connection Security Bypass in InLong [EPSS 1.0%]
CVE-2023-42505 (MEDIUM): Apache Superset: Sensitive information disclosure on db connection details [EPSS 1.0%]
CVE-2024-36264 (CRITICAL): Apache Submarine Commons Utils: default secret [EPSS 1.0%]
CVE-2024-31863 (MEDIUM): Apache Zeppelin: Replacing other users notebook, bypassing any permissions [EPSS 1.0%]
CVE-2016-3083: Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the… [EPSS 1.0%]
CVE-2023-43701 (MEDIUM): Apache Superset: Stored XSS on API endpoint [EPSS 1.0%]
CVE-2024-28168 (HIGH): Apache XML Graphics FOP: XML External Entity (XXE) Processing [EPSS 1.0%]
CVE-2024-39863 (HIGH): Apache Airflow: Potential XSS Vulnerability [EPSS 1.0%]
CVE-2024-27347 (MEDIUM): Apache HugeGraph-Hubble: SSRF in Hubble connection page [EPSS 1.0%]
CVE-2022-43721 (MEDIUM): Apache Superset: Open Redirect Vulnerability [EPSS 1.0%]
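The triage order the analysis implies (KEV membership first, then severity, then EPSS) applied to the run-together listing format this page exports, as an added example; this is not Vexday's code nor code from any Apache project. The parser assumes the entry layout visible in the listing (CVE id, optional severity word, title, then "EPSS n%" with no separators), the sample string is a constructed copy of five entries from this page, and the KEV set is an input the caller loads from CISA's feed; the one used in the usage line is hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Severity words as they appear in the listing; entries with no word rank lowest.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, None: 0}

# Entry layout assumed from the page: "<CVE id><SEVERITY?><title>EPSS <n>%", no separators.
ENTRY_RE = re.compile(
    r"(?P<cve>CVE-\d{4}-\d{4,})"
    r"(?P<sev>CRITICAL|HIGH|MEDIUM|LOW)?"
    r"(?P<title>.*?)"
    r"EPSS\s*(?P<epss>\d+(?:\.\d+)?)%",
    re.DOTALL,
)


@dataclass(frozen=True)
class Entry:
    cve: str
    severity: Optional[str]
    title: str
    epss: float  # probability in [0, 1]; the listing prints it as a percentage


def parse_listing(text: str) -> list:
    """Split the run-together listing into structured entries."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append(
            Entry(
                cve=m["cve"],
                severity=m["sev"],
                title=" ".join(m["title"].split()),  # collapse stray line breaks
                epss=float(m["epss"]) / 100.0,
            )
        )
    return entries


def triage_key(entry: Entry, kev: set) -> tuple:
    """Sort key: KEV membership outranks severity, which outranks EPSS; newest id breaks ties."""
    return (entry.cve in kev, SEVERITY_RANK[entry.severity], entry.epss, entry.cve)


def triage(entries, kev: set) -> list:
    """Return entries in remediation order, highest priority first."""
    return sorted(entries, key=lambda e: triage_key(e, kev), reverse=True)


def product_of(title: str) -> str:
    """Heuristic product name: text before the first colon, else the first two words."""
    head = title.split(":", 1)[0] if ":" in title else " ".join(title.split()[:2])
    return head.strip()


def count_by_product(entries) -> Counter:
    """How many listed entries each (heuristically named) product accounts for."""
    return Counter(product_of(e.title) for e in entries)


# Constructed sample: five entries copied from the flattened listing on this page,
# including the line break the export inserted mid-title.
SAMPLE = (
    "CVE-2023-26512CRITICALApache EventMesh RabbitMQ-Connector plugin allows RCE "
    "through deserialization of untrusted dataEPSS 1.0%"
    "CVE-2023-49920Apache Airflow: Missing CSRF protection on DAG/triggerEPSS 1.0%"
    "CVE-2024-29736HIGHApache CXF: SSRF vulnerability via WADL stylesheet parameterEPSS 1.0%"
    "CVE-2022-32531MEDIUMApache BookKeeper: Java Client Uses Connection to Host that\n"
    "Failed Hostname VerificationEPSS 1.0%"
    "CVE-2023-42505MEDIUMApache Superset: Sensitive information disclosure on db "
    "connection detailsEPSS 1.0%"
)

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    # Hypothetical KEV set for illustration only; load the real one from CISA's JSON feed.
    hypothetical_kev = {"CVE-2022-32531"}
    for e in triage(parsed, hypothetical_kev):
        flag = "KEV" if e.cve in hypothetical_kev else "   "
        print(f"{flag} {e.cve} {e.severity or '-':8} EPSS={e.epss:.3f} {e.title}")
    print(count_by_product(parsed))
```

With the hypothetical KEV set the MEDIUM BookKeeper entry moves to the top of the order, ahead of the CRITICAL EventMesh RCE, which is the point of putting confirmed exploitation above vendor severity; with an empty KEV set the order falls back to severity, then EPSS, and the Airflow entry with no severity word lands last rather than being silently dropped.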