Vulnerabilities in Apache Software Foundation

1899 results
Vexday Analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for a broad review rather than point fixes. CVE-2021-40438 stands out as the highest active-risk vulnerability at the moment, with a maximum EPSS of 1.0, meaning exploitation in practice is virtually certain, which makes it an immediate remediation priority for any organization running affected Apache components.

CVE ID | Severity | Title | EPSS
CVE-2024-45031 | MEDIUM | Apache Syncope: Stored XSS in Console and Enduser | EPSS 0.6%
CVE-2026-23969 | MEDIUM | Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering | EPSS 0.6%
CVE-2025-30677 | MEDIUM | Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors | EPSS 0.6%
CVE-2018-11760 | - | When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark | EPSS 0.6%
CVE-2024-45720 | HIGH | Apache Subversion: Command line argument injection on Windows platforms | EPSS 0.6%
CVE-2025-33042 | HIGH | Apache Avro Java SDK: Code injection on Java generated code | EPSS 0.6%
CVE-2024-53868 | HIGH | Apache Traffic Server: Malformed chunked message body allows request smuggling | EPSS 0.6%
CVE-2026-44185 | HIGH | Apache HTTP Server: Stack Buffer Over-Read in mod_ssl OCSP `send_request` | EPSS 0.6%
CVE-2025-59390 | CRITICAL | Apache Druid: Kerberos authentication chooses a cryptographically unsecure secret if not configured explicitly. | EPSS 0.6%
CVE-2024-47249 | MEDIUM | Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in multiple advertisement handler | EPSS 0.6%
CVE-2025-66249 | MEDIUM | Apache Livy: Unauthorized directory access | EPSS 0.6%
CVE-2022-33682 | MEDIUM | Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack | EPSS 0.6%
CVE-2017-12618 | - | Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by apr_sdbm*() functio | EPSS 0.6%
CVE-2025-26521 | HIGH | Apache CloudStack: CKS cluster in project exposes user API keys | EPSS 0.6%
CVE-2026-29169 | HIGH | Apache HTTP Server: mod_dav_lock indirect lock crash | EPSS 0.6%
CVE-2023-39441 | - | Apache Airflow SMTP Provider, Apache Airflow IMAP Provider, Apache Airflow: SMTP/IMAP client components allowed MITM due to missing Certificate Validation | EPSS 0.6%
CVE-2025-50213 | CRITICAL | Apache Airflow Providers Snowflake: Potential SQL injection in CopyFromExternalStageToSnowflakeOperator | EPSS 0.6%
CVE-2022-38170 | - | Overly permissive umask for daemons | EPSS 0.6%
CVE-2026-41603 | HIGH | Apache Thrift: Java TSSLTransportFactory hostname verification | EPSS 0.6%
CVE-2026-33858 | HIGH | Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API | EPSS 0.6%