Vulnerabilidades en Apache Software Foundation

1938 resultados
Análisis Vexday

O portfólio da Apache Software Foundation acumula 1.872 CVEs catalogadas, das quais 215 são de severidade crítica e 83 contam com prova de conceito pública — fatores que ampliam a superfície de risco operacional para equipes de segurança. A taxa de exploração ativa é especialmente preocupante: 28 vulnerabilidades constam no catálogo KEV da CISA, representando uma proporção 3,3 vezes acima da média geral do catálogo, o que indica atenção consistente de agentes maliciosos ao ecossistema Apache. A falha mais comum é CWE-20 (validação inadequada de entrada), padrão estrutural que tende a se manifestar em múltiplos produtos e versões, exigindo revisão ampla e não pontual. Destaque para CVE-2021-40438, a vulnerabilidade de maior risco ativo no momento, com EPSS máximo de 1,0 — probabilidade de exploração na prática praticamente certa —, o que a torna prioridade imediata de remediação para qualquer organização que opere componentes Apache afetados.

CVE-2026-46456CRITICALApache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headersEPSS 0.2%CVE-2026-56140CRITICALApache Camel AWS2 SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling componentsEPSS 0.2%CVE-2026-56139MEDIUMApache Camel Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clientsEPSS 0.2%CVE-2026-49365Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clientsEPSS 0.2%CVE-2026-27173HIGHApache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line ArgumentsEPSS 0.2%CVE-2026-24012HIGHApache IoTDB: Denial of Service via Resource Exhaustion in Aggregation QueryEPSS 0.2%CVE-2026-45188LOWApache Kvrocks: Replication Fullsync Path Traversal via Unvalidated Filename HandlingEPSS 0.2%CVE-2026-55994HIGHApache Camel Iggy: The inbound consumer maps externally-supplied Iggy message user-headers into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling control over internal behaviourEPSS 0.2%CVE-2026-46592HIGHApache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operationEPSS 0.2%CVE-2026-46455CRITICALApache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be acceptedEPSS 0.2%CVE-2026-48205CRITICALApache Camel DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to influence internal behaviourEPSS 0.2%CVE-2026-24014CRITICALApache IoTDB: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File WriteEPSS 0.1%CVE-2026-47898MEDIUMApache Lucene.Net: XXE vulnerability in Lucene.Net.Analysis.Common PatternParserEPSS 0.1%CVE-2026-46587HIGHApache Camel: Couchbase: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted inputEPSS CVE-2026-46588HIGHApache Camel: CouchDB: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted inputEPSS CVE-2026-49297HIGHApache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)EPSS CVE-2026-43825HIGHApache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModelEPSS CVE-2026-49042HIGHApache Camel: langchain4j-tools: filter tool argument headers against declared parametersEPSS