
Apache Software Foundation — Vulnerabilities & Security Advisories (1736)

Browse all 1736 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, best known for the widely deployed Apache HTTP Server and for foundational Java frameworks and libraries. Its large portfolio presents a correspondingly large attack surface: more than 1,700 CVEs are recorded against Foundation projects. Historically, the vulnerabilities most often involve remote code execution, cross-site scripting, and privilege escalation, frequently rooted in complex configuration or in input-validation failures in older components. The Foundation applies a formal security review and disclosure process, but the sheer number of projects raises the likelihood of undiscovered flaws. The best-known incident is the critical Log4j flaw (Log4Shell, CVE-2021-44228), in which attacker-controlled strings that were merely logged triggered JNDI lookups and remote code execution, underscoring the risk carried by transitive dependencies. Patching is community-driven: administrators must apply updates promptly to limit exploitation. The model is transparent, but it requires active vigilance from users to keep systems secure against evolving threats.

Found 106 results / 1736 (filtered view; 30 entries shown below)
CVE ID | Title | Product | CWE | CVSS | Severity (AI = AI-assessed, - = not rated) | Published
CVE-2024-45784 | Apache Airflow: Sensitive configuration values are not masked in the logs by default | Apache Airflow | CWE-1295 | 6.5 | Medium (AI) | 2024-11-15
CVE-2024-50378 | Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli | Apache Airflow | CWE-201 | 6.5 | - | 2024-11-08
CVE-2024-45034 | Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes | Apache Airflow | CWE-250 | 7.8 | - | 2024-09-07
CVE-2024-45498 | Apache Airflow: Command Injection in an example DAG | Apache Airflow | CWE-116 | 8.8 | - | 2024-09-07
CVE-2024-41937 | Apache Airflow: Stored XSS Vulnerability on provider link | Apache Airflow | CWE-79 | 6.1 | Medium (AI) | 2024-08-21
CVE-2024-39877 | Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler | Apache Airflow | CWE-94 | 8.8 | High (AI) | 2024-07-17
CVE-2024-39863 | Apache Airflow: Potential XSS Vulnerability | Apache Airflow | CWE-79 | 5.4 | Medium (AI) | 2024-07-17
CVE-2024-25142 | Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache | Apache Airflow | CWE-525 | 7.5 | High (AI) | 2024-06-14
CVE-2024-32077 | Apache Airflow: XSS vulnerability in Task Instance Log/Log Details | Apache Airflow | CWE-79 | 7.1 | - | 2024-05-14
CVE-2024-31869 | Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used | Apache Airflow | CWE-200 | 6.5 | - | 2024-04-18
CVE-2024-29735 | Apache Airflow: Potentially harmful permission changing by log task handler | Apache Airflow | CWE-281 | 8.1 | High (AI) | 2024-03-26
CVE-2024-28746 | Apache Airflow: Ignored Airflow Permissions | Apache Airflow | CWE-281 | 4.3 | Medium (AI) | 2024-03-14
CVE-2024-26280 | Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs) | Apache Airflow | CWE-276 | 2.7 | - | 2024-03-01
CVE-2024-27906 | Apache Airflow: Dag Code and Import Error Permissions Ignored | Apache Airflow | CWE-862 | 4.3 | - | 2024-02-29
CVE-2023-50944 | Apache Airflow: Bypass permission verification to read code of other dags | Apache Airflow | CWE-862 | 6.5 | - | 2024-01-24
CVE-2023-50943 | Apache Airflow: Potential pickle deserialization vulnerability in XComs | Apache Airflow | CWE-502 | 8.2 | - | 2024-01-24
CVE-2023-48291 | Apache Airflow: Improper access control to DAG resources | Apache Airflow | CWE-668 | 4.3 | Medium (AI) | 2023-12-21
CVE-2023-50783 | Apache Airflow: Improper access control vulnerability on the "varimport" endpoint | Apache Airflow | CWE-284 | 6.5 | Medium (AI) | 2023-12-21
CVE-2023-47265 | Apache Airflow: DAG Params allow to embed unchecked Javascript | Apache Airflow | CWE-79 | 5.4 | Medium (AI) | 2023-12-21
CVE-2023-49920 | Apache Airflow: Missing CSRF protection on DAG/trigger | Apache Airflow | CWE-352 | 8.3 | High (AI) | 2023-12-21
CVE-2023-42781 | Apache Airflow: Permission verification bypass allows viewing dagruns of other dags | Apache Airflow | CWE-200 | 4.3 | - | 2023-11-12
CVE-2023-47037 | Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access) | Apache Airflow | CWE-863 | 5.4 | - | 2023-11-12
CVE-2023-46288 | Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set | Apache Airflow | CWE-200 | 4.3 | - | 2023-10-23
CVE-2023-42663 | Apache Airflow: Bypass permission verification to view task instances of other dags | Apache Airflow | CWE-200 | 4.3 | - | 2023-10-14
CVE-2023-42792 | Apache Airflow: Improper access control to DAG resources | Apache Airflow | CWE-668 | 4.3 | - | 2023-10-14
CVE-2023-45348 | Apache Airflow: Configuration information leakage vulnerability | Apache Airflow | CWE-200 | 4.3 | - | 2023-10-14
CVE-2023-42780 | Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature | Apache Airflow | CWE-200 | 4.3 | - | 2023-10-14
CVE-2023-40712 | Apache Airflow: Secrets can be unmasked in the "Rendered Template" | Apache Airflow | CWE-200 | 4.3 | - | 2023-09-12
CVE-2023-40611 | Apache Airflow Dag Runs Broken Access Control Vulnerability | Apache Airflow | CWE-863 | 7.1 | - | 2023-09-12
CVE-2023-37379 | Apache Airflow: Exposure of sensitive connection information, DOS and SSRF on "test connection" feature | Apache Airflow | CWE-400 | 8.1 | - | 2023-08-23
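Of the weakness classes in the list above, the CWE-502 entry (CVE-2023-50943, pickle deserialization of XCom values) is the one most worth seeing in code, because its failure mode is counter-intuitive: deserialising the stored value is by itself enough to run attacker-chosen code; no application logic has to act on the value afterwards. The following is an added, generic illustration of the CWE-502 pattern in Python. It is not Airflow's code and does not reproduce the CVE; the class name MaliciousXCom, the "stored value" scenario and the eval payload are constructed for this example. The hardened loader uses the allow-list `find_class` override from the Python pickle documentation, and the JSON comparison shows the alternative of not using pickle for untrusted data at all.

```python
"""Generic CWE-502 illustration with Python pickle (not Airflow code).

Three loaders are run against the same attacker-controlled byte string:
the vulnerable pattern (pickle.loads), an allow-list Unpickler, and JSON.
"""
import io
import json
import os
import pickle


class MaliciousXCom:
    """Hypothetical object an attacker plants where pickled values are stored.

    pickle honours __reduce__, so unpickling calls the returned callable with
    the returned arguments. builtins.eval is resolvable in every process, and
    the string imports os and calls a function, standing in for any payload.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def unsafe_load(blob: bytes):
    """The vulnerable pattern: trust the stored bytes and unpickle them."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only allow-listed (module, name) globals may resolve.

    Plain data (dict, list, str, int, ...) needs no global lookup and still
    loads; any reference to a callable outside ALLOWED is rejected before the
    REDUCE opcode that would invoke it is reached.
    """

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Run all three loaders and report what happened as plain booleans."""
    results = {}
    # Constructed attacker value, as it would sit in a database row.
    blob = pickle.dumps(MaliciousXCom())
    benign = {"task": "t1", "rows": 3}

    # 1. Vulnerable: the "value" we get back is the result of running eval.
    results["unsafe_pickle_ran_payload"] = unsafe_load(blob) == os.getpid()

    # 2. Allow-list unpickler: payload rejected, ordinary data still loads.
    try:
        restricted_load(blob)
        results["restricted_pickle_rejected"] = False
    except pickle.UnpicklingError:
        results["restricted_pickle_rejected"] = True
    results["restricted_pickle_benign_ok"] = restricted_load(pickle.dumps(benign)) == benign

    # 3. JSON carries data only: an object with code hooks cannot even be
    #    serialised, so there is nothing for a loader to execute.
    try:
        json.dumps(MaliciousXCom())
        results["json_accepts_object"] = True
    except TypeError:
        results["json_accepts_object"] = False
    results["json_roundtrip"] = json.loads(json.dumps(benign))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list unpickler is a mitigation for data you must keep accepting in pickle form; it is only as safe as the list, which is why it is kept to immutable containers here. Where the producer is under your control, switching the serialisation format to JSON removes the class of bug rather than narrowing it.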

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.