
Apache Software Foundation — Vulnerabilities & Security Advisories (1725)

Browse all 1725 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, primarily known for the widely deployed Apache HTTP Server and foundational Java frameworks. Its extensive portfolio exposes a significant attack surface, evidenced by the 1717 recorded CVEs. Historically, vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration errors or input validation failures in legacy components. While the foundation enforces rigorous security review processes, the sheer volume of projects increases the likelihood of undiscovered flaws. Notable incidents include critical flaws in Log4j, which allowed remote code execution via crafted log messages, highlighting risks in dependency management. The organization relies on community-driven patching, requiring administrators to promptly apply updates to mitigate exploitation. This model ensures transparency but demands active vigilance from users to maintain system integrity against evolving threat vectors.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-53677 | Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks | Apache Struts | - | 9.8 | - | 2024-12-11 |
| CVE-2024-53949 | Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled | Apache Superset | CWE-863 | 8.8 | - | 2024-12-09 |
| CVE-2024-53948 | Apache Superset: Error verbosity exposes metadata in analytics databases | Apache Superset | CWE-209 | 5.3 | - | 2024-12-09 |
| CVE-2024-53947 | Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions | Apache Superset | CWE-89 | 9.8 | - | 2024-12-09 |
| CVE-2024-46901 | Apache Subversion: mod_dav_svn denial-of-service via control characters in paths | Apache Subversion | CWE-20 | 3.1 | Low | 2024-12-09 |
| CVE-2022-41137 | Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore | Apache Hive | CWE-502 | 8.8 | - | 2024-12-05 |
| CVE-2024-45106 | Apache Ozone: Improper authentication when generating S3 secrets | Apache Ozone | CWE-287 | 6.8 | - | 2024-12-03 |
| CVE-2024-52338 | Apache Arrow R package: Arbitrary code execution when loading a malicious data file | Apache Arrow R package | CWE-502 | 9.8 (AI) | Critical (AI) | 2024-11-28 |
| CVE-2024-51569 | Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in Number of Completed Packets HCI event handler | Apache NimBLE | CWE-125 | 7.1 (AI) | High (AI) | 2024-11-26 |
| CVE-2024-47250 | Apache NimBLE: Lack of input validation in HCI advertising report could lead to potential out-of-bound access | Apache NimBLE | CWE-125 | 7.5 (AI) | High (AI) | 2024-11-26 |
| CVE-2024-47249 | Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in multiple advertisement handler | Apache NimBLE | CWE-129 | 6.5 (AI) | Medium (AI) | 2024-11-26 |
| CVE-2024-47248 | Apache NimBLE: Buffer overflow in NimBLE MESH Bluetooth stack | Apache NimBLE | CWE-120 | 9.8 (AI) | Critical (AI) | 2024-11-26 |
| CVE-2024-45719 | Apache Answer: Predictable Authorization Token Using UUIDv1 | Apache Answer | CWE-326 | 7.5 | - | 2024-11-22 |
| CVE-2024-52067 | Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log | Apache NiFi | CWE-532 | 4.9 (AI) | Medium (AI) | 2024-11-21 |
| CVE-2024-31141 | Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider | Apache Kafka Clients | CWE-552 | 6.5 (AI) | Medium (AI) | 2024-11-19 |
| CVE-2024-52318 | Apache Tomcat: Incorrect JSP tag recycling leads to XSS | Apache Tomcat | - | 8.2 | - | 2024-11-18 |
| CVE-2024-52317 | Apache Tomcat: Request/response mix-up with HTTP/2 | Apache Tomcat | - | 5.3 (AI) | Medium (AI) | 2024-11-18 |
| CVE-2024-52316 | Apache Tomcat: Authentication bypass when using Jakarta Authentication API | Apache Tomcat | CWE-391 | 9.1 | - | 2024-11-18 |
| CVE-2024-41151 | Apache HertzBeat: RCE by notice template injection vulnerability | Apache HertzBeat | CWE-502 | 8.8 (AI) | High (AI) | 2024-11-18 |
| CVE-2024-45791 | Apache HertzBeat: Exposure sensitive token via http GET method with query string | Apache HertzBeat | CWE-200 | 7.5 (AI) | High (AI) | 2024-11-18 |
| CVE-2024-45505 | Apache HertzBeat: Exists Native Deser RCE and file writing vulnerabilities | Apache HertzBeat | CWE-77 | 8.8 (AI) | High (AI) | 2024-11-18 |
| CVE-2024-47208 | Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE | Apache OFBiz | CWE-918 | 9.8 (AI) | Critical (AI) | 2024-11-18 |
| CVE-2024-48962 | Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE) | Apache OFBiz | CWE-94 | 8.8 (AI) | High (AI) | 2024-11-18 |
| CVE-2024-45784 | Apache Airflow: Sensitive configuration values are not masked in the logs by default | Apache Airflow | CWE-1295 | 6.5 (AI) | Medium (AI) | 2024-11-15 |
| CVE-2024-50306 | Apache Traffic Server: Server process can fail to drop privilege | Apache Traffic Server | CWE-252 | 9.8 | - | 2024-11-14 |
| CVE-2024-50305 | Apache Traffic Server: Valid Host field value can cause crashes | Apache Traffic Server | CWE-20 | 6.5 | - | 2024-11-14 |
| CVE-2024-38479 | Apache Traffic Server: Cache key plugin is vulnerable to cache poisoning attack | Apache Traffic Server | CWE-20 | 9.1 | - | 2024-11-14 |
| CVE-2024-50386 | Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure | Apache CloudStack | CWE-20 | 8.5 | High | 2024-11-12 |
| CVE-2024-50378 | Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli | Apache Airflow | CWE-201 | 6.5 | - | 2024-11-08 |
| CVE-2024-51504 | Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server | Apache ZooKeeper | CWE-290 | 9.1 (AI) | Critical (AI) | 2024-11-07 |

Values marked "(AI)" carry the page's AI badge; "-" means the page lists no value for that field.

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.