
Apache Software Foundation — Vulnerabilities & Security Advisories (1725)

Browse all 1725 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, primarily known for the widely deployed Apache HTTP Server and foundational Java frameworks. Its extensive portfolio exposes a significant attack surface, evidenced by the 1717 recorded CVEs. Historically, vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration errors or input validation failures in legacy components. While the foundation enforces rigorous security review processes, the sheer volume of projects increases the likelihood of undiscovered flaws. Notable incidents include critical flaws in Log4j, which allowed remote code execution via crafted log messages, highlighting risks in dependency management. The organization relies on community-driven patching, requiring administrators to promptly apply updates to mitigate exploitation. This model ensures transparency but demands active vigilance from users to maintain system integrity against evolving threat vectors.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-46851 | Apache Allura: sensitive information exposure via import | Apache Allura | CWE-20 | 9.8 | - | 2023-11-07 |
| CVE-2023-46215 | Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend | Apache Airflow Celery provider | CWE-532 | 7.5 | - | 2023-10-28 |
| CVE-2023-46604 | Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack | Apache ActiveMQ | CWE-502 | 10.0 | Critical | 2023-10-27 |
| CVE-2023-46288 | Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set | Apache Airflow | CWE-200 | 4.3 | - | 2023-10-23 |
| CVE-2023-31122 | Apache HTTP Server: mod_macro buffer over-read | Apache HTTP Server | CWE-125 | 7.5 | - | 2023-10-23 |
| CVE-2023-43622 | Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 | Apache HTTP Server | CWE-400 | 7.5 | - | 2023-10-23 |
| CVE-2023-45802 | Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST | Apache HTTP Server | CWE-404 | 5.9 | - | 2023-10-23 |
| CVE-2023-44483 | Apache Santuario: Private Key disclosure in debug-log output | Apache Santuario | CWE-532 | 7.5 | - | 2023-10-20 |
| CVE-2023-46227 | Apache inlong has an Arbitrary File Read Vulnerability | Apache InLong | CWE-502 | 9.8 | - | 2023-10-19 |
| CVE-2023-25753 | Server-Side Request Forgery in Apache ShenYu | Apache ShenYu | CWE-918 | 9.1 | - | 2023-10-19 |
| CVE-2023-39456 | Apache Traffic Server: Malformed http/2 frames can cause an abort | Apache Traffic Server | CWE-20 | 7.5 | - | 2023-10-17 |
| CVE-2023-41752 | Apache Traffic Server: s3_auth plugin problem with hash calculation | Apache Traffic Server | CWE-200 | 7.5 | - | 2023-10-17 |
| CVE-2023-43666 | Apache InLong: General user Unauthorized access User Management | Apache InLong | CWE-345 | 6.5 | - | 2023-10-16 |
| CVE-2023-43667 | Apache InLong: Log Injection in Global functions | Apache InLong | CWE-74 | 5.3 | - | 2023-10-16 |
| CVE-2023-43668 | Apache InLong: Jdbc Connection Security Bypass in InLong | Apache InLong | CWE-639 | 9.8 | - | 2023-10-16 |
| CVE-2023-45757 | Apache bRPC: The builtin service rpcz page has an XSS attack vulnerability | Apache bRPC | CWE-79 | 6.1 | - | 2023-10-16 |
| CVE-2023-42663 | Apache Airflow: Bypass permission verification to view task instances of other dags | Apache Airflow | CWE-200 | 4.3 | - | 2023-10-14 |
| CVE-2023-42792 | Apache Airflow: Improper access control to DAG resources | Apache Airflow | CWE-668 | 4.3 | - | 2023-10-14 |
| CVE-2023-45348 | Apache Airflow: Configuration information leakage vulnerability | Apache Airflow | CWE-200 | 4.3 | - | 2023-10-14 |
| CVE-2023-42780 | Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature | Apache Airflow | CWE-200 | 4.3 | - | 2023-10-14 |
| CVE-2023-44981 | Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication | Apache ZooKeeper | CWE-639 | 9.1 | - | 2023-10-11 |
| CVE-2023-45648 | Apache Tomcat: Trailer header parsing too lenient | Apache Tomcat | CWE-20 | 7.5 | - | 2023-10-10 |
| CVE-2023-42795 | Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests | Apache Tomcat | CWE-459 | 5.3 | - | 2023-10-10 |
| CVE-2023-42794 | Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows | Apache Tomcat | CWE-459 | 7.5 | - | 2023-10-10 |
| CVE-2023-39410 | Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK | Apache Avro Java SDK | CWE-502 | 7.5 | - | 2023-09-29 |
| CVE-2023-41834 | Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences | Apache Flink Stateful Functions | CWE-113 | 5.4 | - | 2023-09-19 |
| CVE-2023-41267 | Apache HDFS Provider error message suggested installation of incorrect pip package | Apache Airflow HDFS Provider | CWE-829 | 8.8 | - | 2023-09-14 |
| CVE-2023-42503 | Apache Commons Compress: Denial of service via CPU consumption for malformed TAR file | Apache Commons Compress | CWE-20 | 7.5 | - | 2023-09-14 |
| CVE-2023-41081 | Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request | Apache Tomcat Connectors | - | 6.5 | - | 2023-09-13 |
| CVE-2023-40712 | Apache Airflow: Secrets can be unmasked in the "Rendered Template" | Apache Airflow | CWE-200 | 4.3 | - | 2023-09-12 |

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.