
Apache Software Foundation — Vulnerabilities & Security Advisories (1725)

Browse all 1725 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software and is best known for the widely deployed Apache HTTP Server and for foundational Java frameworks and libraries. Its large portfolio presents a correspondingly large attack surface, reflected in the 1725 CVEs recorded here. Historically, the most common classes are remote code execution, cross-site scripting and privilege escalation, often rooted in configuration complexity or input validation failures in older components. The foundation runs a formal security review and disclosure process, but the sheer number of projects makes undiscovered flaws likely. The most prominent incident is the Log4j vulnerability, which allowed remote code execution via crafted log messages; it shows how a single transitive dependency can expose an entire estate, and why an accurate dependency inventory matters. Fixes are shipped by each project's community, so administrators must track advisories and apply updates promptly. The model is transparent, but it places the burden of vigilance on users to keep their systems patched against current threats.

Found 106 results of 1725 (filtered to Apache Airflow; the first 30 are listed below)
CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2023-40273 | Session fixation in Apache Airflow web interface | Apache Airflow | CWE-384 | 8.8 | - | 2023-08-23
CVE-2023-39508 | Apache Airflow: Airflow "Run task" feature allows execution with unnecessary privileges | Apache Airflow | CWE-250 | 8.8 | - | 2023-08-05
CVE-2023-22888 | Apache Airflow: Scheduler remote DoS | Apache Airflow | CWE-20 | 6.5 | - | 2023-07-12
CVE-2023-36543 | Apache Airflow: ReDoS via dags function | Apache Airflow | CWE-1333 | 6.5 | - | 2023-07-12
CVE-2022-46651 | Apache Airflow: Security vulnerability on AirFlow Connections | Apache Airflow | CWE-200 | 6.5 | - | 2023-07-12
CVE-2023-22887 | Apache Airflow path traversal by authenticated user | Apache Airflow | CWE-22 | 6.5 | - | 2023-07-12
CVE-2023-35908 | Apache Airflow: Access to DAGs without relevant permission | Apache Airflow | CWE-863 | 5.3 | - | 2023-07-12
CVE-2023-35005 | Apache Airflow: Information disclosure on configuration view | Apache Airflow | CWE-200 | 7.5 | - | 2023-06-19
CVE-2023-25754 | Apache Airflow: Privilege escalation using airflow logs | Apache Airflow | CWE-270 | 7.5 | - | 2023-05-08
CVE-2023-29247 | Stored XSS on Apache Airflow | Apache Airflow | CWE-79 | 6.1 | - | 2023-05-08
CVE-2023-25695 | Information disclosure in Apache Airflow | Apache Airflow | CWE-209 | 5.3 | - | 2023-03-15
CVE-2023-22884 | Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow | Apache Airflow | CWE-77 | 9.8 | - | 2023-01-21
CVE-2022-45402 | Apache Airflow: Open redirect during login | Apache Airflow | CWE-601 | 6.1 | - | 2022-11-15
CVE-2022-27949 | Apache Airflow prior to 2.3.1 may include sensitive values in rendered template | Apache Airflow | CWE-200 | 7.5 | - | 2022-11-14
CVE-2022-40127 | Apache Airflow <2.4.0 has an RCE in a bash example | Apache Airflow | CWE-94 | 8.8 | - | 2022-11-14
CVE-2022-43982 | Apache Airflow prior to 2.4.2 allows reflected XSS via Origin Query Argument in URL | Apache Airflow | CWE-79 | 6.1 | - | 2022-11-02
CVE-2022-43985 | Apache Airflow prior to 2.4.2 has an open redirect | Apache Airflow | CWE-601 | 6.1 | - | 2022-11-02
CVE-2022-41672 | Session still functional after user is deactivated | Apache Airflow | CWE-613 | 8.1 | - | 2022-10-07
CVE-2022-40754 | Open Redirect | Apache Airflow | CWE-601 | 6.1 | - | 2022-09-21
CVE-2022-40604 | Format String Vulnerability | Apache Airflow | CWE-134 | 7.5 | - | 2022-09-21
CVE-2022-38054 | Session Fixation | Apache Airflow | CWE-384 | 9.8 | - | 2022-09-02
CVE-2022-38170 | Overly permissive umask for daemons | Apache Airflow | - | 4.7 | - | 2022-09-02
CVE-2022-38362 | Docker Provider <3.0 RCE vulnerability in example dag | Apache Airflow | - | 8.8 | - | 2022-08-16
CVE-2022-24288 | Apache Airflow: RCE in example DAGs | Apache Airflow | CWE-78 | 8.8 | - | 2022-02-25
CVE-2021-45229 | Apache Airflow: Reflected XSS via Origin Query Argument in URL | Apache Airflow | CWE-79 | 6.1 | - | 2022-02-25
CVE-2021-45230 | Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver | Apache Airflow | - | 6.5 | - | 2022-01-20
CVE-2021-38540 | Apache Airflow: Variable Import endpoint missed authentication check | Apache Airflow | CWE-269 | 9.8 | - | 2021-09-09
CVE-2021-35936 | No Authentication on Logging Server | Apache Airflow | CWE-200 | 5.3 | - | 2021-08-16
CVE-2021-28359 | Apache Airflow Reflected XSS via Origin Query Argument in URL | Apache Airflow | - | 6.1 | - | 2021-05-02
CVE-2021-26697 | Apache Airflow: Lineage API endpoint for Experimental API missed authentication check | Apache Airflow | CWE-269 | 5.3 | - | 2021-02-17
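A quick way to put this list to use: the Python triage helper below is an added example written for this page, not code from the listing site or from the Apache Airflow project. It takes fixed-version bounds only from the titles above that state one ("prior to 2.3.1", "<2.4.0", "prior to 2.4.2", "Docker Provider <3.0") and reports every other entry as "range not stated here", because this page does not carry their affected ranges and guessing them would be wrong. The PyPI distribution names used as keys (apache-airflow, apache-airflow-providers-docker) are assumed for illustration, and the advisory table inside the script is constructed from the rows above, not fetched.

```python
"""Triage the Airflow advisories listed above against an installed version.

Added example, not part of the listing page. Version bounds are taken only
from titles that state them; everything else is flagged for manual review.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str              # PyPI distribution name (assumed for this example)
    cvss: float
    fixed_in: Optional[str]   # first non-vulnerable version, None if the title does not say


# Constructed from the rows of the listing above. Only titles that state a
# version bound carry one; the 9.8-rated entries deliberately get None.
ADVISORIES = [
    Advisory("CVE-2023-22884", "apache-airflow", 9.8, None),
    Advisory("CVE-2022-38054", "apache-airflow", 9.8, None),
    Advisory("CVE-2021-38540", "apache-airflow", 9.8, None),
    Advisory("CVE-2022-40127", "apache-airflow", 8.8, "2.4.0"),
    Advisory("CVE-2022-38362", "apache-airflow-providers-docker", 8.8, "3.0.0"),
    Advisory("CVE-2022-27949", "apache-airflow", 7.5, "2.3.1"),
    Advisory("CVE-2022-43982", "apache-airflow", 6.1, "2.4.2"),
    Advisory("CVE-2022-43985", "apache-airflow", 6.1, "2.4.2"),
]


def parse_version(text: str) -> tuple:
    """'2.4.2' -> (2, 4, 2, 1); pads short versions so '3.0' == '3.0.0'.

    A pre-release suffix (2.4.2rc1, 2.4.2.dev0) yields a trailing 0 instead of 1,
    so it sorts *below* the final release: the conservative choice, since an RC
    of the fixed version may not yet contain the fix.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    prerelease = 0 if m.group(2) else 1
    return tuple(nums) + (prerelease,)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in, i.e. the listing's 'prior to X' / '<X' wording."""
    return parse_version(installed) < parse_version(fixed_in)


def triage(installed: dict) -> list:
    """installed maps distribution name -> version string (e.g. from `pip freeze`).

    Returns (cve, cvss, status) sorted by CVSS descending, where status is one of
    'affected', 'fixed', 'range not stated here' or 'package not installed'.
    """
    rows = []
    for adv in ADVISORIES:
        ver = installed.get(adv.package)
        if ver is None:
            status = "package not installed"
        elif adv.fixed_in is None:
            status = "range not stated here"   # open the linked advisory before deciding
        elif is_affected(ver, adv.fixed_in):
            status = "affected"
        else:
            status = "fixed"
        rows.append((adv.cve, adv.cvss, status))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    # Constructed sample inventory: an Airflow 2.3.4 deployment with the Docker provider 2.7.0.
    for cve, cvss, status in triage({"apache-airflow": "2.3.4",
                                     "apache-airflow-providers-docker": "2.7.0"}):
        print(f"{cve}  {cvss:>4}  {status}")
```

The output is ordered by CVSS so the entries whose range this page does not state land at the top, which is the point: the highest-rated advisories here (session fixation, missing authentication on the Variable Import endpoint, arbitrary file read via the MySQL provider) cannot be dismissed from the listing alone and need the linked advisory read before a deployment is marked clean.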

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.