
Apache Software Foundation — Vulnerabilities & Security Advisories 1725

Browse all 1725 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, best known for the widely deployed Apache HTTP Server and for foundational Java libraries and frameworks. That portfolio is a large attack surface: more than 1,700 CVEs are recorded against ASF projects. The advisories listed below show the recurring weakness classes: unsafe deserialization (Jena SDB, Dubbo), path traversal in archive and repository handling (Ivy, UIMA, DolphinScheduler), cross-site scripting and open redirects in web consoles (Airflow, Spark, Sling, Geode), injection through template, log or string interpolation (Flume JNDI injection, Commons Text), authentication bypass (Shiro, SOAP) and request smuggling (Tomcat). Many of these are input-validation failures, or insecure defaults such as interpolation being enabled for untrusted input. The Log4j flaw, which allowed remote code execution when an attacker-controlled string reached a log statement and triggered a JNDI lookup, showed how one transitive dependency can expose an entire fleet, so inventorying dependencies matters as much as patching the software you deploy directly. Each project's maintainers publish their own fixes; there is no central vendor patch channel, so administrators must track advisories per project and apply updates promptly. The model is transparent, but it puts the burden of vigilance on the people running the software.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2022-27949 | Apache Airflow prior to 2.3.1 may include sensitive values in rendered template | Apache Airflow | CWE-200 | 7.5 | - | 2022-11-14 |
| CVE-2022-40127 | Apache Airflow <2.4.0 has an RCE in a bash example | Apache Airflow | CWE-94 | 8.8 | - | 2022-11-14 |
| CVE-2022-45136 | Apache Jena SDB allows arbitrary deserialisation via JDBC | Apache Jena SDB | CWE-502 | 9.8 | - | 2022-11-14 |
| CVE-2022-45378 | Apache SOAP allows unauthenticated users to potentially invoke arbitrary code | Apache SOAP | CWE-306 | 9.8 | - | 2022-11-14 |
| CVE-2022-37865 | Apache Ivy allows creating/overwriting any file on the system | Apache Ivy | - | 9.1 | - | 2022-11-07 |
| CVE-2022-37866 | Apache Ivy allows path traversal in the presence of a malicious repository | Apache Ivy | CWE-22 | 7.5 | - | 2022-11-07 |
| CVE-2022-42920 | Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing | Apache Commons BCEL | CWE-787 | 9.8 | - | 2022-11-07 |
| CVE-2022-33684 | Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to disabled certificate validation | Apache Pulsar | CWE-295 | 8.1 | - | 2022-11-04 |
| CVE-2022-32287 | Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives | Apache UIMA | CWE-22 | 9.1 | - | 2022-11-03 |
| CVE-2022-43670 | XSS in Sling CMS Reference App Taxonomy Path | Apache Sling App CMS | CWE-79 | 5.4 | - | 2022-11-02 |
| CVE-2022-43982 | Apache Airflow prior to 2.4.2 allows reflected XSS via Origin query argument in URL | Apache Airflow | CWE-79 | 6.1 | - | 2022-11-02 |
| CVE-2022-43985 | Apache Airflow prior to 2.4.2 has an open redirect | Apache Airflow | CWE-601 | 6.1 | - | 2022-11-02 |
| CVE-2022-31777 | Apache Spark XSS vulnerability in log viewer UI JavaScript | Apache Spark | CWE-74 | 5.4 | - | 2022-11-01 |
| CVE-2022-34662 | Apache DolphinScheduler prior to 3.0.0 allows path traversal | Apache DolphinScheduler | CWE-22 | 6.5 | - | 2022-11-01 |
| CVE-2022-42252 | Apache Tomcat request smuggling via malformed Content-Length | Apache Tomcat | CWE-444 | 8.2 | - | 2022-11-01 |
| CVE-2022-26884 | Apache DolphinScheduler exposes files without authentication | Apache DolphinScheduler | CWE-22 | 6.5 | - | 2022-10-28 |
| CVE-2022-39944 | The Apache Linkis JDBC EngineConn module has an RCE vulnerability | Apache Linkis | - | 8.8 | - | 2022-10-26 |
| CVE-2022-42468 | Apache Flume prior to 1.11.0 has an improper input validation (JNDI injection) in JMSSource | Apache Flume | CWE-20 | 9.8 | - | 2022-10-26 |
| CVE-2022-43766 | Apache IoTDB prior to 0.13.3 allows DoS | Apache IoTDB | - | 7.5 | - | 2022-10-26 |
| CVE-2022-34870 | Apache Geode stored cross-site scripting (XSS) via data injection vulnerability in Pulse web application | Apache Geode | - | 5.4 | - | 2022-10-25 |
| CVE-2022-41704 | Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input | Apache XML Graphics | - | 7.5 | - | 2022-10-25 |
| CVE-2022-42890 | Apache Batik prior to 1.16 allows RCE via scripting | Apache XML Graphics | - | 7.5 | - | 2022-10-25 |
| CVE-2021-42010 | CRLF log injection | Apache Heron (Incubating) | - | 9.8 | - | 2022-10-24 |
| CVE-2022-42466 | XSS vulnerability, e.g. for String properties | Apache Isis | CWE-79 | 6.1 | - | 2022-10-19 |
| CVE-2022-42467 | H2 web console (available only in prototype mode) should nevertheless be disabled by default | Apache Isis | CWE-1188 | 7.5 | - | 2022-10-19 |
| CVE-2022-39198 | Apache Dubbo Hessian deserialization vulnerability gadgets bypass | Apache Dubbo | CWE-502 | 9.8 | - | 2022-10-18 |
| CVE-2022-24697 | Apache Kylin prior to 4.0.2 allows command injection via the configuration-overwrite function overwriting system parameters | Apache Kylin | - | 9.8 | - | 2022-10-13 |
| CVE-2022-42889 | Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults | Apache Commons Text | - | 9.8 | - | 2022-10-13 |
| CVE-2022-40664 | Authentication bypass vulnerability in Shiro when forwarding or including via RequestDispatcher | Apache Shiro | CWE-287 | 9.8 | - | 2022-10-12 |
| CVE-2022-41672 | Session still functional after user is deactivated | Apache Airflow | CWE-613 | 8.1 | - | 2022-10-07 |
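The listing above is meant for triage, but the rows arrive as flattened text with the CWE tag run into the product name and the severity cell empty. The following is an added example, not code from this listing site or from any Apache project: it parses rows in exactly the form they appear above, derives a qualitative severity from the CVSS v3.x rating scale (an assumption on my part; the page does not state which CVSS version its scores use and leaves the severity column blank), ranks what to patch first, and counts weakness classes. The sample rows are copied from the table so the script runs offline; the function and class names are my own.

```python
"""Triage helper for flattened rows of an Apache advisory listing.

Added example for this page; not code from the listing site or any Apache project.
Row shape handled: "<CVE-ID> <title> — <product><optional CWE-n> <cvss> -<YYYY-MM-DD>"
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

ROW = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,}) "
    r"(?P<title>.+?) — "
    r"(?P<product>.+?)(?P<cwe>CWE-\d+)? "   # on the page the CWE tag is fused to the product name
    r"(?P<cvss>\d{1,2}\.\d) "
    r"(?P<severity>\S*?)"                   # the page renders this cell as "-"
    r"(?P<date>\d{4}-\d{2}-\d{2})$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    product: str
    cwe: Optional[str]
    cvss: float
    published: str


def parse_row(line: str) -> Advisory:
    """Turn one flattened listing row into a record; reject anything that does not fit."""
    m = ROW.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised advisory row: {line!r}")
    return Advisory(
        cve=m["cve"], title=m["title"], product=m["product"],
        cwe=m["cwe"], cvss=float(m["cvss"]), published=m["date"],
    )


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating (assumed; the listing does not say which CVSS version it shows)."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def triage(lines: Iterable[str], min_cvss: float = 7.0) -> List[Advisory]:
    """Advisories scoring at or above min_cvss, highest score first, newest first on ties."""
    parsed = [parse_row(line) for line in lines if line.strip()]
    hits = [a for a in parsed if a.cvss >= min_cvss]
    return sorted(hits, key=lambda a: (a.cvss, a.published), reverse=True)


def cwe_histogram(lines: Iterable[str]) -> Counter:
    """Count weakness classes; rows with no CWE tag on the page are counted as 'untagged'."""
    return Counter(parse_row(line).cwe or "untagged" for line in lines if line.strip())


# Sample rows copied verbatim from the listing on this page so the example runs offline.
SAMPLE_ROWS = [
    "CVE-2022-45136 Apache Jena SDB allows arbitrary deserialisation via JDBC — Apache Jena SDBCWE-502 9.8 -2022-11-14",
    "CVE-2022-37865 Apache Ivy allows creating/overwriting any file on the system — Apache Ivy 9.1 -2022-11-07",
    "CVE-2022-43670 XSS in Sling CMS Reference App Taxonomy Path — Apache Sling App CMSCWE-79 5.4 -2022-11-02",
    "CVE-2022-43985 Apache Airflow prior to 2.4.2 has an open redirect — Apache AirflowCWE-601 6.1 -2022-11-02",
    "CVE-2022-42252 Apache Tomcat request smuggling via malformed content-length — Apache TomcatCWE-444 8.2 -2022-11-01",
    "CVE-2022-42889 Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults — Apache Commons Text 9.8 -2022-10-13",
    "CVE-2022-41672 Session still functional after user is deactivated — Apache AirflowCWE-613 8.1 -2022-10-07",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ROWS):
        print(f"{a.cve}  {a.cvss:>4}  {severity(a.cvss):<8} {a.cwe or '-':<8} {a.product}: {a.title}")
    print(dict(cwe_histogram(SAMPLE_ROWS)))
```

Two things worth noting in the design: `parse_row` raises on rows it cannot read rather than silently skipping them, because a dropped row is a missed advisory; and rows without a CWE (Ivy, Commons Text) are kept and reported as untagged so they are not lost when you group by weakness class.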

This page lists every published CVE security advisory associated with the Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.