
Apache Software Foundation — Vulnerabilities & Security Advisories 1754

Browse all 1754 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, and is best known for the widely deployed Apache HTTP Server and for foundational Java frameworks. Its extensive portfolio exposes a significant attack surface, evidenced by the 1717 recorded CVEs. Historically, its vulnerabilities have frequently involved remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration errors or input validation failures in legacy components. While the foundation enforces rigorous security review processes, the sheer number of projects increases the likelihood of undiscovered flaws. Notable incidents include critical flaws in Log4j, which allowed remote code execution via crafted log messages, highlighting the risks of dependency management. The organization relies on community-driven patching, so administrators must apply updates promptly to mitigate exploitation. This model ensures transparency but demands active vigilance from users to keep systems protected against evolving threat vectors.

| CVE ID | Title | Project | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2022-29265 | Improper Restriction of XML External Entity References in Multiple Components | Apache NiFi | CWE-611 | 7.5 | - | 2022-04-30 |
| CVE-2022-23942 | Apache Doris hardcoded cryptography initialization | Apache Doris (Incubating) | CWE-798 | 7.5 | - | 2022-04-26 |
| CVE-2022-24706 | Remote Code Execution Vulnerability in Packaging | Apache CouchDB | CWE-1188 | 9.8 | - | 2022-04-26 |
| CVE-2022-29266 | apisix/jwt-auth may leak secrets in error response | Apache APISIX | CWE-209 | 7.5 | - | 2022-04-20 |
| CVE-2022-27479 | SQL injection vulnerability in chart data API | Apache Superset | CWE-89 | 9.8 | - | 2022-04-13 |
| CVE-2022-24070 | Apache Subversion mod_dav_svn is vulnerable to memory corruption | Apache Subversion | CWE-416 | 9.8 | - | 2022-04-12 |
| CVE-2021-28544 | Apache Subversion SVN authz protected copyfrom paths regression | Apache Subversion | CWE-200 | 4.3 | - | 2022-04-12 |
| CVE-2021-31805 | Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. | Apache Struts | CWE-917 | 9.8 | - | 2022-04-12 |
| CVE-2022-26612 | Arbitrary file write in FileUtil#unpackEntries on Windows | Apache Hadoop | | 9.1 | - | 2022-04-07 |
| CVE-2022-26850 | Insufficiently protected credentials | Apache NiFi | | 4.3 | - | 2022-04-06 |
| CVE-2022-23974 | Pinot segment push endpoint has a vulnerability in unprotected environments | Apache Pinot | CWE-674 | 7.5 | - | 2022-04-05 |
| CVE-2022-25598 | Apache DolphinScheduler user registration is vulnerable to ReDoS attacks | Apache DolphinScheduler | CWE-1333 | 7.5 | - | 2022-03-30 |
| CVE-2022-25757 | Apache APISIX: the body_schema check in request-validation plugin can be bypassed | Apache APISIX | CWE-20 | 9.8 | - | 2022-03-28 |
| CVE-2021-44759 | Improper authentication vulnerability in TLS origin verification | Apache Traffic Server | CWE-287 | 7.7 | - | 2022-03-23 |
| CVE-2021-44040 | HTTP request line fuzzing attacks | Apache Traffic Server | CWE-20 | 7.5 | - | 2022-03-23 |
| CVE-2022-26779 | Apache Cloudstack insecure random number generation affects project email invitation | Apache CloudStack | | 8.8 | - | 2022-03-15 |
| CVE-2022-23943 | mod_sed: Read/write beyond bounds | Apache HTTP Server | CWE-787 | 9.1 | - | 2022-03-14 |
| CVE-2022-22721 | core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody | Apache HTTP Server | CWE-190 | 9.1 | - | 2022-03-14 |
| CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | Apache HTTP Server | CWE-444 | 9.8 | - | 2022-03-14 |
| CVE-2022-22719 | mod_lua Use of uninitialized value of in r:parsebody | Apache HTTP Server | CWE-665 | 7.5 | - | 2022-03-14 |
| CVE-2021-38296 | Apache Spark Key Negotiation Vulnerability | Apache Spark | CWE-294 | 7.5 | - | 2022-03-10 |
| CVE-2022-25312 | An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor | Apache Any23 | | 9.1 | - | 2022-03-04 |
| CVE-2022-26336 | A carefully crafted TNEF file can cause an out of memory exception | poi-scratchpad | CWE-770 | 5.5 | - | 2022-03-04 |
| CVE-2022-24948 | Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen | Apache JSPWiki | | 6.1 | - | 2022-02-25 |
| CVE-2022-24947 | Apache JSPWiki CSRF Account Takeover | Apache JSPWiki | | 8.8 | - | 2022-02-25 |
| CVE-2022-24288 | Apache Airflow: RCE in example DAGs | Apache Airflow | CWE-78 | 8.8 | - | 2022-02-25 |
| CVE-2021-45229 | Apache Airflow: Reflected XSS via Origin Query Argument in URL | Apache Airflow | CWE-79 | 6.1 | - | 2022-02-25 |
| CVE-2022-24289 | Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions | Apache Cayenne | CWE-502 | 8.8 | - | 2022-02-11 |
| CVE-2022-24112 | apisix/batch-requests plugin allows overwriting the X-REAL-IP header | Apache APISIX | CWE-290 | 9.8 | - | 2022-02-11 |
| CVE-2021-44521 | Remote code execution for scripted UDFs | Apache Cassandra | CWE-94 | 9.1 | - | 2022-02-11 |

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.