Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Apache Software Foundation — Vulnerabilities & Security Advisories 1736

Browse all 1736 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, primarily known for the widely deployed Apache HTTP Server and foundational Java frameworks. Its extensive portfolio exposes a significant attack surface, evidenced by the 1717 recorded CVEs. Historically, vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration errors or input validation failures in legacy components. While the foundation enforces rigorous security review processes, the sheer volume of projects increases the likelihood of undiscovered flaws. Notable incidents include critical flaws in Log4j, which allowed remote code execution via crafted log messages, highlighting risks in dependency management. The organization relies on community-driven patching, requiring administrators to promptly apply updates to mitigate exploitation. This model ensures transparency but demands active vigilance from users to maintain system integrity against evolving threat vectors.

Top products by Apache Software Foundation: Apache HTTP Server Apache Airflow Apache Tomcat Apache Superset Apache Traffic Server Apache NiFi Apache OFBiz Apache InLong Apache CloudStack Apache DolphinScheduler Apache OpenOffice Apache Struts Apache Solr Apache OpenMeetings Apache Zeppelin Apache Camel Apache CXF Apache Hadoop Apache JSPWiki Apache Fineract Apache Geode Apache Pulsar Apache Ambari Apache Dubbo Apache Kylin Apache Hive Apache Thrift Apache Spark Apache Tika Apache ActiveMQ
CVE IDTitleCVSSSeverityPublished
CVE-2022-23305 SQL injection in JDBC Appender in Apache Log4j V1 — Apache Log4j 1.xCWE-89 9.8 -2022-01-18
CVE-2022-23302 Deserialization of untrusted data in JMSSink in Apache Log4j 1.x — Apache Log4j 1.xCWE-502 8.8 -2022-01-18
CVE-2021-42357 DOM based XSS Vulnerability in Apache Knox — Apache KnoxCWE-79 6.1 -2022-01-17
CVE-2021-43999 Improper validation of SAML responses — Apache GuacamoleCWE-287 8.8 -2022-01-11
CVE-2021-41767 Private tunnel identifier may be included in the non-private details of active connections — Apache GuacamoleCWE-200 6.5 -2022-01-11
CVE-2021-43297 Dubbo Hessian cause RCE when parse error — Apache DubboCWE-502 9.8 -2022-01-10
CVE-2021-43045 Possible DOS vulnerabilities in C# Avro SDK — Apache AvroCWE-770 7.5 -2022-01-06
CVE-2021-45458 Hardcoded credentials — Apache KylinCWE-798 7.5 -2022-01-06
CVE-2021-45457 Overly broad CORS configuration — Apache Kylin 7.5 -2022-01-06
CVE-2021-45456 Command injection — Apache Kylin 9.8 -2022-01-06
CVE-2021-36774 Mysql JDBC Connector Deserialize RCE — Apache Kylin 6.5 -2022-01-06
CVE-2021-31522 Apache Kylin unsafe class loading — Apache Kylin 9.8 -2022-01-06
CVE-2021-27738 Improper Access Control to Streaming Coordinator & SSRF — Apache KylinCWE-918 7.5 -2022-01-06
CVE-2021-36739 XSS vulnerability in the MVCBean JSP portlet maven archetype — Apache PortalsCWE-79 6.1 -2022-01-06
CVE-2021-36738 XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet — Apache PortalsCWE-79 6.1 -2022-01-06
CVE-2021-36737 XSS in V3 Demo Portlet — Apache PortalsCWE-79 6.1 -2022-01-06
CVE-2021-40525 Sieve file storage vulnerable to path traversal attacks — Apache JamesCWE-22 9.1 -2022-01-04
CVE-2021-40111 Apache James IMAP parsing Denial Of Service — Apache James 6.5 -2022-01-04
CVE-2021-40110 Apache James IMAP vulnerable to a ReDoS — Apache James 7.5 -2022-01-04
CVE-2021-38542 Apache James vulnerable to STARTTLS command injection (IMAP and POP3) — Apache JamesCWE-77 5.9 -2022-01-04
CVE-2021-34797 Apache Geode project log file redaction of sensitive information vulnerability — Apache GeodeCWE-532 7.5 -2022-01-04
CVE-2021-44832 Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration — Apache Log4j2CWE-20 6.6 -2021-12-28
CVE-2021-45232 security vulnerability on unauthorized access. — Apache APISIX DashboardCWE-306 9.8 -2021-12-27
CVE-2021-44548 Apache Solr information disclosure vulnerability through DataImportHandler — Apache SolrCWE-40 8.8 -2021-12-23
CVE-2021-44224 Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier — Apache HTTP ServerCWE-476 8.2 -2021-12-20
CVE-2021-41561 Apache Parquet-MR potential DoS in case of malicious Parquet file — Apache ParquetCWE-20 7.5 -2021-12-20
CVE-2021-44790 Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier — Apache HTTP ServerCWE-787 9.8 -2021-12-20
CVE-2021-43083 Apache PLC4X 0.9.0 Buffer overflow in PLC4C via crafted server response — Apache PLC4XCWE-119 8.1 -2021-12-19
CVE-2021-45105 Apache Log4j2 does not always protect from infinite recursion in lookup evaluation — Apache Log4j2CWE-20 5.9 -2021-12-18
CVE-2021-44145 Apache NiFi information disclosure by XXE — Apache NiFi 6.5 -2021-12-17

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.