Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Apache Software Foundation — Vulnerabilities & Security Advisories 1725

Browse all 1725 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, primarily known for the widely deployed Apache HTTP Server and foundational Java frameworks. Its extensive portfolio exposes a significant attack surface, evidenced by the 1717 recorded CVEs. Historically, vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration errors or input validation failures in legacy components. While the foundation enforces rigorous security review processes, the sheer volume of projects increases the likelihood of undiscovered flaws. Notable incidents include critical flaws in Log4j, which allowed remote code execution via crafted log messages, highlighting risks in dependency management. The organization relies on community-driven patching, requiring administrators to promptly apply updates to mitigate exploitation. This model ensures transparency but demands active vigilance from users to maintain system integrity against evolving threat vectors.

Top products by Apache Software Foundation: Apache HTTP Server Apache Airflow Apache Tomcat Apache Superset Apache Traffic Server Apache NiFi Apache OFBiz Apache InLong Apache CloudStack Apache DolphinScheduler Apache OpenOffice Apache Struts Apache Solr Apache OpenMeetings Apache Zeppelin Apache Camel Apache CXF Apache Hadoop Apache JSPWiki Apache Fineract Apache Geode Apache Pulsar Apache Ambari Apache Dubbo Apache Kylin Apache Hive Apache Thrift Apache Spark Apache Tika Apache ActiveMQ
CVE IDTitleCVSSSeverityPublished
CVE-2021-39234 Raw block data can be read bypassing ACL/authorization — Apache OzoneCWE-20 6.8 -2021-11-19
CVE-2021-39233 Container-related datanode operations can be called without authorization — Apache OzoneCWE-306 7.5 -2021-11-19
CVE-2021-39232 Missing admin check for SCM related admin commands — Apache OzoneCWE-862 8.8 -2021-11-19
CVE-2021-39231 Missing authentication/authorization on internal RPC endpoints — Apache OzoneCWE-862 9.1 -2021-11-19
CVE-2021-36372 Original block tokens are persisted and can be retrieved — Apache OzoneCWE-273 9.8 -2021-11-19
CVE-2021-42250 Possible log injection — Apache SupersetCWE-117 6.5 -2021-11-17
CVE-2021-37580 Apache ShenYu Admin bypass JWT authentication — Apache ShenYu AdminCWE-287 9.8 -2021-11-16
CVE-2021-41972 Credentials leak — Apache SupersetCWE-522 6.5 -2021-11-12
CVE-2021-43350 LDAP filter injection vulnerability in Traffic Ops — Apache Traffic ControlCWE-90 9.8 -2021-11-11
CVE-2021-26558 Deserialization of Untrusted Data — Apache ShardingSphere-UICWE-502 7.5 -2021-11-11
CVE-2021-43082 heap-buffer-overflow with stats-over-http plugin — Apache Traffic ServerCWE-120 9.8 -2021-11-03
CVE-2021-41585 ATS stops accepting connections on FreeBSD — Apache Traffic Server 7.5 -2021-11-03
CVE-2021-38161 Not validating origin TLS certificate — Apache Traffic ServerCWE-287 7.7 -2021-11-03
CVE-2021-37149 Request Smuggling - multiple attacks — Apache Traffic ServerCWE-20 7.5 -2021-11-03
CVE-2021-37148 Request Smuggling - transfer encoding validation — Apache Traffic ServerCWE-20 7.5 -2021-11-03
CVE-2021-37147 Request Smuggling - LF line ending — Apache Traffic ServerCWE-20 7.5 -2021-11-03
CVE-2021-27644 DolphinScheduler mysql jdbc connector parameters deserialize remote code execution — Apache DolphinSchedulerCWE-264 8.8 -2021-11-01
CVE-2021-41973 Apache MINA HTTP listener DOS — Apache MINACWE-835 6.5 -2021-11-01
CVE-2021-40865 Unsafe Pre-Authentication Deserialization In Workers — Apache StormCWE-502 9.8 -2021-10-25
CVE-2021-38294 Shell Command Injection Vulnerability in Nimbus Thrift Server — Apache StormCWE-74 9.8 -2021-10-25
CVE-2021-41971 Possible SQL Injection when template processing is enabled — Apache SupersetCWE-89 8.8 -2021-10-18
CVE-2021-32609 XSS vulnerability on Explore page — Apache SupersetCWE-79 6.4 -2021-10-18
CVE-2021-42340 DoS via memory leak with WebSocket connections — Apache TomcatCWE-772 7.5 -2021-10-14
CVE-2021-38295 Privilege escalation vulnerability when using HTML attachments — Apache CouchDB 7.3 -2021-10-14
CVE-2021-42009 Apache Traffic Control Traffic Ops Email Injection Vulnerability — Apache Traffic ControlCWE-20 4.3 -2021-10-12
CVE-2021-41832 Content Manipulation with Certificate Validation Attack — Apache OpenOfficeCWE-347 7.5 -2021-10-11
CVE-2021-41831 Timestamp Manipulation with Signature Wrapping — Apache OpenOfficeCWE-347 4.0 -2021-10-11
CVE-2021-41830 Double Certificate Attack — Apache OpenOfficeCWE-347 7.5 -2021-10-11
CVE-2021-42013 Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) — Apache HTTP ServerCWE-22 9.8 -2021-10-07
CVE-2021-40439 Billion Laughs — Apache OpenOfficeCWE-611 8.1 -2021-10-07

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.