
Apache HTTP Server

500 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-43515
>= 7.0.0 and <= 7.0.109
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomca
9.1CRITICAL
CVE-2026-43514
>= 7.0.0 and <= 7.0.109
Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 1
3.7LOW
CVE-2026-43513
>= 7.0.0 and <= 7.0.109
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0
7.5HIGH
CVE-2026-43512
>= 7.0.0 and <= 7.0.109
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomca
9.8CRITICAL
CVE-2026-42498
>= 7.0.0 and <= 7.0.109
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This i
7.3HIGH
CVE-2026-41293
>= 8.5.0 and <= 8.5.100
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from
9.8CRITICAL
CVE-2026-41284
>= 4.0.0 and <= 7.0.109
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.
7.5HIGH
CVE-2026-28780
< 2.4.67
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP serv
9.8CRITICAL
CVE-2026-29168
>= 2.4.30 and < 2.4.67
Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This
7.3HIGH
CVE-2026-33523
>= 2.4.0 and < 2.4.67
HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This
6.5MEDIUM
CVE-2026-33007
>= 2.4.0 and < 2.4.67
A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user
5.3MEDIUM
CVE-2026-33006
< 2.4.67
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker
4.8MEDIUM
CVE-2026-29169
< 2.4.67
A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with
7.5HIGH
CVE-2026-23918
all versions
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server:
8.8HIGH
CVE-2026-34032
< 2.4.67
Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through
5.3MEDIUM
CVE-2026-33857
< 2.4.67
Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66.
5.3MEDIUM
CVE-2026-34059
< 2.4.67
Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommend
7.5HIGH
CVE-2026-24072
< 2.4.67
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files w
8.8HIGH
CVE-2026-41016
>= 2.0.0 and < 3.0.0
Apache Airflow's SMTP provider SmtpHook called Python's smtplib.SMTP.starttls() without an SSL context, so no certificate vali
5.9MEDIUM
CVE-2026-40690
< 3.2.1
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DA
4.3MEDIUM
CVE-2026-38743
< 3.2.1
The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance
4.3MEDIUM
CVE-2026-41044
< 5.19.6
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache Acti
8.8HIGH
CVE-2026-41043
< 5.19.6
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ We
6.5MEDIUM
CVE-2026-40466
< 5.19.6
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apac
8.8HIGH
CVE-2026-32690
>= 3.0.0 and < 3.2.0
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the
3.7LOW
CVE-2026-32228
>= 3.0.0 and < 3.2.0
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow
7.5HIGH
CVE-2026-30912
< 3.2.0
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That
7.5HIGH
CVE-2026-30898
< 3.2.0
An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitize
8.8HIGH
CVE-2026-25917
< 3.2.0
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserv
7.2HIGH
CVE-2026-31987
>= 3.0.0 and < 3.2.0
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to A
7.5HIGH
CVE-2026-25219
< 3.2.0
The access_key and connection_string connection properties were not marked as sensitive names in secrets masker. This means th
6.5MEDIUM
CVE-2025-54550
< 3.2.0
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the
8.1HIGH
CVE-2026-33858
>= 3.1.8 and < 3.2.0
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserv
8.8HIGH
CVE-2025-66236
>= 3.0.0 and < 3.2.0
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions an
7.5HIGH
CVE-2026-39304
< 5.19.4
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NI
7.5HIGH
CVE-2026-34500
>= 9.0.92 and < 9.0.117
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomca
6.5MEDIUM
CVE-2026-34487
>= 9.0.13 and < 9.0.117
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat e
7.5HIGH
CVE-2026-34486
all versions
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the
7.5HIGH
CVE-2026-34483
>= 9.0.40 and < 9.0.117
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Ap
7.5HIGH
CVE-2026-32990
>= 9.0.113 and < 9.0.116
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache To
5.3MEDIUM
CVE-2026-29146
>= 7.0.100 and <= 7.0.109
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat:
7.5HIGH
CVE-2026-29145
>= 9.0.83 and < 9.0.116
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat,
9.1CRITICAL
CVE-2026-29129
>= 9.0.114 and < 9.0.116
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 t
7.5HIGH
CVE-2026-25854
>= 9.0.1 and < 9.0.116
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
6.1MEDIUM
CVE-2026-24880
>= 9.0.0 and < 9.0.116
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk
7.5HIGH
CVE-2025-57735
>= 3.0.0 and < 3.2.0
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token
9.1CRITICAL
CVE-2026-34538
>= 3.0.0 and < 3.2.0
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run re
6.5MEDIUM
CVE-2026-34197
< 5.19.4
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apac
8.8HIGH
CVE-2026-33227
< 5.19.3
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, A
4.3MEDIUM
CVE-2025-65114
>= 9.0.0 and < 9.2.13
Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: fro
7.5HIGH
CVE-2025-58136
>= 9.0.0 and < 9.2.13
A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 th
7.5HIGH
CVE-2026-30911
>= 3.1.0 and < 3.1.8
Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) en
8.1HIGH
CVE-2026-28779
>= 3.0.0 and < 3.1.8
Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webs
7.5HIGH
CVE-2026-28563
>= 3.0.0 and < 3.1.8
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by a
4.3MEDIUM
CVE-2026-26929
>= 3.0.0 and < 3.1.8
Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when th
6.5MEDIUM
CVE-2025-66168
< 5.19.2
WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for m
5.4MEDIUM
CVE-2026-23984
< 6.0.0
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypas
6.5MEDIUM
CVE-2026-23983
< 6.0.0
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user informat
6.5MEDIUM
CVE-2026-23982
< 6.0.0
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls
6.5MEDIUM
CVE-2026-23980
< 6.0.0
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an aut
6.5MEDIUM
CVE-2026-23969
< 4.1.2
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive S
6.5MEDIUM
CVE-2025-27555
< 2.11.1
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values
6.5MEDIUM
CVE-2024-56373
< 2.11.1
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary cod
8.4HIGH
CVE-2025-65995
< 2.11.1
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If
6.5MEDIUM
CVE-2026-24734
>= 9.0.83 and < 9.0.115
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and
7.5HIGH
CVE-2026-24733
>= 9.0.1 and < 9.0.113
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a securit
3.7LOW
CVE-2025-66614
>= 9.0.1 and < 9.0.113
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through
9.1CRITICAL
CVE-2026-24098
>= 3.0.0 and < 3.1.7
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specifi
6.5MEDIUM
CVE-2026-22922
>= 3.1.0 and < 3.1.7
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permiss
6.5MEDIUM
CVE-2025-68675
< 3.1.6
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs contai
7.5HIGH
CVE-2025-68438
>= 3.1.0 and < 3.1.6
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensiti
7.5HIGH
CVE-2025-68493
>= 2.0.0 and <= 2.3.37
Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1;
8.1HIGH
CVE-2025-66388
>= 3.1.0 and < 3.1.4
A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not be
6.5MEDIUM
CVE-2025-66675
>= 2.0.0 and <= 2.3.37
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue af
8.2HIGH
CVE-2025-58098
< 2.4.66
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-esca
8.3HIGH
CVE-2025-66200
>= 2.4.7 and < 2.4.66
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHead
5.4MEDIUM
CVE-2025-65082
>= 2.4.0 and < 2.4.66
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables se
6.5MEDIUM
CVE-2025-59775
>= 2.4.0 and < 2.4.66
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlas
7.5HIGH
CVE-2025-55753
>= 2.4.30 and < 2.4.66
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configur
7.5HIGH
CVE-2025-64775
>= 2.0.0 and < 6.8.0
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue af
7.5HIGH
CVE-2025-64407
< 4.1.16
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to c
5.3MEDIUM
CVE-2025-64406
< 4.1.16
An out-of-bounds Write vulnerability in Apache OpenOffice could allow an attacker to craft a document that would crash the program
4.3MEDIUM
CVE-2025-64405
< 4.1.16
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to c
7.5HIGH
CVE-2025-64404
< 4.1.16
Apache OpenOffice documents can contain links to other files. A missing Authorization vulnerability in Apache OpenOffice allowed a
7.5HIGH
CVE-2025-64403
< 4.1.16
Apache OpenOffice Calc spreadsheet can contain links to other files, in the form of "external data sources". A missing Authorizati
8.1HIGH
CVE-2025-64402
< 4.1.16
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to c
6.5MEDIUM
CVE-2025-64401
< 4.1.16
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to
7.5HIGH
CVE-2025-62503
>= 3.0.0 and < 3.1.1
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with
4.6MEDIUM
CVE-2025-62402
>= 3.0.0 and < 3.1.1
API users via /api/v2/dagReports could perform Dag code execution in the context of the api-server if the api-server was deploye
5.4MEDIUM
CVE-2025-54941
>= 3.0.0 and < 3.0.5
An example dag example_dag_decorator had non-validated parameter that allowed the UI user to redirect the example to a malicious
4.6MEDIUM
CVE-2025-61795
>= 8.5.0 and <= 8.5.100
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during th
5.3MEDIUM
CVE-2025-55754
>= 8.5.60 and <= 8.5.100
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape s
9.6CRITICAL
CVE-2025-55752
>= 8.5.6 and <= 8.5.100
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten U
7.5HIGH
CVE-2025-54831
all versions
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to
6.5MEDIUM
CVE-2025-55675
< 5.0.0
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows a
6.5MEDIUM
CVE-2025-55674
< 5.0.0
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An
6.5MEDIUM
CVE-2025-55673
< 4.1.3
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in it
4.3MEDIUM
CVE-2025-55672
< 5.0.0
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with perm
5.4MEDIUM
CVE-2025-55668
>= 9.0.1 and < 9.0.106
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.
6.5MEDIUM
CVE-2025-48989
>= 9.0.1 and < 9.0.108
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This is
7.5HIGH
CVE-2025-54090
all versions
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to u
6.3MEDIUM
CVE-2025-53506
>= 9.0.0 and <= 9.0.106
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings fram
7.5HIGH
CVE-2025-52520
>= 9.0.0 and < 9.0.107
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via b
7.5HIGH
CVE-2025-52434
>= 9.0.0 and < 9.0.107
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when us
7.5HIGH
CVE-2025-53020
>= 2.4.17 and < 2.4.64
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from
7.5HIGH
CVE-2025-49812
< 2.4.64
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-
7.4HIGH
CVE-2025-49630
>= 2.4.26 and < 2.4.64
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be t
7.5HIGH
CVE-2025-23048
>= 2.4.35 and < 2.4.64
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is poss
9.1CRITICAL
CVE-2024-47252
>= 2.4.0 and < 2.4.64
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client
7.5HIGH
CVE-2024-43394
>= 2.4.0 and < 2.4.64
Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server
7.5HIGH
CVE-2024-43204
>= 2.4.0 and < 2.4.64
SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the att
7.5HIGH
CVE-2024-42516
>= 2.4.0 and < 2.4.64
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers
7.5HIGH
CVE-2025-49763
>= 9.0.0 and < 9.2.11
ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instruct
7.5HIGH
CVE-2025-31698
>= 9.0.0 and < 9.2.11
ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a
7.5HIGH
CVE-2025-49125
>= 9.0.0 and < 9.0.106
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResource
7.5HIGH
CVE-2025-49124
>= 9.0.23 and < 9.0.106
Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows
8.4HIGH
CVE-2025-48988
>= 9.0.0 and < 9.0.106
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.
7.5HIGH
CVE-2025-48912
< 4.1.2
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL i
6.5MEDIUM
CVE-2025-46701
>= 9.0.0 and < 9.0.105
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security c
7.3HIGH
CVE-2025-27696
< 4.1.2
Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authentica
8.8HIGH
CVE-2025-27533
>= 5.16.0 and < 5.16.8
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size
7.5HIGH
CVE-2025-3891
all versions
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a
7.5HIGH
CVE-2025-31651
>= 9.0.0 and < 9.0.104
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite ru
9.8CRITICAL
CVE-2025-31650
>= 9.0.76 and < 9.0.104
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted
7.5HIGH
CVE-2024-53868
>= 9.0.0 and < 9.2.10
Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server:
7.5HIGH
CVE-2025-24813
< 9.0.99
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious con
9.8CRITICAL
CVE-2024-56196
>= 10.0.0 and < 10.0.4
Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.
6.3MEDIUM
CVE-2024-56195
>= 9.0.0 and < 9.2.9
Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.
6.3MEDIUM
CVE-2024-38311
>= 9.0.0 and < 9.2.9
Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.
6.3MEDIUM
CVE-2024-56202
>= 9.0.0 and < 9.2.9
Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through
4.3MEDIUM
CVE-2024-56337
>= 9.0.0 and < 9.0.98
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M
9.8CRITICAL
CVE-2024-54677
>= 9.0.0 and < 9.0.98
Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of ser
5.3MEDIUM
CVE-2024-50379
>= 9.0.0 and < 9.0.98
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case ins
9.8CRITICAL
CVE-2024-55633
< 4.1.0
Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft
6.5MEDIUM
CVE-2024-53677
>= 2.0.0 and < 6.4.0
File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under s
9.8CRITICAL
CVE-2024-53949
>= 2.0.0 and < 4.1.0
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lo
6.5MEDIUM
CVE-2024-53948
< 4.1.0
Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: bef
5.3MEDIUM
CVE-2024-53947
< 4.1.0
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specificall
9.8CRITICAL
CVE-2018-9481
>= 6.0.0 and <= 6.2.3
In bta_hd_set_report_act of bta_hd_act.cc, there is a possible out-of-bounds read due to an integer overflow. This could lead to r
6.5MEDIUM
CVE-2024-52318
all versions
Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96.
6.1MEDIUM
CVE-2024-52317
>= 9.0.92 and < 9.0.96
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HT
6.5MEDIUM
CVE-2024-52316
>= 9.0.0 and < 9.0.96
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly
9.8CRITICAL
CVE-2024-45784
< 2.10.3
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. Th
7.5HIGH
CVE-2024-50306
>= 10.0.0 and < 10.0.2
Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server:
9.1CRITICAL
CVE-2024-50305
>= 9.0.0 and < 9.2.6
Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: fro
7.5HIGH
CVE-2024-38479
>= 8.0.0 and <= 8.1.11
Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.
7.5HIGH
CVE-2024-50378
< 2.10.3
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values
4.9MEDIUM
CVE-2024-38286
>= 9.0.13 and < 9.0.90
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.
8.6HIGH
CVE-2024-45498
all versions
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authentica
8.8HIGH
CVE-2024-45034
< 2.10.1
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and ge
8.8HIGH
CVE-2024-41937
< 2.10.0
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-
6.1MEDIUM
CVE-2024-35296
>= 8.0.0 and < 8.1.11
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue aff
8.2HIGH
CVE-2024-35161
>= 8.0.0 and < 8.1.11
Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smugglin
7.5HIGH
CVE-2023-38522
>= 8.0.0 and < 8.1.11
Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin serve
7.5HIGH
CVE-2024-40898
< 2.4.62
SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malici
7.5HIGH
CVE-2024-40725
all versions
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based conf
5.3MEDIUM
CVE-2024-39877
>= 2.4.0 and < 2.9.3
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md param
8.8HIGH
CVE-2024-39863
< 2.9.3
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when in
5.4MEDIUM
CVE-2024-39887
< 4.0.2
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands.
4.3MEDIUM
CVE-2024-39884
all versions
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.
6.2MEDIUM
CVE-2024-34750
>= 9.0.0 and < 9.0.90
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an
7.5HIGH
CVE-2024-39573
>= 2.4.0 and < 2.4.60
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpect
7.5HIGH
CVE-2024-38477
>= 2.4.0 and < 2.4.60
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malici
7.5HIGH
CVE-2024-38476
>= 2.4.0 and < 2.4.60
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script exec
9.8CRITICAL
CVE-2024-38475
>= 2.4.0 and < 2.4.60
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem l
9.1CRITICAL
CVE-2024-38474
>= 2.4.0 and < 2.4.60
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in director
9.8CRITICAL
CVE-2024-38473
>= 2.4.0 and < 2.4.60
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to b
8.1HIGH
CVE-2024-38472
>= 2.4.0 and < 2.4.60
SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious request
7.5HIGH
CVE-2024-36387
>= 2.4.55 and <= 2.4.59
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the
5.4MEDIUM
CVE-2024-34693
< 3.1.3
Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection wi
6.8MEDIUM
CVE-2024-25142
< 2.9.2
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Contro
5.5MEDIUM
CVE-2024-32077
all versions
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task inst
5.4MEDIUM
CVE-2024-28148
< 4.0.0
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted
4.3MEDIUM
CVE-2024-32114
>= 6.0.0 and < 6.1.2
In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Messa
8.5HIGH
CVE-2024-31869
>= 2.7.0 and < 2.9.0
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuratio
4.3MEDIUM
CVE-2024-31309
>= 8.0.0 and < 8.1.10
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 thro
7.5HIGH
CVE-2024-27316
>= 2.4.17 and < 2.4.59
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 respo
7.5HIGH
CVE-2024-24795
>= 2.4.0 and < 2.4.59
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers in
6.3MEDIUM
CVE-2023-38709
< 2.4.59
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.
7.3HIGH
CVE-2024-29735
>= 2.8.2 and <= 2.8.4
Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3.
5.3MEDIUM
CVE-2024-28746
>= 2.8.0 and < 2.8.3
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to ac
8.1HIGH
CVE-2024-24549
>= 8.5.0 and < 8.5.99
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 r
7.5HIGH
CVE-2024-23672
>= 8.5.0 and < 8.5.99
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket c
6.3MEDIUM
CVE-2024-26280
< 2.8.2
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information
4.7MEDIUM
CVE-2024-27906
< 2.8.2
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of D
5.9MEDIUM
CVE-2024-26016
< 3.0.4
A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its
4.3MEDIUM
CVE-2024-24779
<= 3.0.4
Apache Superset with custom roles that include can write on dataset and without all data access permissions, allows for users to
5.0MEDIUM
CVE-2024-24773
< 3.0.4
Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. Thi
4.9MEDIUM
CVE-2024-24772
< 3.0.4
A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the u
4.3MEDIUM
CVE-2024-27315
< 3.0.4
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL
4.3MEDIUM
CVE-2024-23952
< 2.1.3
This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset. Uncontrolled resource cons
6.5MEDIUM
CVE-2023-51702
>= 2.3.0 and < 2.6.1
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow w
6.5MEDIUM
CVE-2023-50944
< 2.8.1
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG t
6.5MEDIUM
CVE-2023-50943
< 2.8.1
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing
7.5HIGH
CVE-2023-49657
< 3.0.3
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/u
9.6CRITICAL
CVE-2024-21733
>= 8.5.7 and < 8.5.64
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from
5.3MEDIUM
CVE-2023-47804
< 4.1.15
Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined
8.8HIGH
CVE-2023-50783
< 2.8.0
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit
6.5MEDIUM
CVE-2023-49920
>= 2.7.0 and <= 2.7.3
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without
6.5MEDIUM
CVE-2023-48291
< 2.8.0
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited acces
4.3MEDIUM
CVE-2023-47265
>= 2.6.0 and <= 2.7.3
Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-s
5.4MEDIUM
CVE-2023-49736
< 2.1.2
A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL inj
6.5MEDIUM
CVE-2023-49734
< 2.1.2
An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one o
7.7HIGH
CVE-2023-46104
< 2.1.3
Uncontrolled resource consumption can be triggered by an authenticated attacker that uploads a malicious ZIP to import database, dash
6.5MEDIUM
CVE-2023-50164
>= 2.0.0 and < 2.5.33
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a
9.8CRITICAL
CVE-2023-41835
>= 2.0.0 and < 2.5.32
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in s
7.5HIGH
CVE-2023-42504
< 3.0.0
An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading t
5.8MEDIUM
CVE-2023-42505
< 3.0.0
An authenticated user with read permissions on database connections metadata could potentially access sensitive information such a
4.3MEDIUM
CVE-2023-42502
< 3.0.0
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Ho
4.8MEDIUM
CVE-2023-46589
>= 8.5.0 and < 8.5.96
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15,
7.5HIGH
CVE-2022-41678
< 5.16.6
Once a user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In detail, in ActiveMQ configur
8.8HIGH
CVE-2023-43701
< 2.1.2
Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store
4.3MEDIUM
CVE-2023-42501
< 2.1.1
Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotation
4.3MEDIUM
CVE-2023-40610
< 2.1.2
Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default ex
6.3MEDIUM
CVE-2023-47037
< 2.7.3
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.
4.3MEDIUM
CVE-2023-42781
< 2.7.3
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs onl
6.5MEDIUM
CVE-2023-46215
>= 1.10.0 and < 2.7.0
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive infor
7.5HIGH
CVE-2023-46604
< 5.15.16
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with
10.0CRITICAL
CVE-2023-46288
>= 2.4.0 and < 2.7.0
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This issue affects Apache Airflow from
4.3MEDIUM
CVE-2023-45802
>= 2.4.17 and < 2.4.58
When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not recla
5.9MEDIUM
CVE-2023-43622
>= 2.4.55 and < 2.4.58
An attacker, opening an HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinit
7.5HIGH
CVE-2023-31122
< 2.4.58
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.
7.5HIGH
CVE-2023-41752
>= 8.0.0 and < 8.1.9
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server. This issue affects Apache Traffi
7.5HIGH
CVE-2023-39456
>= 9.0.0 and < 9.2.3
Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Se
7.5HIGH
CVE-2023-45348
>= 2.7.0 and < 2.7.2
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive c
4.3MEDIUM
CVE-2023-42792
< 2.7.2
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited acces
6.5MEDIUM
CVE-2023-42780
< 2.7.2
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warn
6.5MEDIUM
CVE-2023-42663
< 2.7.2
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs onl
6.5MEDIUM
CVE-2023-45648
>= 8.5.0 and < 8.5.94
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13
5.3MEDIUM
CVE-2023-42795
>= 8.5.0 and < 8.5.94
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through
5.3MEDIUM
CVE-2023-42794
>= 8.5.85 and < 8.5.94
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 thr
5.9MEDIUM
CVE-2023-44487
>= 8.5.0 and <= 8.5.93
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q
7.5HIGH
CVE-2023-40712
< 2.7.1
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the
6.5MEDIUM
CVE-2023-40611
< 2.7.3
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to
4.3MEDIUM
CVE-2023-39265
<= 2.1.0
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver
3.8LOW
CVE-2023-37941
>= 1.5.0 and <= 2.1.0
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python objec
6.6MEDIUM
CVE-2023-32672
<= 2.1.0
An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an aut
4.3MEDIUM
CVE-2023-39264
<= 2.1.0
By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users
4.3MEDIUM
CVE-2023-36388
<= 2.1.0
Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network
4.3MEDIUM
CVE-2023-36387
<= 2.1.0
An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated G
5.4MEDIUM
CVE-2023-27526
<= 2.1.0
A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and in
4.3MEDIUM
CVE-2023-27523
<= 2.1.0
Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authentic
5.0MEDIUM
CVE-2023-41080
>= 8.5.0 and <= 8.5.92
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects
6.1MEDIUM
CVE-2023-40273
<= 2.7.0
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password
8.0HIGH
CVE-2023-39441
< 2.7.0
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affecte
5.9MEDIUM
CVE-2023-37379
< 2.7.0
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user posse
8.1HIGH
CVE-2023-33934
>= 8.0.0 and <= 8.1.7
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Serv
9.1CRITICAL
CVE-2022-47185
>= 8.0.0 and <= 8.1.7
Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server. This issue affects
7.5HIGH
CVE-2023-39508
< 2.6.0
Execution with Unnecessary Privileges; Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Softwa
8.8HIGH
CVE-2023-36543
< 2.6.3
Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current r
6.5MEDIUM
CVE-2023-35908
< 2.6.3
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the UR
6.5MEDIUM
CVE-2023-22888
< 2.6.3
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by man
6.5MEDIUM
CVE-2023-22887
< 2.6.3
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access
6.5MEDIUM
CVE-2022-46651
< 2.6.3
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitiv
6.5MEDIUM
CVE-2023-34981
all versions
A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not incl
7.5HIGH
CVE-2023-35005
>= 2.5.0 and < 2.6.2
In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mi
6.5MEDIUM
CVE-2023-34396
< 2.5.31
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects
4.3MEDIUM
CVE-2023-34149
< 2.5.31
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects
4.3MEDIUM
CVE-2023-33933
>= 8.0.0 and < 8.1.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server. This
7.5HIGH
CVE-2023-30631
>= 8.0.0 and < 8.1.7
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.con
7.5HIGH
CVE-2022-47184
>= 8.0.0 and < 8.1.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server. This
7.5HIGH
CVE-2023-28709
>= 8.5.85 and <= 8.5.87
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85
7.5HIGH
CVE-2023-25754
< 2.6.0
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: be
9.8CRITICAL
CVE-2023-29247
< 2.6.0
Task instance details page in the UI is vulnerable to a stored XSS. This issue affects Apache Airflow: before 2.6.0.
5.4MEDIUM
CVE-2023-30776
>= 1.3.0 and <= 2.0.1
An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific R
4.9MEDIUM
CVE-2023-27524
<= 2.0.1
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default
8.9HIGH
CVE-2023-27525
<= 2.0.1
An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache
3.1LOW
CVE-2023-25504
<= 2.0.1
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset featur
4.9MEDIUM
CVE-2022-47502
<= 4.1.13
Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined
7.8HIGH
CVE-2022-38745
< 4.1.14
Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbi
7.8HIGH
CVE-2023-28708
>= 8.5.0 and < 8.5.86
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header
4.3MEDIUM
CVE-2023-25695
< 2.5.2
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue
5.3MEDIUM
CVE-2023-27522
>= 2.4.30 and < 2.4.56
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.3
7.5HIGH
CVE-2023-25690
>= 2.4.0 and <= 2.4.55
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Confi
9.8CRITICAL
CVE-2023-22884
< 2.5.1
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Ap
9.8CRITICAL
CVE-2022-37436
< 2.4.55
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some he
5.3MEDIUM
CVE-2022-36760
>= 2.4.0 and < 2.4.55
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allow
9.0CRITICAL
CVE-2006-20001
< 2.4.55
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location b
7.5HIGH
CVE-2022-45438
<= 1.5.2
When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to
5.3MEDIUM
CVE-2022-43721
<= 1.5.2
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirec
5.4MEDIUM
CVE-2022-43720
<= 1.5.2
An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get proper
5.4MEDIUM
CVE-2022-43719
<= 1.5.2
Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apa
8.8HIGH
CVE-2022-43718
<= 1.5.2
Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated
5.4MEDIUM
CVE-2022-43717
<= 1.5.2
Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that
5.4MEDIUM
CVE-2022-41703
<= 1.5.2
A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific databa
5.4MEDIUM
CVE-2022-45143
>= 9.0.40 and < 9.0.69
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or des
7.5HIGH
CVE-2022-40743
>= 8.0.0 and <= 8.1.5
Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cros
6.1MEDIUM
CVE-2022-37392
>= 8.0.0 and < 8.1.6
Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue
5.3MEDIUM
CVE-2022-32749
>= 8.0.0 and < 8.1.6
Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker t
7.5HIGH
CVE-2022-41131
< 2.3.0
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Pr
7.8HIGH
CVE-2022-40954
< 2.3.0
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark P
5.5MEDIUM
CVE-2022-40189
< 2.3.0
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Pro
9.8CRITICAL
CVE-2022-38649
< 2.3.0
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot P
9.8CRITICAL
CVE-2022-45402
< 2.4.3
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's /login endpoint.
6.1MEDIUM
CVE-2022-40127
< 2.4.0
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary com
8.8HIGH
CVE-2022-27949
< 2.3.1
A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which we
7.5HIGH
CVE-2022-43985
< 2.4.2
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's /confirm endpoint.
6.1MEDIUM
CVE-2022-43982
< 2.4.2
In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the origin qu
6.1MEDIUM
CVE-2022-42252
>= 8.5.0 and < 8.5.83
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid
7.5HIGH
CVE-2022-41672
<= 2.4.1
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to c
8.1HIGH
CVE-2021-43980
>= 8.5.0 and <= 8.5.77
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards expose
3.7LOW
CVE-2022-40754
>= 2.3.0 and <= 2.3.4
In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's /confirm endpoint.
6.1MEDIUM
CVE-2022-40604
>= 2.3.0 and <= 2.3.4
In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.
7.5HIGH
CVE-2022-38170
< 2.3.4
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon
4.7MEDIUM
CVE-2022-38054
>= 2.2.4 and <= 2.3.3
In Apache Airflow versions 2.2.4 through 2.3.3, the database webserver session backend was susceptible to session fixation.
9.8CRITICAL
CVE-2022-37401
< 4.1.13
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords
8.8HIGH
CVE-2022-37400
< 4.1.13
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords
8.8HIGH
CVE-2022-31780
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests.
7.5HIGH
CVE-2022-31779
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests.
7.5HIGH
CVE-2022-31778
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to po
7.5HIGH
CVE-2022-28129
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid hea
7.5HIGH
CVE-2022-25763
>= 8.0.0 and < 8.1.5
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle
7.5HIGH
CVE-2021-37150
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources.
7.5HIGH
CVE-2021-37839
<= 1.5.1
Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permis
4.3MEDIUM
CVE-2022-34305
>= 8.5.50 and <= 8.5.81
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication exam
6.1MEDIUM
CVE-2022-31813
< 2.4.54
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection
9.8CRITICAL
CVE-2022-30556
< 2.4.54
Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage
7.5HIGH
CVE-2022-30522
all versions
If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very l
7.5HIGH
CVE-2022-29404
<= 2.4.53
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of serv
7.5HIGH
CVE-2022-28615
< 2.4.54
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when prov
9.1CRITICAL
CVE-2022-28614
<= 2.4.53
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server t
5.3MEDIUM
CVE-2022-28330
<= 2.4.53
Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi mod
5.3MEDIUM
CVE-2022-26377
>= 2.4.0 and < 2.4.54
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allow
7.5HIGH
CVE-2022-25762
>= 8.5.0 and < 8.5.76
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.
8.6HIGH
CVE-2022-29885
>= 8.5.38 and <= 8.5.78
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the En
7.5HIGH
CVE-2022-27479
< 1.4.2
Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which a
9.8CRITICAL
CVE-2021-31805
>= 2.0.0 and <= 2.5.29
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes coul
9.8CRITICAL
CVE-2021-44759
>= 8.0.0 and <= 8.1.0
Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the
8.1HIGH
CVE-2021-44040
>= 8.0.0 and <= 8.1.3
Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid reques
7.5HIGH
CVE-2022-23943
>= 2.4.0 and < 2.4.53
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attac
9.8CRITICAL
CVE-2022-22721
<= 2.4.52
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow hap
9.1CRITICAL
CVE-2022-22720
<= 2.4.52
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, e
9.8CRITICAL
CVE-2022-22719
<= 2.4.52
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affec
7.5HIGH
CVE-2022-24288
< 2.2.4
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptib
8.8HIGH
CVE-2021-45229
<= 2.2.3
It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the origin query argument. This i
6.1MEDIUM
CVE-2021-44451
<= 1.3.2
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This
6.5MEDIUM
CVE-2022-23181
>= 8.5.55 and <= 8.5.73
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.
7.0HIGH
CVE-2021-45230
>= 1.10.0 and <= 1.10.15
In Apache Airflow prior to 2.2.0, this CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs ca
6.5MEDIUM
CVE-2021-44790
< 2.4.52
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua script
9.8CRITICAL
CVE-2021-44224
>= 2.4.7 and < 2.4.52
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for
8.2HIGH
CVE-2021-42250
< 1.3.2
Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log e
6.5MEDIUM
CVE-2021-41972
<= 1.3.1
Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information
6.5MEDIUM
CVE-2021-43082
>= 8.0.0 and <= 8.1.2
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traff
9.8CRITICAL
CVE-2021-41585
>= 8.0.0 and <= 8.1.2
Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the se
7.5HIGH
CVE-2021-38161
>= 8.0.0 and <= 8.0.8
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. Th
8.1HIGH
CVE-2021-37149
>= 8.0.0 and <= 8.1.2
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This is
7.5HIGH
CVE-2021-37148
>= 8.0.0 and <= 8.1.2
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This is
7.5HIGH
CVE-2021-37147
>= 8.0.0 and <= 8.1.2
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This is
7.5HIGH
CVE-2021-41971
<= 1.3.0
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL inj
8.8HIGH
CVE-2021-32609
<= 1.1
Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explo
5.4MEDIUM
CVE-2021-42340
>= 8.5.60 and < 8.5.72
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71
7.5HIGH
CVE-2021-41832
< 4.1.11
It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffi
7.5HIGH
CVE-2021-41831
< 4.1.11
It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are
5.3MEDIUM
CVE-2021-41830
< 4.1.11
It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. All versions of
7.5HIGH
CVE-2021-42013
all versions
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal
9.8CRITICAL
CVE-2021-40439
<= 4.1.10
Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340, a "Billion Laughs" ent
6.5MEDIUM
CVE-2021-28129
all versions
While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used
7.8HIGH
CVE-2021-41773
all versions
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attac
9.8CRITICAL
CVE-2021-41524
all versions
While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external
7.5HIGH
CVE-2021-33035
<= 4.1.10
Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in
7.8HIGH
CVE-2021-41079
>= 8.5.0 and < 8.5.64
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tom
7.5HIGH
CVE-2021-40438
<= 2.4.48
A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue a
9.0CRITICAL
CVE-2021-39275
< 2.4.49
ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to the
9.8CRITICAL
CVE-2021-36160
>= 2.4.30 and < 2.4.49
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affe
7.5HIGH
CVE-2021-34798
<= 2.4.48
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.
7.5HIGH
CVE-2021-38540
>= 2.0.0 and < 2.1.3
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to
9.8CRITICAL
CVE-2021-35936
< 2.1.2
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a F
5.3MEDIUM
CVE-2021-33193
>= 2.4.17 and < 2.4.49
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or
7.5HIGH
CVE-2021-33037
>= 8.5.0 and <= 8.5.66
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding reque
5.3MEDIUM
CVE-2021-30640
>= 7.0.0 and < 7.0.109
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or
6.5MEDIUM
CVE-2021-30639
all versions
A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a chan
7.5HIGH
CVE-2021-35474
>= 7.0.0 and <= 7.1.12
Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.
9.8CRITICAL
CVE-2021-32567
>= 7.0.0 and <= 7.1.12
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affect
7.5HIGH
CVE-2021-32566
>= 7.0.0 and <= 7.1.12
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affect
7.5HIGH
CVE-2021-32565
>= 7.0.0 and <= 7.1.12
Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affec
7.5HIGH
CVE-2021-27577
>= 7.0.0 and <= 7.1.12
Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affec
7.5HIGH
CVE-2021-31618
all versions
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as config
7.5HIGH
CVE-2021-30641
>= 2.4.39 and <= 2.4.46
Apache HTTP Server versions 2.4.39 to 2.4.46: unexpected matching behavior with 'MergeSlashes OFF'
5.3MEDIUM
CVE-2021-26691
>= 2.4.0 and <= 2.4.46
In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overf
9.8CRITICAL
CVE-2021-26690
>= 2.4.0 and <= 2.4.46
Apache HTTP Server versions 2.4.0 to 2.4.46: A specially crafted Cookie header handled by mod_session can cause a NULL pointer dere
7.5HIGH
CVE-2020-35452
>= 2.4.0 and <= 2.4.46
Apache HTTP Server versions 2.4.0 to 2.4.46: A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There
7.3HIGH
CVE-2020-13950
>= 2.4.41 and <= 2.4.46
Apache HTTP Server versions 2.4.41 to 2.4.46: mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted
7.5HIGH
CVE-2020-13938
>= 2.4.0 and <= 2.4.46
Apache HTTP Server versions 2.4.0 to 2.4.46: Unprivileged local users can stop httpd on Windows
5.5MEDIUM
CVE-2019-17567
>= 2.4.6 and <= 2.4.46
Apache HTTP Server versions 2.4.6 to 2.4.46: mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the origin
5.3MEDIUM
CVE-2021-29621
all versions
Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilde
5.3MEDIUM
CVE-2021-27737
all versions
Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
7.5HIGH
CVE-2021-28359
>= 1.0.0 and < 1.10.15
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Ai
6.1MEDIUM
CVE-2021-28125
<= 1.0.1
Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking use
6.1MEDIUM
CVE-2021-30245
<= 4.1.8
The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem ha
8.8HIGH
CVE-2021-21351
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability m
5.4MEDIUM
CVE-2021-21350
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3MEDIUM
CVE-2021-21349
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
6.1MEDIUM
CVE-2021-21348
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3MEDIUM
CVE-2021-21347
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
6.1MEDIUM
CVE-2021-21346
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
6.1MEDIUM
CVE-2021-21345
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.8MEDIUM
CVE-2021-21344
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3MEDIUM
CVE-2021-21343
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3MEDIUM
CVE-2021-21342
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3MEDIUM
CVE-2021-21341
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability whi
7.5HIGH
CVE-2021-27907
<= 0.38.0
Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's
5.4MEDIUM
CVE-2021-25329
>= 7.0.0 and <= 7.0.107
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0
7.0HIGH
CVE-2021-25122
>= 8.5.0 and <= 8.5.61
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61
7.5HIGH
CVE-2021-26697
all versions
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthe
5.3MEDIUM
CVE-2021-26559
all versions
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to g
6.5MEDIUM
CVE-2020-13947
< 5.15.14
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the me
6.1MEDIUM
CVE-2021-26117
>= 5.15.0 and < 5.15.14
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache Act
7.5HIGH
CVE-2021-24122
>= 7.0.0 and <= 7.0.106
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1
5.9MEDIUM
CVE-2020-17509
>= 6.0.0 and <= 6.2.3
ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable th
7.5HIGH
CVE-2020-17508
>= 6.0.0 and <= 6.2.3
The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server vers
7.5HIGH
CVE-2020-17526
< 1.10.14
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow
7.7HIGH
CVE-2020-26259
< 6.0.0
XStream is a Java library to serialize objects to XML and back again. XStream before version 1.4.15 is vulnerable to an Arbitr
6.8MEDIUM
CVE-2020-26258
< 6.0.0
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Requ
6.3MEDIUM
CVE-2020-17513
< 1.10.13
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF
5.3MEDIUM
CVE-2020-17511
< 1.10.13
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log ta
6.5MEDIUM
CVE-2020-17515
< 1.10.15
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Ai
6.1MEDIUM
CVE-2020-17530
>= 2.0.0 and < 2.5.30
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software :
9.8CRITICAL
CVE-2020-17527
>= 8.5.1 and <= 8.5.59
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59
7.5HIGH
CVE-2020-13958
>= 4.0.0 and < 4.1.8
A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to
7.8HIGH
CVE-2020-26217
< 5.15.14
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrar
8.0HIGH
CVE-2020-13927
< 1.10.11
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses s
9.8CRITICAL
CVE-2020-13943
all versions
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed
4.3MEDIUM
CVE-2020-13952
< 0.37.2
In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Prest
8.1HIGH
CVE-2020-13944
< 1.10.15
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
6.1MEDIUM
CVE-2020-13948
< 0.37.1
While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a numbe
8.8HIGH
CVE-2019-0233
>= 2.0.0 and <= 2.5.20
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
7.5HIGH
CVE-2019-0230
>= 2.0.0 and <= 2.5.20
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remot
9.8CRITICAL
CVE-2020-13920
< 5.15.12
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It
5.9MEDIUM
CVE-2020-11998
all versions
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer,
9.8CRITICAL
CVE-2020-9490
>= 2.4.20 and < 2.4.46
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would re
7.5HIGH
CVE-2020-11993
>= 2.4.20 and < 2.4.44
Apache HTTP Server versions 2.4.20 to 2.4.43: When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patter
7.5HIGH
CVE-2020-11985
>= 2.4.1 and <= 2.4.23
IP address spoofing when proxying using mod_remoteip and mod_rewrite. For configurations using proxying with mod_remoteip and certa
5.3MEDIUM
CVE-2020-11984
>= 2.4.32 and <= 2.4.43
Apache HTTP Server 2.4.32 to 2.4.44: mod_proxy_uwsgi info disclosure and possible RCE
9.8CRITICAL
CVE-2020-9485
<= 1.10.10
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of t
6.1MEDIUM
CVE-2020-11983
<= 1.10.10
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in th
5.4MEDIUM
CVE-2020-11982
<= 1.10.10
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker
9.8CRITICAL
CVE-2020-11981
<= 1.10.10
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the brok
9.8CRITICAL
CVE-2020-11978
< 1.10.11
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in o
8.8HIGH
CVE-2020-13935
>= 7.0.27 and <= 7.0.104
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8
7.5HIGH
CVE-2020-13934
>= 8.5.1 and <= 8.5.56
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/
7.5HIGH
CVE-2020-8022
< 8.0.53-29.32.1
An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Serve
7.7HIGH
CVE-2020-11996
>= 8.5.0 and <= 8.5.55
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.
7.5HIGH
CVE-2020-9494
>= 6.0.0 and <= 6.2.3
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames
7.5HIGH
CVE-2020-9484
>= 7.0.0 and < 7.0.108
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attack
7.0HIGH
CVE-2020-1941
>= 5.0.0 and <= 5.15.11
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.
6.1MEDIUM
CVE-2020-9481
>= 6.0.0 and <= 6.2.3
Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.
7.5HIGH
CVE-2020-1927
>= 2.4.0 and <= 2.4.41
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fo
6.1MEDIUM
CVE-2020-1934
>= 2.4.0 and <= 2.4.41
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
5.3MEDIUM
CVE-2020-1944
>= 6.0.0 and <= 6.2.3
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and T
9.8CRITICAL
CVE-2019-17565
>= 6.0.0 and <= 6.2.3
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and c
9.8CRITICAL
CVE-2019-17559
>= 6.0.0 and <= 6.2.3
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and s
9.8CRITICAL
CVE-2015-2992
>= 2.0.0 and < 2.3.20
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
6.1MEDIUM
CVE-2020-1938
>= 7.0.0 and < 7.0.100
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats
9.8CRITICAL
CVE-2020-1935
>= 7.0.0 and <= 7.0.99
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-l
4.8MEDIUM
CVE-2019-17569
>= 7.0.98 and <= 7.0.99
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The resu
4.8MEDIUM
CVE-2020-1932
all versions
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset use
6.5MEDIUM
CVE-2019-12398
< 1.10.5
In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the
4.8MEDIUM
CVE-2019-12418
>= 7.0.0 and <= 7.0.97
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a l
7.0HIGH
CVE-2019-17563
>= 7.0.0 and <= 7.0.98
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow windo
7.5HIGH
CVE-2012-5639
all versions
LibreOffice and OpenOffice automatically open embedded content
6.5MEDIUM
CVE-2019-12414
< 0.32
In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab
5.3MEDIUM
CVE-2019-12413
< 0.31
In Apache Incubator Superset before 0.31 user could query database metadata information from a database he has no access to, by us
5.3MEDIUM
CVE-2012-1592
all versions
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user uploa
8.8HIGH
CVE-2011-2177
all versions
OpenOffice.org v3.3 allows execution of arbitrary code with the privileges of the user running the OpenOffice.org suite tools.
7.8HIGH
CVE-2011-3923
>= 2.0.0 and < 2.3.1.2
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute
9.8CRITICAL
CVE-2019-12417
<= 1.10.5
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain
4.8MEDIUM
CVE-2019-10079
< 7.1.7
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the nu
7.5HIGH
CVE-2019-10097
all versions
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY"
7.2HIGH
CVE-2019-10092
>= 2.4.0 and <= 2.4.39
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attac
6.1MEDIUM
CVE-2019-10082
>= 2.4.18 and <= 2.4.39
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after be
9.1CRITICAL
CVE-2019-10098
>= 2.4.0 and <= 2.4.39
In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fo
6.1MEDIUM
CVE-2019-10081
>= 2.4.20 and <= 2.4.39
HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memo
7.5HIGH
CVE-2019-9518
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker se
7.5HIGH
CVE-2019-9517
>= 2.4.20 and < 2.4.40
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. Th
7.5HIGH
CVE-2019-9516
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stre
6.5MEDIUM
CVE-2019-9515
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a s
7.5HIGH
CVE-2019-9514
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a numb
7.5HIGH
CVE-2019-9513
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates mul
7.5HIGH
CVE-2019-9512
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continua
7.5HIGH
CVE-2019-9511
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading
7.5HIGH
CVE-2015-7559
< 5.14.5
It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An a
2.7LOW
CVE-2019-10072
>= 8.5.0 and <= 8.5.40
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat version
7.5HIGH
CVE-2019-0197
>= 2.4.34 and <= 2.4.38
A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enable
4.2MEDIUM
CVE-2019-0196
>= 2.4.17 and <= 2.4.38
A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be
5.3MEDIUM
CVE-2019-0220
>= 2.4.0 and <= 2.4.38
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consec
5.3MEDIUM
CVE-2019-0221
>= 7.0.0 and <= 7.0.93
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data with
6.1MEDIUM
CVE-2019-0201
all versions
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t ch
5.9MEDIUM
CVE-2013-7285
all versions
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attack
9.8CRITICAL
CVE-2019-2684
>= 7.0.0 and <= 7.0.97
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affect
5.9MEDIUM
CVE-2019-10241
all versions
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a
6.1MEDIUM
CVE-2019-0232
>= 7.0.0 and <= 7.0.93
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39
8.1HIGH
CVE-2019-0229
<= 1.10.2
A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable t
8.8HIGH
CVE-2019-0216
<= 1.10.2
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain
4.8MEDIUM
CVE-2019-0199
>= 8.5.0 and <= 8.5.37
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTI
7.5HIGH
CVE-2019-0211
>= 2.4.17 and <= 2.4.38
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child pr
7.8HIGH
CVE-2019-0217
>= 2.4.0 and <= 2.4.38
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could al
7.5HIGH
CVE-2019-0215
all versions
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification wit
7.5HIGH
CVE-2019-0222
>= 5.0.0 and <= 5.15.8
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unrespons
7.5HIGH
CVE-2018-11783
>= 6.0.0 and <= 6.0.3
sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of t
7.5HIGH
CVE-2018-20244
< 1.10.2
In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execut
5.5MEDIUM
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin