cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-22828,https://securityvulnerability.io/vulnerability/CVE-2025-22828,Access Control Issue in Apache CloudStack Affects User Comments,"An access validation flaw in Apache CloudStack allows users to add and read comments on resources they are authorized to access. This issue affects versions starting from 4.16.0, and attackers with username and access privileges, as well as knowledge of resource UUIDs, can exploit it. While it's difficult to enumerate resource UUIDs, the potential risk lies in the confidentiality of information stored within comments. The ability to insert or read annotations could lead to unauthorized exposure of sensitive data. Administrators are advised to restrict API access for non-admin roles as a precautionary measure.",Apache,Apache Cloudstack,,,0.0004299999854993075,false,,false,false,true,2025-01-31T04:26:38.000Z,true,false,false,,2025-01-13T12:47:51.619Z,65
CVE-2024-56337,https://securityvulnerability.io/vulnerability/CVE-2024-56337,Race Condition Vulnerability in Apache Tomcat Affects Multiple Versions,"CVE-2024-56337 is a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability affecting Apache Tomcat across several versions. The vulnerability arises when Tomcat is run on a case-insensitive file system with the default servlet write capability enabled. Users may be exposed if they do not properly configure their systems as the initial workaround for CVE-2024-50379 was insufficient. Specifically, additional configuration is vital for systems utilizing Java 8 or Java 11, where the system property 'sun.io.useCanonCaches' needs to be set to false. For Java 17, the same property, if originally set, must also be false, while Tomcat versions 11.0.3, 10.1.35, and 9.0.99 and higher will check this setting before allowing default servlet write access on case-insensitive file systems, automatically applying the appropriate configurations where applicable.",Apache,Apache Tomcat,9.8,CRITICAL,0.0004299999854993075,false,,true,false,true,2025-01-27T16:33:56.000Z,,true,true,2024-12-26T02:52:02.176Z,2024-12-20T16:15:00.000Z,6396
CVE-2024-56512,https://securityvulnerability.io/vulnerability/CVE-2024-56512,Authorization Flaw in Apache NiFi Affecting Parameter Contexts and Controller Services,"A security flaw exists in Apache NiFi versions 1.10.0 through 2.0.0 related to the lack of fine-grained authorization checks for Parameter Contexts, Controller Services, and Parameter Providers during the creation of new Process Groups. When a Process Group is created that does not reference any Parameter values, the framework fails to validate user authorization for the associated Parameter Context, allowing unauthorized access to non-sensitive Parameter values. Furthermore, when referencing existing Controller Services or Parameter Providers, the system does not check user authorization, which could permit unauthorized users to create Process Groups that leverage these components. It is important to note that this issue affects deployments setup with component-based authorization policies and is limited to users who are already authenticated and authorized to initiate the creation of Process Groups. The recommended action is to upgrade to Apache NiFi version 2.1.0, which addresses these authorization issues.",Apache Software Foundation,,,,0.0005300000193528831,false,,false,false,true,2025-01-07T02:35:33.000Z,true,false,false,,2024-12-28T17:15:00.000Z,696
CVE-2024-45387,https://securityvulnerability.io/vulnerability/CVE-2024-45387,SQL Injection Vulnerability in Apache Traffic Control,"A vulnerability exists in Traffic Ops of Apache Traffic Control that allows a privileged user with roles such as 'admin', 'federation', 'operations', 'portal', or 'steering' to perform SQL injection attacks. By crafting a specially-designed PUT request, these users can execute arbitrary SQL commands against the database, potentially compromising data integrity and confidentiality. It is essential for users operating susceptible versions of Apache Traffic Control to upgrade to version 8.0.2 to mitigate this risk effectively.",Apache,Apache Traffic Control,9.9,CRITICAL,0.0004299999854993075,false,,true,true,true,2024-12-25T09:18:55.000Z,,true,false,,2024-12-23T15:30:13.873Z,2874
CVE-2024-50379,https://securityvulnerability.io/vulnerability/CVE-2024-50379,Race Condition Vulnerability in Apache Tomcat Leading to Remote Code Execution,"The vulnerability allows an attacker to potentially execute arbitrary code on systems running Apache Tomcat, specifically when the default servlet is enabled for write access, and the system is utilizing case insensitive file systems. This occurs due to a timing issue during JSP compilation, which results in a time-of-check time-of-use (TOCTOU) race condition. The affected versions include Apache Tomcat from 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97. To mitigate this vulnerability, it is crucial for users to upgrade to the patched versions: 11.0.2, 10.1.34, or 9.0.98.",Apache,Apache Tomcat,9.8,CRITICAL,0.0004299999854993075,false,,true,false,true,2024-12-20T14:24:10.000Z,true,true,true,2024-12-24T00:52:01.825Z,2024-12-17T13:15:00.000Z,9063
CVE-2024-40725,https://securityvulnerability.io/vulnerability/CVE-2024-40725,"Partial Fix for Content-Type Based Configuration Ignores Use of Legacy Handlers, Leading to Source Code Disclosure","A vulnerability has been identified in Apache HTTP Server version 2.4.61, stemming from a partial fix of a prior vulnerability. This issue arises from improper handling of legacy content-type configuration, specifically with directives like 'AddType'. When certain files are requested indirectly, this misconfiguration can lead to unintended disclosure of source code, including PHP scripts, instead of executing them as intended. It is advisable for users to upgrade to version 2.4.62 to mitigate this potential risk.",Apache,Apache Http Server,5.3,MEDIUM,0.0008800000068731606,false,,true,false,true,2024-12-19T00:09:38.000Z,true,true,true,2024-07-23T11:23:09.225Z,2024-07-18T09:32:43.929Z,5589
CVE-2023-50780,https://securityvulnerability.io/vulnerability/CVE-2023-50780,Arbitrary File Write Vulnerability in ActiveMQ Artemis Could Lead to RCE,"The vulnerability in Apache ActiveMQ Artemis originates from the unauthorized exposure of diagnostic information and control mechanisms through MBeans, particularly accessible via the authenticated Jolokia endpoint. Prior to version 2.29.0, the Log4J2 MBean was also part of this exposure, which is not intended for non-administrative user access. An authenticated attacker can leverage this situation to write arbitrary files to the filesystem, paving the way for potential remote code execution. It is strongly recommended that users upgrade to version 2.29.0 or later to mitigate this risk.",Apache,Apache ActiveMQ Artemis,8.8,HIGH,0.0006500000017695129,false,,false,false,true,2024-12-18T07:07:24.000Z,true,false,false,,2024-10-14T16:03:38.321Z,0
CVE-2024-38475,https://securityvulnerability.io/vulnerability/CVE-2024-38475,Code Execution or Source Code Disclosure Vulnerability in Apache HTTP Server's mod_rewrite,"Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. 

Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag ""UnsafePrefixStat"" can be used to opt back in once ensuring the substitution is appropriately constrained.",Apache,Apache Http Server,,,0.0004299999854993075,false,,false,false,true,2024-12-12T19:23:32.000Z,true,false,false,,2024-07-01T18:15:12.292Z,0
CVE-2024-53677,https://securityvulnerability.io/vulnerability/CVE-2024-53677,Flawed File Upload Logic in Apache Struts Exposes Vulnerability,"A security flaw in the file upload mechanism of Apache Struts could allow an attacker to exploit file upload parameters. This vulnerability enables path traversal, leading to the possibility of uploading a malicious file that can facilitate remote code execution. To mitigate risks, users should upgrade to version 6.4.0 or later and adopt the new file upload mechanism provided by Apache Struts. Applications utilizing older file upload logic through FileuploadInterceptor remain vulnerable; however, those that don't use this outdated method are not affected.",Apache,Apache Struts,,,0.0004299999854993075,false,,true,true,true,2024-12-12T03:15:03.000Z,true,true,true,2024-12-21T05:52:01.776Z,2024-12-11T16:15:00.000Z,6995
CVE-2024-24549,https://securityvulnerability.io/vulnerability/CVE-2024-24549,Apache Tomcat Denial of Service Vulnerability Affects Multiple Versions,"Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

",Apache,Apache Tomcat,,,0.00044999999227002263,false,,false,false,true,2024-12-09T13:59:07.000Z,true,false,false,,2024-03-13T15:46:53.085Z,0
CVE-2024-52318,https://securityvulnerability.io/vulnerability/CVE-2024-52318,Incorrect Object Recycling and Reuse Vulnerability in Apache Tomcat,"Incorrect object recycling and reuse vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96.

Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.",Apache,Apache Tomcat,6.1,MEDIUM,0.0004299999854993075,false,,false,false,true,2024-11-21T15:38:48.000Z,true,false,false,,2024-11-18T13:15:00.000Z,0
CVE-2024-52317,https://securityvulnerability.io/vulnerability/CVE-2024-52317,Incorrect Object Recycling Vulnerability Affects Apache Tomcat Versions,"Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests 
could lead to request and/or response mix-up between users.

This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.",Apache,Apache Tomcat,6.5,MEDIUM,0.0004299999854993075,false,,false,false,true,2024-11-21T15:20:42.000Z,true,false,false,,2024-11-18T12:15:00.000Z,0
CVE-2024-52316,https://securityvulnerability.io/vulnerability/CVE-2024-52316,Unchecked Error Condition Vulnerability Affects Apache Tomcat,"This vulnerability within Apache Tomcat arises from the potential for authentication bypass when a custom Jakarta Authentication ServerAuthContext encounters an exception. If this exception occurs without a corresponding HTTP status indicating failure, the system may erroneously allow the user to pass through authentication checks. Currently, there are no known Jakarta Authentication components that exhibit such behavior, highlighting the importance of proper configuration to prevent unauthorized access. Users of affected versions are strongly advised to upgrade to the latest secure releases to mitigate this risk.",Apache,Apache Tomcat,9.8,CRITICAL,0.0004299999854993075,false,,false,false,true,2024-11-20T19:22:50.000Z,true,false,false,,2024-11-18T12:15:00.000Z,0
CVE-2024-23114,https://securityvulnerability.io/vulnerability/CVE-2024-23114,Deserialization of Untrusted Data Vulnerability,"Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.

Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1

",Apache,Apache Camel,,,0.0004299999854993075,false,,false,false,true,2024-10-28T02:29:38.000Z,true,false,false,,2024-02-20T14:59:38.326Z,0
CVE-2024-47561,https://securityvulnerability.io/vulnerability/CVE-2024-47561,Apache Avro Java SDK Vulnerability,"A vulnerability in the schema parsing component of the Java SDK within Apache Avro versions up to 1.11.3 exposes systems to potential arbitrary code execution. This weakness allows malicious actors to exploit improperly handled schema data, potentially leading to severe security breaches. Users utilizing versions prior to 1.11.4 should urgently upgrade to mitigate risks associated with this vulnerability. The latest versions address these security concerns effectively.",Apache,Apache Avro Java Sdk,,,0.0004299999854993075,false,,true,false,true,2024-10-07T10:30:42.000Z,,false,false,,2024-10-03T10:23:16.214Z,0
CVE-2023-38709,https://securityvulnerability.io/vulnerability/CVE-2023-38709,Malicious Input Validation Flaw Affects Apache HTTP Server,"A significant input validation flaw exists in the core functionality of Apache HTTP Server, specifically impacting versions up to 2.4.58. This vulnerability enables malicious actors or backend content generators to exploit this weakness, leading to the potential for HTTP response splitting. Such an attack could allow for various security implications, including session fixation and cache poisoning, thereby compromising the integrity and confidentiality of affected systems. Organizations using the impacted versions should act swiftly to mitigate this vulnerability and enhance the security posture of their web servers.",Apache,Apache Http Server,,,0.0004400000034365803,false,,false,false,true,2024-10-06T05:32:45.000Z,true,false,false,,2024-04-04T20:15:00.000Z,0
CVE-2024-45195,https://securityvulnerability.io/vulnerability/CVE-2024-45195,Apache OFBiz vulnerable to 'Forced Browsing' (Direct Request) attack,"The vulnerability CVE-2024-45195 affects Apache OFBiz versions before 18.12.16, allowing attackers to execute arbitrary code on the server without valid credentials. This vulnerability poses a severe risk to organizations relying on OFBiz, including potential data theft, disruption of operations, and lateral movement and persistence within the network. Apache has released a patch in version 18.12.16 to address this vulnerability, along with three other related vulnerabilities. Previous vulnerabilities in Apache OFBiz have been actively exploited, making it crucial for organizations to promptly implement the patch to safeguard their critical data and mitigate their attack surface.",Apache,Apache Ofbiz,7.5,HIGH,0.030239999294281006,true,2025-02-04T00:00:00.000Z,true,false,true,2024-09-06T01:00:00.000Z,,false,false,,2024-09-04T08:08:59.201Z,0
CVE-2024-26308,https://securityvulnerability.io/vulnerability/CVE-2024-26308,Allocation of Resources Without Limits or Throttling Vulnerability,"Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.

",Apache,Apache Commons Compress,5.5,MEDIUM,0.0012499999720603228,false,,false,false,true,2024-08-11T23:10:14.000Z,true,false,false,,2024-02-19T08:31:50.192Z,0
CVE-2024-36104,https://securityvulnerability.io/vulnerability/CVE-2024-36104,Apache OFBiz vulnerable to Path Traversal attack,"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14.

Users are recommended to upgrade to version 18.12.14, which fixes the issue.

",Apache,Apache Ofbiz,,,0.010599999688565731,false,,true,false,true,2024-08-07T17:30:13.000Z,,false,false,,2024-06-04T07:25:07.746Z,0
CVE-2024-32113,https://securityvulnerability.io/vulnerability/CVE-2024-32113,Apache OFBiz Fixes Path Traversal Vulnerability,"The Apache OFBiz has a Path Traversal vulnerability, identified as CVE-2024-32113, that allows for arbitrary code execution. This vulnerability has been exploited, particularly by the Mirai Botnet, highlighting the urgency of upgrading to version 18.12.13 to fix the issue.

Another critical vulnerability affects VMware eSXI hypervisors, allowing for authentication bypass and potential ransomware exploits. It is crucial to ensure that all eSXI hypervisors are patched and to use two-factor authentication to enhance security.

Additionally, multiple flaws in Windows Security features, particularly Smart Screen and Smart App Control, have been reported, posing a risk of initial access with minimal user interaction. Teams are advised to carefully monitor and study downloads on their systems to mitigate this risk.",Apache,Apache Ofbiz,9.8,CRITICAL,0.9147899746894836,true,2024-08-07T00:00:00.000Z,true,true,true,2024-08-05T19:51:02.000Z,true,false,false,,2024-05-08T14:50:07.272Z,0
CVE-2024-38856,https://securityvulnerability.io/vulnerability/CVE-2024-38856,Incorrect Authorization Vulnerability Affects Apache OFBiz Through 18.12.14,"An incorrect authorization vulnerability exists in Apache OFBiz that affects versions up to 18.12.14. This issue permits unauthenticated endpoints to execute screen rendering code if certain preconditions are met, particularly when the screen definitions lack explicit checks for user permissions due to reliance on endpoint configurations. Users are advised to upgrade to version 18.12.15 to mitigate the vulnerability and secure their systems.",Apache,Apache Ofbiz,9.8,CRITICAL,0.9428799748420715,true,2024-08-27T00:00:00.000Z,true,true,true,2024-08-05T14:45:12.000Z,true,true,true,2024-08-06T21:52:02.266Z,2024-08-05T08:20:18.081Z,7151
CVE-2024-34693,https://securityvulnerability.io/vulnerability/CVE-2024-34693,Improper Input Validation Vulnerability in Apache Superset Allows for File Reading and Insertion,"The vulnerability in Apache Superset, known as CVE-2024-34693, is a high-risk issue that allows an authenticated attacker to create a MariaDB connection with local_infile enabled. This could potentially lead to the execution of MySQL/MariaDB SQL commands to read files from the server and insert them into a MariaDB database table. The affected versions are Apache Superset before 3.1.3 and version 4.0.0. Users are urged to upgrade to version 4.0.1 or 3.1.3 to address this vulnerability. The potential impact of exploitation includes data manipulation and disclosure. It is classified as a high-risk vulnerability and affected systems include Linux and Unix operating systems. The Common Vulnerability Scoring System (CVSS) has given it a Base Score of 8.1. Exploitations have been reported, making it crucial for users to update their systems promptly. The severity of this vulnerability highlights the need for regular monitoring and prompt patching of affected systems.",Apache,Apache Superset,6.8,MEDIUM,0.0004299999854993075,false,,true,false,true,2024-07-28T06:28:11.000Z,true,false,false,,2024-06-20T08:51:55.329Z,0
CVE-2024-41107,https://securityvulnerability.io/vulnerability/CVE-2024-41107,SAML Authentication Vulnerability in CloudStack Environments,"CVE-2024-41107 is a SAML authentication vulnerability that affects Apache CloudStack environments. The vulnerability allows attackers to bypass SAML authentication and gain unauthorized access to user accounts and control over cloud resources. It is recommended for affected users to disable the SAML authentication plugin or upgrade to the patched versions 4.18.2.2 or 4.19.1.0. An exploit for this vulnerability has been developed, highlighting the critical nature of the issue. The BSI has issued a security advisory for Apache CloudStack, recommending users to keep their systems up to date and install security updates as soon as they are available. The exploit poses a medium risk for affected systems and can potentially lead to the bypassing of security measures.",Apache,Apache Cloudstack,8.1,HIGH,0.7969300150871277,false,,true,false,true,2024-07-24T16:34:18.000Z,,false,false,,2024-07-19T10:19:53.995Z,0
CVE-2024-34750,https://securityvulnerability.io/vulnerability/CVE-2024-34750,"Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption Vulnerability Affects Apache Tomcat","The vulnerability CVE-2024-34750 affects Apache Tomcat, an open-source server, and can be exploited to overload the server's computing resources, leading to a Denial of Service (DoS) attack. The vulnerability affects various versions of Apache Tomcat, and it was discovered directly by the Tomcat security team. The issue stems from an improper handling of HTTP/2 streams, resulting in an incorrect infinite timeout, which allows connections to remain open when they should have been closed. The impact of this vulnerability can be severe, causing service slowdowns or outages. It is recommended to update Tomcat to the patched versions to mitigate the risk. There is a high urgency in addressing this vulnerability due to its potential impact on service availability.",Apache,Apache Tomcat,,,0.0004299999854993075,false,,true,false,true,2024-07-05T18:19:39.000Z,,false,false,,2024-07-03T20:15:00.000Z,0
CVE-2024-29868,https://securityvulnerability.io/vulnerability/CVE-2024-29868,Cryptographically Weak Pseudo-Random Number Generator (PRNG) Vulnerability Affects Apache StreamPipes from 0.69.0 to 0.93.0,"Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

",Apache,Apache Streampipes,,,0.0005300000193528831,false,,false,false,true,2024-06-24T23:53:05.000Z,true,false,false,,2024-06-24T09:59:39.941Z,0