cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-48019,https://securityvulnerability.io/vulnerability/CVE-2024-48019,Path Traversal Vulnerability in Apache Doris,"A vulnerability in Apache Doris allows application administrators to read arbitrary files from the server filesystem due to improper limitations on pathname access. This path traversal issue could be exploited by malicious users to access sensitive information that should remain restricted. To mitigate this risk, it is essential for users to upgrade to version 2.1.8, 3.0.3, or later, which addresses this vulnerability.",Apache,Apache Doris,,,0.01,false,,false,false,false,,false,false,false,,2025-02-04T18:19:52.467Z,0
CVE-2024-27137,https://securityvulnerability.io/vulnerability/CVE-2024-27137,Local Privilege Escalation in Apache Cassandra Security Flaw,"A local attacker can exploit an issue in Apache Cassandra where they may manipulate the RMI registry, leading to potential man-in-the-middle attacks. This vulnerability allows the attacker to capture user credentials for the JMX interface without needing access to the Apache Cassandra process or its configuration files. Once these credentials are obtained, the attacker may gain unauthorized access to the JMX interface, enabling them to perform various operations. It is crucial for operators to upgrade to specific releases to mitigate this vulnerability.",Apache,Apache Cassandra,,,0.01,false,,false,false,false,,false,false,false,,2025-02-04T10:19:44.109Z,0
CVE-2025-24860,https://securityvulnerability.io/vulnerability/CVE-2025-24860,Incorrect Authorization Vulnerability in Apache Cassandra,"An incorrect authorization issue exists in Apache Cassandra that allows users with restricted data center access to manipulate their permissions via data control language (DCL) statements. This vulnerability affects versions using CassandraNetworkAuthorizer and CassandraCIDRAuthorizer, potentially enabling unauthorized data center access or IP/CIDR group visibility. It is crucial for operators to reassess data access rules and upgrade to patched versions 4.0.16, 4.1.8, or 5.0.3 to mitigate the risk.",Apache,Apache Cassandra,,,0.01,false,,false,false,false,,false,false,false,,2025-02-04T10:17:55.258Z,0
CVE-2025-23015,https://securityvulnerability.io/vulnerability/CVE-2025-23015,Privilege Escalation Vulnerability in Apache Cassandra,"A Privilege Defined With Unsafe Actions vulnerability exists in Apache Cassandra, allowing users with MODIFY permissions on all keyspaces to escalate their privileges to superuser. This can be exploited through unsafe actions to system resources, potentially leading to unauthorized access and data breaches within a targeted Cassandra cluster. Operators are advised to review permissions and access rules associated with data MODIFY privileges to mitigate risks associated with this vulnerability.",Apache,Apache Cassandra,8.8,HIGH,0.01,false,,false,false,false,,false,false,false,,2025-02-04T09:37:18.580Z,0
CVE-2024-29869,https://securityvulnerability.io/vulnerability/CVE-2024-29869,Unauthorized File Access Vulnerability in Apache Hive,"Apache Hive is susceptible to an improper file permissions vulnerability where it creates a credentials file in a temporary directory with default permissions set to 644. This oversight allows any unauthorized user with access to the directory to read sensitive information contained within the file. It is critical for users to upgrade to version 4.0.1 or later, which addresses this vulnerability and helps mitigate the risk of unauthorized information disclosure.",Apache,Apache Hive,5.5,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,false,,2025-01-28T21:31:43.422Z,0
CVE-2024-23953,https://securityvulnerability.io/vulnerability/CVE-2024-23953,Timing Attack in Apache Hive Allows Signature Forgery by Authorized Users,"A vulnerability in Apache Hive's LlapSignerImpl allows an attacker, who is already an authorized user, to forge valid signatures for arbitrary messages by exploiting the non-constant time behavior of the Arrays.equals() method. This flaw permits attackers to manipulate message validation, potentially leading to malicious submissions to LLAP. The associated issue could enable unauthorized activities, such as Denial of Service (DDoS) attacks, as it relies on the differences in signature comparison times. Users are strongly advised to upgrade to version 4.0.0 or later to mitigate this risk.",Apache,Apache Hive,6.5,MEDIUM,0.0004400000034365803,false,,false,false,false,,false,false,false,,2025-01-28T09:07:22.333Z,0
CVE-2025-24783,https://securityvulnerability.io/vulnerability/CVE-2025-24783,Pseudo-Random Number Generator Flaw in Apache Cocoon by Apache,"A vulnerability exists in Apache Cocoon due to an incorrect implementation of the pseudo-random number generator (PRNG) used for generating continuation identifiers. The randomness was compromised by seeding the PRNG with the startup time, which may lead to insufficient unpredictability. Consequently, attackers could potentially guess continuation IDs, granting them unauthorized access to sensitive information. As Apache Cocoon is a retired project, no official fixes are available; therefore, users are advised to either adopt alternative solutions or restrict access strictly to trusted users. Enabling the 'session-bound-continuations' option can mitigate exposure by ensuring continuity identifiers are not shared across different user sessions.",Apache,Apache Cocoon,7.5,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-27T14:47:42.845Z,0
CVE-2025-24814,https://securityvulnerability.io/vulnerability/CVE-2025-24814,Privilege Escalation Vulnerability in Solr by Apache,"Users operating Solr instances with the FileSystemConfigSetService component in an unauthenticated environment face a significant privilege escalation risk. This vulnerability allows the replacement of 'trusted' configuration set files with unvetted alternatives, enabling potential manipulation of Solr's classpath and the execution of malicious code through plugins. To mitigate this issue, it is crucial to enable authentication and authorization in Solr clusters or transition to SolrCloud, along with upgrading to version 9.8.0 or later, which disables the use of '<lib>' tags by default.",Apache,Apache Solr,,,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-27T08:58:08.768Z,0
CVE-2024-52012,https://securityvulnerability.io/vulnerability/CVE-2024-52012,Relative Path Traversal Vulnerability in Apache Solr Affecting Windows Systems,"A relative path traversal vulnerability exists in Apache Solr instances running on Windows operating systems. This flaw is due to insufficient input sanitation within the 'configset upload' API, enabling malicious users to exploit the system by uploading specially crafted ZIP files with relative file paths. Consequently, this allows unauthorized write access to arbitrary locations of the filesystem, potentially leading to unauthorized data exposure and system compromise. To mitigate the risk, users are advised to upgrade to version 9.8.0 or implement the 'Rule-Based Authentication Plugin' to restrict access to the configset upload API.",Apache,Apache Solr,,,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-27T08:54:42.907Z,163
CVE-2024-53299,https://securityvulnerability.io/vulnerability/CVE-2024-53299,Denial of Service Vulnerability in Apache Wicket by Apache,"A flaw in the request handling of Apache Wicket 7.0.0 across all platforms enables malicious actors to exploit server resources, potentially leading to service interruptions. Users are strongly advised to upgrade to the patched versions 9.19.0 or 10.3.0 to ensure protection against such exploitation.",Apache,Apache Wicket,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-23T08:37:05.687Z,0
CVE-2024-51941,https://securityvulnerability.io/vulnerability/CVE-2024-51941,Remote Code Injection Vulnerability in Apache Ambari Metrics by Apache,"A remote code injection vulnerability in the Apache Ambari Metrics and AMS Alerts feature permits authenticated users to inject and execute arbitrary code. This vulnerability arises during the processing of alert definitions, enabling the insertion of malicious input into the alert script execution path. An attacker with authenticated access can exploit this vulnerability to run arbitrary commands on the server. The issue has been addressed in the latest patch releases of Apache Ambari.",Apache,Apache Ambari,8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-21T22:15:00.000Z,0
CVE-2024-45479,https://securityvulnerability.io/vulnerability/CVE-2024-45479,SSRF Vulnerability in Apache Ranger UI Version 2.4.0,"A Server-Side Request Forgery (SSRF) vulnerability exists in the Edit Service Page of the Apache Ranger UI, specifically in Apache Ranger Version 2.4.0. This flaw could allow an attacker to manipulate the server into making unintended requests, potentially gaining access to sensitive internal resources. To mitigate this risk, users are strongly advised to upgrade to Apache Ranger Version 2.5.0, where this issue has been addressed.",Apache,Apache Ranger,9.1,CRITICAL,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-21T22:15:00.000Z,0
CVE-2024-45478,https://securityvulnerability.io/vulnerability/CVE-2024-45478,Stored XSS Vulnerability in Apache Ranger UI for Apache Software Foundation,"A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Edit Service Page of the Apache Ranger user interface. This flaw allows malicious users to inject arbitrary web scripts into the vulnerable application, potentially compromising the security environment and exposing sensitive data. It is recommended for users operating Apache Ranger version 2.4.0 to upgrade to version 2.5.0 to address this vulnerability effectively. Detailed information can be found on the official Apache Ranger website.",Apache,Apache Ranger,4.8,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-21T22:15:00.000Z,0
CVE-2025-23196,https://securityvulnerability.io/vulnerability/CVE-2025-23196,Code Injection Vulnerability in Ambari Alert Definition by Apache,"A code injection vulnerability exists in the Ambari Alert Definition feature that permits authenticated users to inject and execute arbitrary shell commands. This vulnerability is linked to the alert script definitions where the script filename is executed using a shell command. If exploited, an attacker with authenticated access can send malicious commands, leading to remote code execution on the targeted server. The vulnerability has been addressed in the latest versions of Ambari, emphasizing the importance of prompt updates for users.",Apache,Apache Ambari,8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-21T22:15:00.000Z,0
CVE-2025-23195,https://securityvulnerability.io/vulnerability/CVE-2025-23195,XML External Entity Vulnerability in Apache Ambari and Oozie,"An XML External Entity (XXE) vulnerability in the Apache Ambari and Oozie projects allows attackers to inject malicious XML entities. This security weakness arises from the insecure parsing of XML input using the `DocumentBuilderFactory` class without properly disabling external entity resolution. By exploiting this flaw, attackers can gain access to arbitrary files on the server and potentially execute server-side request forgery (SSRF) attacks. The issue has been remediated in Ambari version 2.7.9, as well as in the trunk branch.",Apache,Apache Ambari,7.5,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-21T22:15:00.000Z,0
CVE-2025-23184,https://securityvulnerability.io/vulnerability/CVE-2025-23184,Denial of Service Vulnerability in Apache CXF Software,"A vulnerability in Apache CXF could lead to denial of service due to unclosed CachedOutputStream instances. This issue may arise in specific scenarios where these instances, when tied to temporary files, fail to close properly. As a result, the affected systems—both servers and clients—could experience file system saturation, potentially hindering their operational capabilities.",Apache,Apache Cxf,5.9,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-21T09:35:37.468Z,0
CVE-2024-45627,https://securityvulnerability.io/vulnerability/CVE-2024-45627,File Reading Vulnerability in Apache Linkis DataSource Manager Module,"A vulnerability exists in the DataSource Manager Module of Apache Linkis versions prior to 1.7.0, whereby insufficient filtering of input parameters may allow an attacker with valid authorized access to configure malicious MySQL JDBC parameters. This configuration can enable the attacker to read arbitrary files from the Linkis server, potentially leading to unauthorized information disclosure. To mitigate this risk, it is recommended that users update to Linkis version 1.7.0 or above, where proper parameter blacklisting has been implemented to enhance security.",Apache Software Foundation,Apache Linkis,,,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-14T17:15:00.000Z,0
CVE-2025-22828,https://securityvulnerability.io/vulnerability/CVE-2025-22828,Access Control Issue in Apache CloudStack Affects User Comments,"An access validation flaw in Apache CloudStack allows users to add and read comments on resources they are authorized to access. This issue affects versions starting from 4.16.0, and attackers with username and access privileges, as well as knowledge of resource UUIDs, can exploit it. While it's difficult to enumerate resource UUIDs, the potential risk lies in the confidentiality of information stored within comments. The ability to insert or read annotations could lead to unauthorized exposure of sensitive data. Administrators are advised to restrict API access for non-admin roles as a precautionary measure.",Apache,Apache Cloudstack,,,0.0004299999854993075,false,,false,false,true,2025-01-31T04:26:38.000Z,true,false,false,,2025-01-13T12:47:51.619Z,65
CVE-2024-45033,https://securityvulnerability.io/vulnerability/CVE-2024-45033,Insufficient Session Expiration in Apache Airflow Fab Provider,"An insufficient session expiration vulnerability exists in the Apache Airflow Fab Provider, which allows users to remain logged in even after their password has been modified through the admin CLI. This issue was specifically noted in versions prior to 1.5.2, and it poses a risk since users might retain session access despite a password change. In contrast, session handling behaves securely when password changes are initiated via the web server. For enhanced security, it is recommended that users upgrade to version 1.5.2, which addresses this oversight.",Apache,Apache Airflow Fab Provider,8.1,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-08T08:41:39.579Z,0
CVE-2024-54676,https://securityvulnerability.io/vulnerability/CVE-2024-54676,Deserialization Vulnerability in Apache OpenMeetings by The Apache Software Foundation,"A deserialization vulnerability in Apache OpenMeetings due to inadequate clustering instructions can lead to potential exploitation. The default setup does not detail blacklists or whitelists for OpenJPA, allowing attackers to manipulate the deserialization process and potentially execute malicious code. Users are strongly advised to upgrade to version 8.0.0 and adjust startup scripts to implement the appropriate 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' settings. This precaution is crucial for maintaining the security of the application against unauthorized data handling.",Apache,Apache Openmeetings,9.8,CRITICAL,0.001769999973475933,false,,false,false,false,,false,false,false,,2025-01-08T08:40:03.705Z,0
CVE-2024-56512,https://securityvulnerability.io/vulnerability/CVE-2024-56512,Authorization Flaw in Apache NiFi Affecting Parameter Contexts and Controller Services,"A security flaw exists in Apache NiFi versions 1.10.0 through 2.0.0 related to the lack of fine-grained authorization checks for Parameter Contexts, Controller Services, and Parameter Providers during the creation of new Process Groups. When a Process Group is created that does not reference any Parameter values, the framework fails to validate user authorization for the associated Parameter Context, allowing unauthorized access to non-sensitive Parameter values. Furthermore, when referencing existing Controller Services or Parameter Providers, the system does not check user authorization, which could permit unauthorized users to create Process Groups that leverage these components. It is important to note that this issue affects deployments setup with component-based authorization policies and is limited to users who are already authenticated and authorized to initiate the creation of Process Groups. The recommended action is to upgrade to Apache NiFi version 2.1.0, which addresses these authorization issues.",Apache Software Foundation,,,,0.0005300000193528831,false,,false,false,true,2025-01-07T02:35:33.000Z,true,false,false,,2024-12-28T17:15:00.000Z,696
CVE-2024-52046,https://securityvulnerability.io/vulnerability/CVE-2024-52046,Remote Code Execution Risk in Apache MINA ObjectSerializationDecoder,"The ObjectSerializationDecoder in Apache MINA is vulnerable due to its reliance on Java's native deserialization without implementing proper security measures. This flaw allows attackers to exploit the deserialization process by sending specially crafted data, which may result in remote code execution on the affected systems. The vulnerability impacts MINA core versions 2.0.X, 2.1.X, and 2.2.X, necessitating upgrades to the patched versions: 2.0.27, 2.1.10, and 2.2.4. Applications utilizing the IoBuffer#getObject() method and employing ProtocolCodecFilter with ObjectSerializationCodecFactory are particularly at risk. To safeguard against this vulnerability, developers must not only update the MINA library but also configure the ObjectSerializationDecoder to explicitly permit the deserialization of specific class names and patterns. By default, the decoder rejects all class types present in incoming serialized data, thereby providing a layer of security when correctly configured.",Apache,Apache Mina,10,CRITICAL,0.0004299999854993075,false,,false,false,false,,,true,true,2024-12-31T06:52:02.724Z,2024-12-25T10:06:23.887Z,6153
CVE-2024-43441,https://securityvulnerability.io/vulnerability/CVE-2024-43441,Authentication Bypass Vulnerability in Apache HugeGraph-Server,"An authentication bypass vulnerability has been identified in Apache HugeGraph-Server, affecting versions from 1.0.0 up to but not including 1.5.0. This security issue arises from an improper handling of assumed-immutable data, which may allow an attacker to gain unauthorized access. It is critical for users operating vulnerable versions of the HugeGraph-Server to upgrade to version 1.5.0, where this vulnerability has been addressed. Failure to update may expose systems to potential exploitation.",Apache,Apache Hugegraph-server,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-24T11:59:59.219Z,229
CVE-2024-45387,https://securityvulnerability.io/vulnerability/CVE-2024-45387,SQL Injection Vulnerability in Apache Traffic Control,"A vulnerability exists in Traffic Ops of Apache Traffic Control that allows a privileged user with roles such as 'admin', 'federation', 'operations', 'portal', or 'steering' to perform SQL injection attacks. By crafting a specially-designed PUT request, these users can execute arbitrary SQL commands against the database, potentially compromising data integrity and confidentiality. It is essential for users operating susceptible versions of Apache Traffic Control to upgrade to version 8.0.2 to mitigate this risk effectively.",Apache,Apache Traffic Control,9.9,CRITICAL,0.0004299999854993075,false,,true,true,true,2024-12-25T09:18:55.000Z,,true,false,,2024-12-23T15:30:13.873Z,2874
CVE-2024-23945,https://securityvulnerability.io/vulnerability/CVE-2024-23945,Application Security Flaw in Apache Hive and Spark Affecting Cookie Signature Verification,"An application security flaw exists in Apache Hive and Apache Spark concerning the improper handling of signed cookies. This vulnerability allows an incorrect signature mismatch to expose the signed cookie to users, potentially enabling malicious actors to alter the cookie's value. The vulnerability traces back to the CookieSigner logic introduced in Apache Hive via HIVE-9710 starting from version 1.2.0 and in Apache Spark through SPARK-14987 from version 2.0.0. The exposure of these cookies can result in unauthorized access and further exploitation of the application, raising significant security concerns for users relying on these platforms.",Apache,"Apache Hive,Apache Spark",,,0.0004400000034365803,false,,false,false,false,,,false,false,,2024-12-23T15:26:54.477Z,278