Vulnerabilidades en Apache Software Foundation

1899 resultados
Análisis Vexday

O portfólio da Apache Software Foundation acumula 1.872 CVEs catalogadas, das quais 215 são de severidade crítica e 83 contam com prova de conceito pública — fatores que ampliam a superfície de risco operacional para equipes de segurança. A taxa de exploração ativa é especialmente preocupante: 28 vulnerabilidades constam no catálogo KEV da CISA, representando uma proporção 3,3 vezes acima da média geral do catálogo, o que indica atenção consistente de agentes maliciosos ao ecossistema Apache. A falha mais comum é CWE-20 (validação inadequada de entrada), padrão estrutural que tende a se manifestar em múltiplos produtos e versões, exigindo revisão ampla e não pontual. Destaque para CVE-2021-40438, a vulnerabilidade de maior risco ativo no momento, com EPSS máximo de 1,0 — probabilidade de exploração na prática praticamente certa —, o que a torna prioridade imediata de remediação para qualquer organização que opere componentes Apache afetados.

CVE-2026-42509MEDIUMApache Wicket: crafted strings can break out of the JavaScript sequenceEPSS 0.4%CVE-2025-59790MEDIUMApache Kvrocks: RESET command grants admin privilegesEPSS 0.4%CVE-2026-32794MEDIUMApache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token ExchangeEPSS 0.4%CVE-2026-42809CRITICALApache Polaris: staged table creation could vend storage credentials for unvalidated locationsEPSS 0.4%CVE-2026-40690MEDIUMApache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized usersEPSS 0.4%CVE-2026-38743MEDIUMApache Airflow: Dags endpoint might provide access to otherwise inaccessible entitiesEPSS 0.4%CVE-2026-46764MEDIUMApache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filterEPSS 0.4%CVE-2026-48589NONEApache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flowEPSS 0.4%CVE-2026-41014MEDIUMApache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpointsEPSS 0.4%CVE-2026-43514LOWApache Tomcat: AJP secret compared in non-constant timeEPSS 0.4%CVE-2026-54226MEDIUMApache Kvrocks: RESTORE IntSet Integer Overflow Leads to Remote DoSEPSS 0.3%CVE-2026-23984HIGHApache Superset: SQLLab Read-Only Bypass on PostgreSQLEPSS 0.3%CVE-2025-53648MEDIUMApache Gravitino: SQL misconfiguration can access or truncate filesEPSS 0.3%CVE-2025-49124HIGHApache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for WindowsEPSS 0.3%CVE-2017-3166In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that makEPSS 0.3%CVE-2023-43123Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary filesEPSS 0.3%CVE-2026-34476HIGHApache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP ServerEPSS 0.3%CVE-2026-45426LOWApache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log accessEPSS 0.3%CVE-2025-62728MEDIUMApache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIsEPSS 0.3%CVE-2024-27906MEDIUMApache Airflow: Dag Code and Import Error Permissions IgnoredEPSS 0.3%