
CVE-2024-56180 – Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution
https://notcve.org/view.php?id=CVE-2024-56180
14 Feb 2025 — CWE-502 Deserialization of Untrusted Data in the eventmesh-meta-raft plugin module of the Apache EventMesh master branch (no release version; affects Windows, Linux, macOS and other platforms) allows attackers to send a controlled message and execute code remotely via the Hessian deserialization RPC protocol. Users can use the code under the master branch in the project repo or version 1.11.0 to fix this issue. • https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd • CWE-502: Deserialization of Untrusted Data •

CVE-2024-52577 – Apache Ignite: Possible RCE when deserializing incoming messages by the server node
https://notcve.org/view.php?id=CVE-2024-52577
14 Feb 2025 — In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side. • https://lists.apache.org/thread/1bst0n27m9kb3b6f6hvlghn182vqb2hh • CWE-502: Deserialization of Untrusted Data •

CVE-2024-46910 – Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user
https://notcve.org/view.php?id=CVE-2024-46910
13 Feb 2025 — An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to version 2.4.0, which fixes the issue. • https://lists.apache.org/thread/sqzp34l4cdk21zoq5g31qlsvr7jvb1fy • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2024-32838 – Apache Fineract: SQL injection vulnerabilities in offices API endpoint
https://notcve.org/view.php?id=CVE-2024-32838
12 Feb 2025 — SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into the query parameters of some of the REST API endpoints. Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly ... • https://lists.apache.org/thread/7l88h17pn9nf8zpx5bbojk7ko5oxo1dy • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-25247 – Apache Felix Webconsole: XSS in services console
https://notcve.org/view.php?id=CVE-2025-25247
10 Feb 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8. Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue. • https://lists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-25069 – Apache Kvrocks: Cross-Protocol Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2025-25069
07 Feb 2025 — A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the iss... • https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t • CWE-115: Misinterpretation of Input •

CVE-2022-31764 – Apache ShardingSphere ElasticJob-UI allows RCE via event trace data source JDBC
https://notcve.org/view.php?id=CVE-2022-31764
06 Feb 2025 — The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version 3.0.1 and prior versions. This vulnerability has been fixed in ElasticJob-UI 3.0.2. The premise of this attack is that the attacker has obtained the account and password. Otherwise, the attacker cannot perform this attack. • https://lists.apache.org/thread/pg0k223m4hsnnzg4nh7lxvdxxgbkrlqb • CWE-913: Improper Control of Dynamically-Managed Code Resources •

CVE-2024-37358 – Apache James: denial of service through the use of IMAP literals
https://notcve.org/view.php?id=CVE-2024-37358
06 Feb 2025 — Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations. Versions 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals. • https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc • CWE-20: Improper Input Validation •

CVE-2024-45626 – Apache James: denial of service through JMAP HTML to text conversion
https://notcve.org/view.php?id=CVE-2024-45626
06 Feb 2025 — The Apache James server JMAP HTML to plain text implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 or 3.8.2, which fix this issue. • https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl • CWE-400: Uncontrolled Resource Consumption •

CVE-2024-48019 – Apache Doris: allows admin users to read arbitrary files through the REST API
https://notcve.org/view.php?id=CVE-2024-48019
04 Feb 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Application administrators can read arbitrary files from the server filesystem through path traversal. Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue. • https://lists.apache.org/thread/p70klgmyrgknhn0t195261wvwv5jw6hr • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-552: Files or Directories Accessible to External Parties •