CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2025-25247 – Apache Felix Webconsole: XSS in services console
https://notcve.org/view.php?id=CVE-2025-25247
10 Feb 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8. Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue. • https://lists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25069 – Apache Kvrocks: Cross-Protocol Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2025-25069
07 Feb 2025 — A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similiar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the iss... • https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t • CWE-115: Misinterpretation of Input •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31764 – Apache ShardingSphere ElasticJob-UI allows RCE via event trace data source JDBC
https://notcve.org/view.php?id=CVE-2022-31764
06 Feb 2025 — The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version 3.0.1 and prior versions. This vulnerability has been fixed in ElasticJob-UI 3.0.2. The premise of this attack is that the attacker has obtained the account and password. Otherwise, the attacker cannot perform this attack. The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by co... • https://lists.apache.org/thread/pg0k223m4hsnnzg4nh7lxvdxxgbkrlqb • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37358 – Apache James: denial of service through the use of IMAP literals
https://notcve.org/view.php?id=CVE-2024-37358
06 Feb 2025 — Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals. • https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45626 – Apache James: denial of service through JMAP HTML to text conversion
https://notcve.org/view.php?id=CVE-2024-45626
06 Feb 2025 — Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue. • https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-48019 – Apache Doris: allows admin users to read arbitrary files through the REST API
https://notcve.org/view.php?id=CVE-2024-48019
04 Feb 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Application administrators can read arbitrary files from the server filesystem through path traversal. Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache ... • https://lists.apache.org/thread/p70klgmyrgknhn0t195261wvwv5jw6hr • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-27137 – Apache Cassandra: unrestricted deserialization of JMX authentication credentials
https://notcve.org/view.php?id=CVE-2024-27137
04 Feb 2025 — In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations. This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10. This issue affects Apache Cassan... • https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24860 – Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions
https://notcve.org/view.php?id=CVE-2025-24860
04 Feb 2025 — Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both Cass... • https://lists.apache.org/thread/yjo5on4tf7s1r9qklc4byrz30b8vkm2d • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-23015 – Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions
https://notcve.org/view.php?id=CVE-2025-23015
04 Feb 2025 — Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.... • https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s • CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29869 – Apache Hive: Credentials file created with non restrictive permissions
https://notcve.org/view.php?id=CVE-2024-29869
28 Jan 2025 — Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are recommended to upgrade to version 4.0.1, which fixes this issue. Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unaut... • https://github.com/apache/hive • CWE-732: Incorrect Permission Assignment for Critical Resource •