CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-47436 – Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression
https://notcve.org/view.php?id=CVE-2025-47436
14 May 2025 — Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption. This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1. Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and ... • https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn • CWE-122: Heap-based Buffer Overflow •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-26864 – Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication
https://notcve.org/view.php?id=CVE-2025-26864
14 May 2025 — Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue. Vulnerabilidad de exposición de información confidencial a un agente no autorizado e inserción de información confidencial en archivos de registro en OpenIdAuthorizer de Apache... • https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-26795 – Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver
https://notcve.org/view.php?id=CVE-2025-26795
14 May 2025 — Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue. Vulnerabilidad de exposición de información confidencial a un agente no autorizado e inserción de información confidencial en archivos de registro en el controlador JDBC de Apache IoTDB. Est... • https://lists.apache.org/thread/bj0ytxr5wg0c4jw8xm7rhfd8ogho0r91 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24780 – Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function
https://notcve.org/view.php?id=CVE-2024-24780
14 May 2025 — Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue. Vulnerabilidad de ejecución remota de código con URI no confiable de UDF en Apache IoTDB. • https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27696 – Apache Superset: Improper authorization leading to resource ownership takeover
https://notcve.org/view.php?id=CVE-2025-27696
13 May 2025 — Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue. • https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413 • CWE-285: Improper Authorization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46392 – Apache Commons Configuration: Uncontrolled Resource Consumption when loading untrusted configurations in 1.x
https://notcve.org/view.php?id=CVE-2025-46392
09 May 2025 — Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations. Users that load untrusted configurations or give att... • https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 3CVE-2025-27533 – Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation
https://notcve.org/view.php?id=CVE-2025-27533
07 May 2025 — Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 b... • https://packetstorm.news/files/id/191182 • CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46762 – Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
https://notcve.org/view.php?id=CVE-2025-46762
06 May 2025 — Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to ... • https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp • CWE-73: External Control of File Name or Path •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2025-31651 – Apache Tomcat: Bypass of rules in Rewrite Valve
https://notcve.org/view.php?id=CVE-2025-31651
28 Apr 2025 — Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERS... • https://github.com/gregk4sec/CVE-2025-31651 • CWE-116: Improper Encoding or Escaping of Output CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 3CVE-2025-31650 – Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
https://notcve.org/view.php?id=CVE-2025-31650
28 Apr 2025 — Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fi... • https://github.com/absholi7ly/TomcatKiller-CVE-2025-31650 • CWE-20: Improper Input Validation CWE-459: Incomplete Cleanup •