| CVE-2016-1000027 |
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code
execution (RCE) issue if used for Java deserialization of untrusted data. Depending
on how the library is implemented within a product, this issue may or may not occur, and
authentication may be required. NOTE: the vendor's position is that untrusted data
is not an intended use case. The product's behavior will not be changed because some
users rely on deserialization of trusted data. |
| CVE-2021-4048 |
An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV
functions in lapack through version 3.10.0, as also used in OpenBLAS before version
0.3.18. Specially crafted inputs passed to these functions could cause an
application using lapack to crash or possibly disclose portions of its
memory. |
| CVE-2024-38821 |
Spring Security authorization rules on static resources in Spring WebFlux
applications can be bypassed under certain circumstances. For this to impact an
application, all of the following must be true:
- It must be a WebFlux application
- It must be using Spring's static resources support
- It must have a non-permitAll authorization rule applied to the static resources support |
| CVE-2024-52046 |
The ObjectSerializationDecoder in Apache MINA uses Java’s native
deserialization protocol to process incoming serialized data but lacks the necessary
security checks and defenses. This vulnerability allows attackers to exploit the
deserialization process by sending specially crafted malicious serialized data,
potentially leading to remote code execution (RCE) attacks. This issue affects MINA
core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27,
2.1.10 and 2.2.4. It's also important to note that an application using MINA core
library will only be affected if the IoBuffer#getObject() method is called, and this
specific method is potentially called when adding a ProtocolCodecFilter instance
using the ObjectSerializationCodecFactory class in the filter chain. If your
application is specifically using those classes, you have to upgrade to the latest
version of MINA core library. Upgrading will not be enough: you also need to
explicitly allow the classes the decoder will accept in the
ObjectSerializationDecoder instance, using one of the three new methods:
- `public void accept(ClassNameMatcher classNameMatcher)`: accept class names where
the supplied ClassNameMatcher matches for deserialization, unless they are otherwise
rejected.
- `public void accept(Pattern pattern)`: accept class names that match the supplied
pattern (a standard Java regexp) for deserialization, unless they are otherwise
rejected.
- `public void accept(String... patterns)`: accept the wildcard-specified classes for
deserialization, unless they are otherwise rejected; the patterns are wildcard file
name patterns as defined by
org.apache.commons.io.FilenameUtils#wildcardMatch(String, String).
By default, the decoder will reject *all* classes that will be present in the incoming
data. Note: The FtpServer, SSHd and Vysper sub-projects are not affected by this
issue. |
| CVE-2024-52316 |
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
configured to use a custom Jakarta Authentication (formerly
JASPIC) ServerAuthContext component which may throw an exception during the
authentication process without explicitly setting an HTTP status to indicate
failure, the authentication may not fail, allowing the user to bypass the
authentication process. There are no known Jakarta Authentication components that
behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through
11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are
recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the
issue. |
| CVE-2024-53990 |
The AsyncHttpClient (AHC) library allows Java applications to easily execute
HTTP requests and asynchronously process HTTP responses. When making any HTTP
request, the automatically enabled and self-managed CookieStore (aka cookie jar)
will silently replace explicitly defined Cookies with any that have the same name
from the cookie jar. For services that operate with multiple users, this can result
in one user's Cookie being used for another user's requests. |
| CVE-2025-24813 |
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution
and/or Information disclosure and/or malicious content added to uploaded files via
write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat:
from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through
9.0.98. The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be
affected. If all of the following were true, a malicious user was able to view
security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target
URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code
execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default
storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fix
the issue. |
| CVE-2025-31651 |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in
Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible
for a specially crafted request to bypass some rewrite rules. If those rewrite rules
effectively enforced security constraints, those constraints could be bypassed. This
issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through
10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time
the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other,
older, EOL versions may also be affected. Users are recommended to upgrade to
version [FIXED_VERSION], which fixes the issue. |
| CVE-2024-48910 |
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML,
MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability
is fixed in 2.4.2. |
| CVE-2024-45216 |
Improper Authentication vulnerability in Apache Solr. Solr instances using the
PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is
used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr
API URL path will allow requests to skip Authentication while maintaining the API
contract with the original URL Path. This fake ending looks like an unprotected API
path, however it is stripped off internally after authentication but before API
routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before
9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the
issue. |
| CVE-2026-27727 |
mchange-commons-java, a library that provides Java utilities, includes code
that mirrors early implementations of JNDI functionality, including support for
remote `factoryClassLocation` values, by which code can be downloaded and invoked
within a running application. If an attacker can provoke an application to read a
maliciously crafted `javax.naming.Reference` or serialized object, they can provoke
the download and execution of malicious code. Implementations of this functionality
within the JDK were disabled by default behind a System property that defaults to
`false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since
mchange-commons-java includes an independent implementation of JNDI dereferencing,
libraries (such as c3p0) that resolve references via that implementation could be
provoked to download and execute malicious code even after the JDK was hardened.
Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by
configuration parameters that default to restrictive values starting in version
0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided
on application CLASSPATHs. |
| CVE-2025-66614 |
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from
11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through
9.0.112. The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.
Tomcat did not validate that the host name provided via the SNI extension was the
same as the host name provided in the HTTP host header field. If Tomcat was
configured with more than one virtual host and the TLS configuration for one of
those hosts did not require client certificate authentication but another one did,
it was possible for a client to bypass the client certificate authentication by
sending different host names in the SNI extension and the HTTP host header field.
The vulnerability only applies if client certificate authentication is only enforced
at the Connector. It does not apply if client certificate authentication is enforced
at the web application. Users are recommended to upgrade to version 11.0.15 or
later, 10.1.50 or later or 9.0.113 or later, which fix the issue. |
| CVE-2017-1000028 |
Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to a Directory
Traversal vulnerability, both authenticated and unauthenticated, that can be
exploited by issuing a specially crafted HTTP GET request. |
| CVE-2019-18218 |
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the
number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte
out-of-bounds write). |
| CVE-2021-0341 |
In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept
a certificate for the wrong domain due to improperly used crypto. This could lead to
remote information disclosure with no additional execution privileges needed. User
interaction is not needed for exploitation. Product: Android. Versions: Android-8.1,
Android-9, Android-10, Android-11. Android ID: A-171980069 |
| CVE-2021-44878 |
If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with
no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit
configuration on its side or for the "idtoken" response type which is not secure and
violates the OpenID Core Specification. The "none" algorithm does not require any
signature verification when validating the ID tokens, which allows the attacker to
bypass the token validation by injecting a malformed ID token using "none" as the
value of "alg" key in the header with an empty signature value. |
| CVE-2022-25844 |
The package angular after 1.7.0 is vulnerable to Regular Expression Denial of
Service (ReDoS) by providing a custom locale rule that makes it possible to assign
the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a
very high value. **Note:** 1) This package has been deprecated and is no longer
maintained. 2) The vulnerable versions are 1.7.0 and higher. |
| CVE-2022-3171 |
A parsing issue with binary data in protobuf-java core and lite versions prior
to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs
containing multiple instances of non-repeated embedded messages with repeated or
unknown fields cause objects to be converted back and forth between mutable and
immutable forms, resulting in potentially long garbage collection pauses. We
recommend updating to the versions mentioned above. |
| CVE-2022-3509 |
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java
core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a
denial of service attack. Inputs containing multiple instances of non-repeated
embedded messages with repeated or unknown fields cause objects to be converted
back and forth between mutable and immutable forms, resulting in potentially long
garbage collection pauses. We recommend updating to the versions mentioned
above. |
| CVE-2022-3510 |
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in
protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can
lead to a denial of service attack. Inputs containing multiple instances of
non-repeated embedded messages with repeated or unknown fields cause objects to be
converted back and forth between mutable and immutable forms, resulting in potentially
long garbage collection pauses. We recommend updating to the versions mentioned
above. |
| CVE-2023-3635 |
GzipSource does not handle an exception that might be raised when parsing a
malformed gzip buffer. This may lead to denial of service of the Okio client when
handling a crafted GZIP archive, by using the GzipSource class. |
| CVE-2023-39410 |
When deserializing untrusted or corrupted data, it is possible for a reader to
consume memory beyond the allowed constraints and thus lead to out of memory on the
system. This issue affects Java applications using Apache Avro Java SDK up to and
including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses
this issue. |
| CVE-2023-4586 |
A vulnerability was found in the Hot Rod client. This security issue occurs as
the Hot Rod client does not enable hostname validation when using TLS, possibly
resulting in a man-in-the-middle (MITM) attack. |
| CVE-2023-7272 |
In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of
nested objects can allow an attacker to cause a Java stack overflow exception and
denial of service. Eclipse Parsson allows processing (e.g. parse, generate,
transform and query) JSON documents. |
| CVE-2024-13009 |
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released
when confronted with a gzip error when inflating a request body. This can result in
corrupted and/or inadvertent sharing of data between requests. |
| CVE-2024-21490 |
This affects versions of the package angular from 1.3.0. A regular expression
used to split the value of the ng-srcset directive is vulnerable to super-linear
runtime due to backtracking. With large carefully-crafted input, this can result in
catastrophic backtracking and cause a denial of service. **Note:** This package is
EOL and will not receive any updates to address this issue. Users should migrate to
[@angular/core](https://www.npmjs.com/package/@angular/core). |
| CVE-2024-25638 |
dnsjava is an implementation of DNS in Java. Records in DNS replies are not
checked for their relevance to the query, allowing an attacker to respond with RRs
from different zones. This vulnerability is fixed in 3.6.0. |
| CVE-2024-29131 |
Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue
affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended
to upgrade to version 2.10.1, which fixes the issue. |
| CVE-2024-29857 |
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java
(BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C#
.Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead
to excessive CPU consumption during the evaluation of the curve parameters. |
| CVE-2024-34447 |
An issue was discovered in the Bouncy Castle Crypto Package For Java before BC
TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS
TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL
socket is created without an explicit hostname (as happens with HttpsURLConnection),
hostname verification could be performed against a DNS-resolved IP address in some
situations, opening up a possibility of DNS poisoning. |
| CVE-2024-47561 |
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions
allows bad actors to execute arbitrary code. Users are recommended to upgrade to
version 1.11.4 or 1.12.0, which fix this issue. |
| CVE-2024-57699 |
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When
loading a specially crafted JSON input containing a large number of '{', a stack
exhaustion can be triggered, which could allow an attacker to cause a Denial of
Service (DoS). This issue exists because of an incomplete fix for
CVE-2023-1370. |
| CVE-2024-7254 |
Any project that parses untrusted Protocol Buffers data containing an arbitrary
number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack
limit, i.e. StackOverflow. Parsing nested groups as unknown fields with
DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map
fields, creates unbounded recursions that can be abused by an attacker. |
| CVE-2025-1948 |
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can
specify a very large value for the HTTP/2 settings parameter
SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation
on this setting, and tries to allocate a ByteBuffer of the specified capacity to
encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even
the JVM process exiting. |
| CVE-2025-22228 |
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return
true for passwords larger than 72 characters as long as the first 72 characters are
the same. |
| CVE-2025-24970 |
Netty, an asynchronous, event-driven network application framework, has a
vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final.
When a specially crafted packet is received via SslHandler it doesn't correctly handle
validation of such a packet in all cases, which can lead to a native crash. Version
4.1.118.Final contains a patch. As a workaround it is possible to either disable the
usage of the native SSLEngine or change the code manually. |
| CVE-2025-31650 |
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error
handling for some invalid HTTP priority headers resulted in incomplete clean-up of
the failed request which created a memory leak. A large number of such requests
could trigger an OutOfMemoryException resulting in a denial of service. This issue
affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39,
from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE
was created but are known to be affected: 8.5.90 through 8.5.100. Users are
recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the
issue. |
| CVE-2025-46762 |
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous
versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix
to restrict untrusted packages, the default setting of trusted packages still allows
malicious classes from these packages to be executed. The exploit is only applicable
if the client code of parquet-avro uses the "specific" or the "reflect" models
deliberately for reading Parquet files. (The "generic" model is not impacted.) Users are
recommended to upgrade to 1.15.2 or set the system property
"org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both
are sufficient to fix the issue. |
| CVE-2025-67721 |
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard
compression algorithms to Java. In versions 3.3 and below, incorrect handling of
malformed data in Java-based decompressor implementations for Snappy and LZ4 allows
remote attackers to read previous buffer contents via crafted compressed input. With
certain crafted compressed inputs, elements from the output buffer can end up in the
uncompressed output, potentially leaking sensitive data. This is relevant for
applications that reuse the same output buffer to uncompress multiple inputs. This
can be the case of a web server that allocates a fixed-size buffer for performance
purposes. There is a similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed
in version 3.4. |
| CVE-2025-55163 |
Netty is an asynchronous, event-driven network application framework. Prior to
versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS.
This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2
control frames in order to break the max concurrent streams limit - which results in
resource exhaustion and distributed denial of service. This issue has been patched
in versions 4.1.124.Final and 4.2.4.Final. |
| CVE-2025-58057 |
Netty is an asynchronous event-driven network application framework for rapid
development of maintainable high performance protocol servers & clients. In
netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions
4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and
certain other decompression decoders will allocate a large number of reachable byte
buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit
in how often it calls pull, decompressing data 64K bytes at a time. The buffers are
saved in the output list, and remain reachable until OOM is hit. This is fixed in
versions 4.1.125.Final of netty-codec and 4.2.5.Final of
netty-codec-compression. |
| CVE-2025-58056 |
Netty is an asynchronous event-driven network application framework for
development of maintainable high performance protocol servers and clients. In
versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly
accepts standalone newline characters (LF) as a chunk-size line terminator,
regardless of a preceding carriage return (CR), instead of requiring CRLF per
HTTP/1.1 standards. When combined with reverse proxies that parse LF differently
(treating it as part of the chunk extension), attackers can craft requests that the
proxy sees as one request but Netty processes as two, enabling request smuggling
attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final. |
| CVE-2025-48734 |
Improper Access Control vulnerability in Apache Commons. A special
BeanIntrospector class was added in version 1.9.2. This can be used to stop
attackers from using the declared class property of Java enum objects to get access
to the classloader. However, this protection was not enabled by default.
PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class
level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential
security issue when accessing enum properties in an uncontrolled way. If an
application using Commons BeanUtils passes property paths from an external source
directly to the getProperty() method of PropertyUtilsBean, an attacker can access
the enum’s class loader via the “declaredClass” property available on all Java
“enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to
access the ClassLoader and execute arbitrary code. The same issue exists with
PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a
special BeanIntrospector suppresses the “declaredClass” property. Note that this new
BeanIntrospector is enabled by default, but you can disable it to regain the old
behavior; see section 2.5 of the user's guide and the unit tests. This issue affects
Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the
artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to
version 1.11.0, which fixes the issue. Users of the artifact
org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version
2.0.0-M2, which fixes the issue. |
| CVE-2026-24308 |
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5
and 3.9.4 on all platforms allows an attacker to expose sensitive information stored
in client configuration in the client's logfile. Configuration values are exposed at
INFO level logging, rendering potential production systems affected by the
issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fix this
issue. |
| CVE-2026-24281 |
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse
DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR
records to impersonate ZooKeeper servers or clients with a valid certificate for the
PTR name. It's important to note that an attacker must present a certificate which is
trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are
recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by
introducing a new configuration option to disable reverse DNS lookup in client and
quorum protocols. |
| CVE-2023-1428 |
There exists a vulnerability causing an abort() to be called in gRPC. The
following headers cause gRPC's C++ implementation to abort() when called via http2:
- te: x (x != trailers)
- :scheme: x (x != http, https)
- grpclb_client_stats: x (x == anything)
On top of sending one of those headers, a later header must be sent that
gets the total header size past 8KB. We recommend upgrading past git
commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above. |
| CVE-2026-22022 |
Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based
Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr
APIs, due to insufficiently strict input validation in those components. Only
deployments that meet all of the following criteria are impacted by this
vulnerability:
- Use of Solr's "RuleBasedAuthorizationPlugin"
- A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple
"roles"
- A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or
more of the following pre-defined permission rules: "config-read", "config-edit",
"schema-read", "metrics-read", or "security-read".
- A RuleBasedAuthorizationPlugin permission list that doesn't define the "all"
pre-defined permission
- A networking setup that allows clients to make unfiltered network requests to Solr
(i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted
by any intervening proxy or gateway)
Users can mitigate this vulnerability by ensuring that their
RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission
and associates the permission with an "admin" or other privileged role. Users can also
upgrade to a Solr version outside of the impacted range, such as the recently released
Solr 9.10.1. |
| CVE-2024-45217 |
Insecure Default Initialization of Resource vulnerability in Apache Solr. New
ConfigSets that are created via a Restore command, which copy a configSet from the
backup and give it a new name, are created without setting the "trusted" metadata.
ConfigSets that do not contain the flag are trusted implicitly if the metadata is
missing, therefore this leads to "trusted" ConfigSets that may not have been created
with an Authenticated request. "trusted" ConfigSets are able to load custom code
into classloaders, therefore the flag is supposed to only be set when the request
that uploads the ConfigSet is Authenticated & Authorized. This issue affects
Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not
affect Solr instances that are secured via Authentication/Authorization. Users are
primarily recommended to use Authentication and Authorization when running Solr.
However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue
otherwise. |
| CVE-2026-22444 |
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input
validation on some API parameters, which can cause Solr to check the existence of
and attempt to read file-system paths that should be disallowed by Solr's
"allowPaths" security setting
(https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element).
These read-only accesses can allow users to create cores using unexpected
configsets if any are accessible via the filesystem. On Windows systems configured
to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes.
Solr deployments are subject to this vulnerability if they meet the following
criteria:
- Solr is running in its "standalone" mode.
- Solr's "allowPaths" setting is being used to restrict file access to certain
directories.
- Solr's "create core" API is exposed and accessible to untrusted users. This can
happen if Solr's RuleBasedAuthorizationPlugin
(https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html)
is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or
an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles.
Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if
disabled) and configuring a permission-list that prevents untrusted users from
creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or
greater, which contains fixes for this issue. |
| CVE-2025-5222 |
A stack buffer overflow was found in International Components for Unicode
(ICU). While running the genrb binary, the 'subtag' struct overflowed at the
SRBRoot::addTag function. This issue may lead to memory corruption and local
arbitrary code execution. |
| CVE-2025-5115 |
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21,
<=12.1.0.alpha2, an HTTP/2 client may trigger the server to send
RST_STREAM frames, for example by sending frames that are malformed or that should
not be sent in a particular stream state, therefore forcing the server to consume
resources such as CPU and memory. For example, a client can open a stream and then
send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per
specification (https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update), the
server should send a RST_STREAM frame. The client can now open another stream and
send another bad WINDOW_UPDATE, therefore causing the server to consume more
resources than necessary, as this case does not exceed the max number of concurrent
streams, yet the client is able to create an enormous amount of streams in a short
period of time. The attack can be performed with other conditions (for example, a
DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.
Links:
- https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h |
| CVE-2019-10768 |
In AngularJS before 1.7.9 the function `merge()` could be tricked into adding
or modifying properties of `Object.prototype` using a `__proto__` payload. |
| CVE-2022-2048 |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid
HTTP/2 request, the error handling has a bug that can wind up not properly cleaning
up the active connections and associated resources. This can lead to a Denial of
Service scenario where there are not enough resources left to process good
requests. |
| CVE-2023-36478 |
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0
through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer
overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to
exceed their size limit. `MetaDataBuilder.java` determines if a header name or value
exceeds the size limit, and throws an exception if the limit is exceeded. However,
when length is very large and huffman is true, the multiplication by 4 in line 295
will overflow, and length will become negative. `(_size+length)` will now be
negative, and the check on line 296 will not be triggered. Furthermore,
`MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be
negative, potentially leading to a very large buffer allocation later on when the
user-entered size is multiplied by 2. This means that if a user provides a negative
length value (or, more precisely, a length value which, when multiplied by the 4/3
fudge factor, is negative), and this length value is a very large positive number
when multiplied by 2, then the user can cause a very large buffer to be allocated on
the server. Users of HTTP/2 can be impacted by a remote denial of service attack.
The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no
known workarounds. |
| CVE-2023-44487 |
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly, as exploited in the
wild in August through October 2023. |
| CVE-2024-22201 |
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection
that is established and TCP congested will be leaked when it times out. An attacker
can cause many connections to end up in this state, and the server may run out of
file descriptors, eventually causing the server to stop accepting new connections
from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and
12.0.6. |
| CVE-2024-9823 |
There exists a security vulnerability in Jetty's DosFilter which can be
exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on
a server using DosFilter. By repeatedly sending crafted requests, attackers can
trigger OutOfMemory errors and eventually exhaust the server's memory. |
| CVE-2023-50386 |
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of
File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere
vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through
8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted
Java jar and class files to be uploaded through the ConfigSets API. When backing up
Solr Collections, these configSet files would be saved to disk when using the
LocalFileSystemRepository (the default for backups). If the backup was saved to a
directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files
would be available to use with any ConfigSet, trusted or untrusted. When Solr is run
in a secure way (Authorization enabled), as is strongly suggested, this
vulnerability is limited to extending the Backup permissions with the ability to add
libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix
the issue. In these versions, the following protections have been added: * Users are
no longer able to upload files to a configSet that could be executed via a Java
ClassLoader. * The Backup API restricts saving backups to directories that are used
in the ClassLoader. |
| CVE-2023-50291 |
Insufficiently Protected Credentials vulnerability in Apache Solr. This issue
affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the
two endpoints that publishes the Solr process' Java system properties,
/admin/info/properties, was only set up to hide system properties that had "password"
contained in the name. There are a number of sensitive system properties, such as
"basicauth" and "aws.secretKey", that do not contain "password", so their values were
published via the "/admin/info/properties" endpoint. This endpoint populates the
list of System Properties on the home screen of the Solr Admin page, making the
exposed credentials visible in the UI. This /admin/info/properties endpoint is
protected under the "config-read" permission. Therefore, Solr Clouds with
Authorization enabled will only be vulnerable through logged-in users that have the
"config-read" permission. Users are recommended to upgrade to version 9.3.0 or
8.11.3, which fixes the issue. A single option now controls hiding Java system
properties for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive
properties are hidden (including "-Dbasicauth"), as well as any property with a name
containing "secret" or "password". Users who cannot upgrade can also use the
following Java system property to fix the issue:
'-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*' |
| CVE-2023-50292 |
Incorrect Permission Assignment for Critical Resource, Improper Control of
Dynamically-Managed Code Resources vulnerability in Apache Solr. This issue affects
Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0. The Schema
Designer was introduced to allow users to more easily configure and test new Schemas
and configSets. However, when the feature was created, the "trust" (authentication)
of these configSets was not considered. External library loading is only available
to configSets that are "trusted" (created by authenticated users), thus
non-authenticated users are unable to perform Remote Code Execution. Since the
Schema Designer loaded configSets without taking their "trust" into account,
configSets that were created by unauthenticated users were allowed to load external
libraries when used in the Schema Designer. Users are recommended to upgrade to
version 9.3.0, which fixes the issue. |
| CVE-2023-50298 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in
Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0
before 9.4.1. Solr Streaming Expressions allows users to extract data from other
Solr Clouds, using a "zkHost" parameter. When the original SolrCloud is set up to use
ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user
provides. An attacker could set up a server to mock ZooKeeper, that accepts ZooKeeper
requests with credentials and ACLs and extracts the sensitive information, then send
a streaming expression using the mock server's address in "zkHost". Streaming
Expressions are exposed via the "/streaming" handler, with "read" permissions. Users
are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. From
these versions on, only zkHost values that have the same server address (regardless
of chroot) will use the given ZooKeeper credentials and ACLs when
connecting. |
| CVE-2025-66524 |
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which
requires integration with a configurable Distribute Map Cache Client Service for
storing and retrieving state information. The GetAsanaObject Processor used generic
Java Object serialization and deserialization without filtering. Unfiltered Java
object deserialization does not provide protection against crafted state information
stored in the cache server configured for GetAsanaObject. Exploitation requires an
Apache NiFi system running with the GetAsanaObject Processor, and direct access to
the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended
mitigation, which replaces Java Object serialization with JSON serialization.
Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar
bundle also prevents exploitation. |
| CVE-2020-14734 |
Vulnerability in the Oracle Text component of Oracle Database Server. Supported
versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult
to exploit vulnerability allows unauthenticated attacker with network access via
Oracle Net to compromise Oracle Text. Successful attacks of this vulnerability can
result in takeover of Oracle Text. CVSS 3.1 Base Score 8.1 (Confidentiality,
Integrity and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). |
| CVE-2017-15288 |
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and
2.12.x before 2.12.4 uses weak permissions for private files in
/tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users
to write to arbitrary class files and consequently gain privileges. |
| CVE-2023-45142 |
OpenTelemetry-Go Contrib is a collection of third-party packages for
OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and
`http.method` that have unbound cardinality. It leads to the server's potential
memory exhaustion when many malicious requests are sent to it. HTTP header
User-Agent or HTTP method for requests can be easily set by an attacker to be random
and long. The library internally uses `httpconv.ServerRequest` that records every
value for HTTP `method` and `User-Agent`. In order to be affected, a program has to
use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or
User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed
this issue when the values collected for attribute `http.request.method` were
changed to be restricted to a set of well-known values and other high cardinality
attributes were removed. As a workaround to stop being affected,
`otelhttp.WithFilter()` can be used, but it requires manual careful configuration to
not log certain requests entirely. For convenience and safe usage of this library,
it should by default label non-standard HTTP methods and User agents as `unknown`,
to show that such requests were made without increasing cardinality. In
case someone wants to stay with the current behavior, the library API should allow
enabling it. |
| CVE-2023-47108 |
OpenTelemetry-Go Contrib is a collection of third-party packages for
OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc
Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and
`net.peer.sock.port` that have unbound cardinality. It leads to the server's
potential memory exhaustion when many malicious requests are sent. An attacker can
easily flood the peer address and port for requests. Version 0.46.0 contains a fix
for this issue. As a workaround to stop being affected, a view removing the
attributes can be used. The other possibility is to disable grpc metrics
instrumentation by passing `otelgrpc.WithMeterProvider` option with
`noop.NewMeterProvider`. |
| CVE-2025-54920 |
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended
to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary:
Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in
the Spark History Web UI due to overly permissive Jackson deserialization of event
log data. This allows an attacker with access to the Spark event logs directory to
inject malicious JSON payloads that trigger deserialization of arbitrary classes,
enabling command execution on the host running the Spark History Server. Details: The
vulnerability arises because the Spark History Server uses Jackson polymorphic
deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing
an attacker to specify arbitrary class names in the event JSON. This behavior
permits instantiating unintended classes, such as
org.apache.hive.jdbc.HiveConnection, which can perform network calls or other
malicious actions during deserialization. The attacker can exploit this by injecting
crafted JSON content into the Spark event log files, which the History Server then
deserializes on startup or when loading event logs. For example, the attacker can
force the History Server to open a JDBC connection to a remote attacker-controlled
server, demonstrating remote command injection capability. Proof of Concept: 1. Run
Spark with event logging enabled, writing to a writable directory (spark-logs). 2.
Inject the following JSON at the beginning of an event log file: { "Event":
"org.apache.hive.jdbc.HiveConnection", "uri":
"jdbc:hive2://<IP>:<PORT>/", "info": { "hive.metastore.uris":
"thrift://<IP>:<PORT>" } } 3. Start the Spark History Server with logs
pointing to the modified directory. 4. The Spark History Server initiates a JDBC
connection to the attacker's server, confirming the injection. Impact: An attacker
with write access to Spark event logs can execute arbitrary code on the server
running the History Server, potentially compromising the entire system. |
| CVE-2025-54988 |
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13
through and including 3.2.1 on all platforms allows an attacker to carry out XML
External Entity injection via a crafted XFA file inside of a PDF. An attacker may be
able to read sensitive data or trigger malicious requests to internal resources or
third-party servers. Note that the tika-parser-pdf-module is used as a dependency in
several Tika packages including at least: tika-parsers-standard-modules,
tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users
are recommended to upgrade to version 3.2.2, which fixes this issue. |
| CVE-2026-24734 |
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat
Native code) did not complete verification or freshness checks on the OCSP response
which could allow certificate revocation to be bypassed. This issue affects Apache
Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat:
from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through
9.0.114. The following versions were EOL at the time the CVE was created but are
known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older
EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade
to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat
users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or
9.0.115 or later which fix the issue. |
| CVE-2026-25639 |
Axios is a promise based HTTP client for the browser and Node.js. Prior to
versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a
TypeError when processing configuration objects containing __proto__ as an own
property. An attacker can trigger this by providing a malicious configuration object
created via JSON.parse(), causing complete denial of service. This vulnerability is
fixed in versions 0.30.3 and 1.13.5. |
| CVE-2025-11965 |
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler
configuration for restricting access to hidden files fails to restrict access to
hidden directories, allowing unauthorized users to retrieve files within them (e.g.
'.git/config'). |
| CVE-2017-18214 |
The moment module before 2.19.3 for Node.js is prone to a regular expression
denial of service via a crafted date string, a different vulnerability than
CVE-2016-4055. |
| CVE-2022-24785 |
Moment.js is a JavaScript date library for parsing, validating, manipulating,
and formatting dates. A path traversal vulnerability impacts npm (server) users of
Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale
string is directly used to switch moment locale. This problem is patched in 2.29.2,
and the patch can be applied to all affected versions. As a workaround, sanitize the
user-provided locale name before passing it to Moment.js. |
| CVE-2022-1271 |
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility.
When zgrep is applied to a file name of the attacker's choosing (for example, a crafted
file name), it can write attacker-controlled content to an arbitrary
attacker-selected file. This flaw occurs due to insufficient validation when
processing file names with two or more newlines, where the selected content and the
target file name are embedded in the crafted multi-line file name. This flaw allows a
remote, low-privileged attacker to force zgrep to write arbitrary files on the
system. |
| CVE-2015-4035 |
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly
process file names containing semicolons, which allows remote attackers to execute
arbitrary code by having a user run xzgrep on a crafted file name. |