CISA Catalog
Data sourced from the official CISA Known Exploited Vulnerabilities Catalog. Federal agencies are required to remediate these vulnerabilities by the due date per BOD 22-01.
KEV Entries: 1,619
Ransomware Use: 327
Overdue: 1,615
Vendors: 266
Products: 655
Apache Airflow Command Injection
Apache · Airflow
A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow.
Required Action
Apply updates per vendor instructions.
Apache Airflow's Experimental API Authentication Bypass
Apache · Airflow's Experimental API
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication.
Required Action
Apply updates per vendor instructions.
Apache Solr DataImportHandler Code Injection Vulnerability
Apache · Solr
The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
Required Action
Apply updates per vendor instructions.
Apache Log4j2 Remote Code Execution Vulnerability
Apache · Log4j2
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
Required Action
For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.
Apache HTTP Server-Side Request Forgery (SSRF)
Apache · Apache
A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
Required Action
Apply updates per vendor instructions.
Apache Struts Deserialization of Untrusted Data Vulnerability
Apache · Struts
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
Required Action
Apply updates per vendor instructions.
Apache HTTP Server Path Traversal Vulnerability
Apache · HTTP Server
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under the default "require all denied" or if CGI scripts are enabled. This CVE ID resolves an incomplete patch for CVE-2021-41773.
Required Action
Apply updates per vendor instructions.
Apache HTTP Server Path Traversal Vulnerability
Apache · HTTP Server
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under the default "require all denied" or if CGI scripts are enabled. The original patch issued under this CVE ID is insufficient; please review the remediation information under CVE-2021-42013.
Required Action
Apply updates per vendor instructions.
Apache HTTP Server Privilege Escalation Vulnerability
Apache · HTTP Server
In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute code with the privileges of the parent process (usually root) by manipulating the scoreboard.
Required Action
Apply updates per vendor instructions.
Apache Shiro Code Execution Vulnerability
Apache · Shiro
Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.
Required Action
Apply updates per vendor instructions.
Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability
Apache · Solr
The Apache Solr VelocityResponseWriter plug-in contains an unspecified vulnerability which can allow for remote code execution.
Required Action
Apply updates per vendor instructions.
Apache Struts Remote Code Execution Vulnerability
Apache · Struts
Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.
Required Action
Apply updates per vendor instructions.
Apache Struts Remote Code Execution Vulnerability
Apache · Struts
Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.
Required Action
Apply updates per vendor instructions.
Apache Struts Remote Code Execution Vulnerability
Apache · Struts
Apache Struts contains a vulnerability that allows for remote code execution under two circumstances: first, where the alwaysSelectFullNamespace option is true, the value isn't set for a result defined in the underlying configurations, and at the same time its upper package configuration has no namespace or a wildcard namespace; or second, when using a URL tag that has neither value nor action set while its upper package configuration has no namespace or a wildcard namespace.
Required Action
Apply updates per vendor instructions.