Filtered by vendor Apache
Subscribe
Total
2393 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27296 | 1 Apache | 1 Inlong | 2024-11-21 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 | |||||
| CVE-2023-26513 | 1 Apache | 1 Sling Resource Merger | 2024-11-21 | N/A | 7.5 HIGH |
| Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2. | |||||
| CVE-2023-26512 | 4 Apache, Apple, Linux and 1 more | 4 Eventmesh, Macos, Linux Kernel and 1 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible. | |||||
| CVE-2023-26268 | 2 Apache, Ibm | 2 Couchdb, Cloudant | 2024-11-21 | N/A | 4.4 MEDIUM |
| Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment. | |||||
| CVE-2023-25956 | 1 Apache | 1 Apache-airflow-providers-amazon | 2024-11-21 | N/A | 7.5 HIGH |
| Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1. | |||||
| CVE-2023-25753 | 1 Apache | 1 Shenyu | 2024-11-21 | N/A | 6.5 MEDIUM |
| There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. This issue affects Apache ShenYu: 2.5.1. Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 . | |||||
| CVE-2023-25696 | 1 Apache | 1 Apache-airflow-providers-apache-hive | 2024-11-21 | N/A | 9.8 CRITICAL |
| Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3. | |||||
| CVE-2023-25613 | 1 Apache | 1 Identity Backend | 2024-11-21 | N/A | 9.8 CRITICAL |
| An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. | |||||
| CVE-2023-25197 | 1 Apache | 1 Fineract | 2024-11-21 | N/A | 6.3 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components. This issue affects apache fineract: from 1.4 through 1.8.2. | |||||
| CVE-2023-25196 | 1 Apache | 1 Fineract | 2024-11-21 | N/A | 4.3 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2. | |||||
| CVE-2023-25195 | 1 Apache | 1 Fineract | 2024-11-21 | N/A | 8.1 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3. | |||||
| CVE-2023-24831 | 1 Apache | 1 Iotdb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4. | |||||
| CVE-2023-23638 | 1 Apache | 1 Dubbo | 2024-11-21 | N/A | 5.0 MEDIUM |
| A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. | |||||
| CVE-2023-22946 | 1 Apache | 1 Spark | 2024-11-21 | N/A | 6.4 MEDIUM |
| In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications. | |||||
| CVE-2023-22888 | 1 Apache | 1 Airflow | 2024-11-21 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected | |||||
| CVE-2023-22887 | 1 Apache | 1 Airflow | 2024-11-21 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected | |||||
| CVE-2023-22886 | 1 Apache | 1 Apache-airflow-providers-jdbc | 2024-11-21 | N/A | 8.8 HIGH |
| Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission. This issue affects Apache Airflow JDBC Provider: before 4.0.0. | |||||
| CVE-2023-22665 | 1 Apache | 1 Jena | 2024-11-21 | N/A | 5.4 MEDIUM |
| There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query. | |||||
| CVE-2023-22602 | 2 Apache, Vmware | 2 Shiro, Spring Boot | 2024-11-21 | N/A | 7.5 HIGH |
| When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` | |||||
| CVE-2022-47937 | 1 Apache | 1 Sling Commons Json | 2024-11-21 | N/A | 9.8 CRITICAL |
| Improper input validation in the Apache Sling Commons JSON bundle allows an attacker to trigger unexpected errors by supplying specially-crafted input. The org.apache.sling.commons.json bundle has been deprecated as of March 2017 and should not be used anymore. Consumers are encouraged to consider the Apache Sling Commons Johnzon OSGi bundle provided by the Apache Sling project, but may of course use other JSON libraries. | |||||