U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): Apache
There are 2,422 matching records.
Displaying matches 201 through 220.
Vuln ID Summary CVSS Severity
CVE-2023-40037

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

Published: August 18, 2023; 6:15:10 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2023-40272

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.

Published: August 17, 2023; 10:15:10 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-39553

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server. This issue affects Apache Airflow Drill Provider: before 2.4.3. It is recommended to upgrade to a version that is not affected.

Published: August 11, 2023; 4:15:09 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-33934

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1.

Published: August 09, 2023; 3:15:10 AM -0400
V3.1: 9.1 CRITICAL
V2.0:(not available)
CVE-2022-47185

Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1.

Published: August 09, 2023; 3:15:09 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-38188

Azure Apache Hadoop Spoofing Vulnerability

Published: August 08, 2023; 2:15:23 PM -0400
V3.1: 4.5 MEDIUM
V2.0:(not available)
CVE-2023-36881

Azure Apache Ambari Spoofing Vulnerability

Published: August 08, 2023; 2:15:14 PM -0400
V3.1: 4.5 MEDIUM
V2.0:(not available)
CVE-2023-36877

Azure Apache Oozie Spoofing Vulnerability

Published: August 08, 2023; 2:15:14 PM -0400
V3.1: 4.5 MEDIUM
V2.0:(not available)
CVE-2023-35393

Azure Apache Hive Spoofing Vulnerability

Published: August 08, 2023; 2:15:13 PM -0400
V3.1: 4.5 MEDIUM
V2.0:(not available)
CVE-2023-37581

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.2 and you should disable Roller's File Upload feature. 

Published: August 06, 2023; 4:15:09 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-39508

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0 This issue affects Apache Airflow: before 2.6.0.

Published: August 05, 2023; 3:15:43 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-36542

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.

Published: July 29, 2023; 4:15:48 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-38435

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Apache Felix Healthcheck Webconsole Plugin version 2.0.2 and prior may allow an attacker to perform a reflected cross-site scripting (XSS) attack. Upgrade to Apache Felix Healthcheck Webconsole Plugin 2.1.0 or higher.

Published: July 25, 2023; 12:15:11 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-35088

Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.  In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8198

Published: July 25, 2023; 4:15:10 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-34434

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.  The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 .

Published: July 25, 2023; 4:15:10 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-34189

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could use general users to delete and update the process, which only the admin can operate occurrences.  Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8109  to solve it.

Published: July 25, 2023; 4:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2023-34478

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

Published: July 24, 2023; 3:15:10 PM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-28754

Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file. The attacker needs to have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine can access the URL with the arbitrary code JAR. An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. When the ShardingSphere JVM process starts and uses the ShardingSphere-Agent, the arbitrary code specified by the attacker will be executed during the deserialization of the YAML configuration file by the Agent. This issue affects ShardingSphere-Agent: through 5.3.2. This vulnerability is fixed in Apache ShardingSphere 5.4.0.

Published: July 19, 2023; 4:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-26512

CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.

Published: July 17, 2023; 4:15:09 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-37415

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797 Before 6.1.2 the proxy_user option can also inject semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.

Published: July 13, 2023; 4:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)