U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): Apache
There are 2,422 matching records.
Displaying matches 301 through 320.
Vuln ID Summary CVSS Severity
CVE-2023-29216

In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2.

Published: April 10, 2023; 4:15:07 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-29215

In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2.

Published: April 10, 2023; 4:15:07 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-27987

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1] https://linkis.apache.org/docs/latest/auth/token https://linkis.apache.org/docs/latest/auth/token

Published: April 10, 2023; 4:15:07 AM -0400
V3.1: 9.1 CRITICAL
V2.0:(not available)
CVE-2023-27603

In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. We recommend users upgrade the version of Linkis to version 1.3.2.

Published: April 10, 2023; 4:15:07 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-27602

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2.  For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true`

Published: April 10, 2023; 4:15:06 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-28710

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.This issue affects Apache Airflow Spark Provider: before 4.0.1.

Published: April 07, 2023; 11:15:08 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-28707

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2.

Published: April 07, 2023; 11:15:08 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-28706

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 6.0.0.

Published: April 07, 2023; 11:15:08 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-28625

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.

Published: April 03, 2023; 10:15:07 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-26269

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

Published: April 03, 2023; 4:15:07 AM -0400
V3.1: 7.8 HIGH
V2.0:(not available)
CVE-2023-28935

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. When using the "Distributed UIMA Cluster Computing" (DUCC) module of Apache UIMA, an authenticated user that has the permissions to modify core entities can cause command execution as the system user that runs the web process. As the "Distributed UIMA Cluster Computing" module for UIMA is retired, we do not plan to release a fix for this issue. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Published: March 30, 2023; 6:15:07 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-1663

Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. The root cause of this vulnerability is an insecurely configured servlet mapping for the underlying Apache Tomcat server. As a result, the downloads directory and its contents are accessible. 5.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C)

Published: March 29, 2023; 10:15:07 AM -0400
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2023-28326

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room

Published: March 28, 2023; 9:15:07 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-25197

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components.   This issue affects apache fineract: from 1.4 through 1.8.2.

Published: March 28, 2023; 8:15:07 AM -0400
V3.1: 6.3 MEDIUM
V2.0:(not available)
CVE-2023-25196

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components.   This issue affects Apache Fineract: from 1.4 through 1.8.2.

Published: March 28, 2023; 8:15:07 AM -0400
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2023-25195

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.  This issue affects Apache Fineract: from 1.4 through 1.8.3.

Published: March 28, 2023; 8:15:07 AM -0400
V3.1: 8.1 HIGH
V2.0:(not available)
CVE-2023-27296

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1]  https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422

Published: March 27, 2023; 11:15:08 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-47502

Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution.

Published: March 24, 2023; 12:15:08 PM -0400
V3.1: 7.8 HIGH
V2.0:(not available)
CVE-2022-38745

Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

Published: March 24, 2023; 12:15:08 PM -0400
V3.1: 7.8 HIGH
V2.0:(not available)
CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Published: March 22, 2023; 7:15:10 AM -0400
V3.1: 4.3 MEDIUM
V2.0:(not available)