Search Results (Refine Search)
- Keyword (text search): Apache
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-29216 |
In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2. Published: April 10, 2023; 4:15:07 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-29215 |
In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2. Published: April 10, 2023; 4:15:07 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-27987 |
In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1] https://linkis.apache.org/docs/latest/auth/token https://linkis.apache.org/docs/latest/auth/token Published: April 10, 2023; 4:15:07 AM -0400 |
V3.1: 9.1 CRITICAL V2.0:(not available) |
CVE-2023-27603 |
In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. We recommend users upgrade the version of Linkis to version 1.3.2. Published: April 10, 2023; 4:15:07 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-27602 |
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true` Published: April 10, 2023; 4:15:06 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-28710 |
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.This issue affects Apache Airflow Spark Provider: before 4.0.1. Published: April 07, 2023; 11:15:08 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-28707 |
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2. Published: April 07, 2023; 11:15:08 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-28706 |
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 6.0.0. Published: April 07, 2023; 11:15:08 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-28625 |
mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`. Published: April 03, 2023; 10:15:07 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-26269 |
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users. Published: April 03, 2023; 4:15:07 AM -0400 |
V3.1: 7.8 HIGH V2.0:(not available) |
CVE-2023-28935 |
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. When using the "Distributed UIMA Cluster Computing" (DUCC) module of Apache UIMA, an authenticated user that has the permissions to modify core entities can cause command execution as the system user that runs the web process. As the "Distributed UIMA Cluster Computing" module for UIMA is retired, we do not plan to release a fix for this issue. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Published: March 30, 2023; 6:15:07 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-1663 |
Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. The root cause of this vulnerability is an insecurely configured servlet mapping for the underlying Apache Tomcat server. As a result, the downloads directory and its contents are accessible. 5.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C) Published: March 29, 2023; 10:15:07 AM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-28326 |
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room Published: March 28, 2023; 9:15:07 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-25197 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components. This issue affects apache fineract: from 1.4 through 1.8.2. Published: March 28, 2023; 8:15:07 AM -0400 |
V3.1: 6.3 MEDIUM V2.0:(not available) |
CVE-2023-25196 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2. Published: March 28, 2023; 8:15:07 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-25195 |
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3. Published: March 28, 2023; 8:15:07 AM -0400 |
V3.1: 8.1 HIGH V2.0:(not available) |
CVE-2023-27296 |
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 Published: March 27, 2023; 11:15:08 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2022-47502 |
Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution. Published: March 24, 2023; 12:15:08 PM -0400 |
V3.1: 7.8 HIGH V2.0:(not available) |
CVE-2022-38745 |
Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory. Published: March 24, 2023; 12:15:08 PM -0400 |
V3.1: 7.8 HIGH V2.0:(not available) |
CVE-2023-28708 |
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Published: March 22, 2023; 7:15:10 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |