Filtered by vendor Apache
Total: 2223 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-46651 | 1 Apache | 1 Airflow | 2023-07-20 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability. | |||||
| CVE-2023-37582 | 1 Apache | 1 Rocketmq | 2023-07-20 | N/A | 9.8 CRITICAL |
| The RocketMQ NameServer component still has a remote command execution vulnerability because the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer addresses are exposed on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update-configuration function of the NameServer component to execute commands as the system user that RocketMQ runs as. Users are recommended to upgrade NameServer to 5.1.2 or above for RocketMQ 5.x, or 4.9.7 or above for RocketMQ 4.x, to prevent these attacks. | |||||
| CVE-2022-42009 | 1 Apache | 1 Ambari | 2023-07-20 | N/A | 8.8 HIGH |
| SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7. | |||||
| CVE-2022-45855 | 1 Apache | 1 Ambari | 2023-07-20 | N/A | 8.8 HIGH |
| SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7. | |||||
| CVE-2023-32200 | 1 Apache | 1 Jena | 2023-07-20 | N/A | 8.8 HIGH |
| There are insufficient restrictions on called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute JavaScript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0. | |||||
| CVE-2023-34442 | 1 Apache | 1 Camel | 2023-07-17 | N/A | 3.3 LOW |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel. This issue affects Apache Camel: from 3.X through <=3.14.8, from 3.18.X through <=3.18.7, from 3.20.X through <=3.20.5, from 4.X through <=4.0.0-M3. Users should upgrade to 3.14.9, 3.18.8, 3.20.6 or 3.21.0, and users on Camel 4.x should update to 4.0.0-M1. | |||||
| CVE-2022-40743 | 1 Apache | 1 Traffic Server | 2023-07-17 | N/A | 6.1 MEDIUM |
| Improper Input Validation vulnerability in the xdebug plugin of Apache Software Foundation Apache Traffic Server can lead to cross-site scripting and cache poisoning attacks. This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions. | |||||
| CVE-2023-33008 | 1 Apache | 1 Johnzon | 2023-07-14 | N/A | 5.3 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft JSON input containing very large numbers (such as 1e20000000) that Apache Johnzon deserializes into a BigDecimal; numbers this large are slow to convert, which is a denial-of-service risk. Apache Johnzon 1.2.21 mitigates this by applying a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20. | |||||
| CVE-2023-35797 | 1 Apache | 1 Apache-airflow-providers-apache-hive | 2023-07-13 | N/A | 9.8 CRITICAL |
| Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. Before version 6.1.1 it was possible to bypass the security check and reach RCE via the principal parameter. Exploitation requires access to modify the connection details. It is recommended to update the provider to version 6.1.1 in order to avoid this vulnerability. | |||||
| CVE-2023-33246 | 1 Apache | 1 Rocketmq | 2023-07-12 | N/A | 9.8 CRITICAL |
| For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. When several components of RocketMQ, including NameServer, Broker, and Controller, are exposed on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update-configuration function to execute commands as the system user that RocketMQ runs as. Additionally, an attacker can achieve the same effect by forging RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for RocketMQ 5.x, or 4.9.6 or above for RocketMQ 4.x. | |||||
| CVE-2022-45935 | 1 Apache | 1 James | 2023-07-12 | N/A | 5.5 MEDIUM |
| Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to read private user data in transit. Vulnerable components include the SMTP stack and the IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions. | |||||
| CVE-2022-26650 | 1 Apache | 1 Shenyu | 2023-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This allows an attacker to pass in malicious regular expressions and input, causing resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. | |||||
| CVE-2022-25763 | 3 Apache, Debian, Fedoraproject | 3 Traffic Server, Debian Linux, Fedora | 2023-07-12 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to carry out request smuggling or cache poisoning attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||||
| CVE-2022-25598 | 1 Apache | 1 Dolphinscheduler | 2023-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Apache DolphinScheduler user registration is vulnerable to Regular expression Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. | |||||
| CVE-2022-28331 | 2 Apache, Microsoft | 2 Portable Runtime, Windows | 2023-07-07 | N/A | 9.8 CRITICAL |
| On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow. | |||||
| CVE-2022-23913 | 2 Apache, Netapp | 3 Activemq Artemis, Active Iq Unified Manager, Oncommand Workflow Automation | 2023-07-07 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. | |||||
| CVE-2023-22886 | 1 Apache | 1 Apache-airflow-providers-jdbc | 2023-07-06 | N/A | 8.8 HIGH |
| Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. The Airflow JDBC Provider Connection's [Connection URL] parameters had no restrictions, which made it possible to achieve RCE via various JDBC drivers and obtain the privileges of the Airflow server. This issue affects Apache Airflow JDBC Provider: before 4.0.0. | |||||
| CVE-2023-34396 | 1 Apache | 1 Struts | 2023-07-06 | N/A | 7.5 HIGH |
| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. | |||||
| CVE-2023-34149 | 1 Apache | 1 Struts | 2023-07-06 | N/A | 6.5 MEDIUM |
| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. | |||||
| CVE-2023-35798 | 1 Apache | 2 Apache-airflow-providers-microsoft-mssql, Apache-airflow-providers-odbc | 2023-07-06 | N/A | 4.3 MEDIUM |
| Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider and Apache Software Foundation Apache Airflow MSSQL Provider. This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it. This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1. It is recommended to upgrade to a version that is not affected. | |||||
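Three of the entries above describe a bug class rather than a product-specific logic flaw, and each is easier to recognise in code than in a one-line summary. The examples below are added illustrations written for this page; they are not code from Johnzon, James or ShenYu, and every class, method and limit in them is a hypothetical stand-in chosen to mirror what the advisory text says.

For CVE-2023-33008 (Apache Johnzon): constructing `new BigDecimal("1e20000000")` is cheap, because the exponent is stored as an `int` scale, but anything that expands the value (here `toBigInteger()`) materialises a 20-million-digit integer. The guard below rejects the value on its scale before any expansion, which is the shape of the 1000-scale default the advisory describes.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

/** Added illustration of the CVE-2023-33008 bug class; not Johnzon's code. */
public class BigDecimalLimitDemo {
    /** Hypothetical limit on |scale| accepted from untrusted JSON, mirroring the advisory's default of 1000. */
    public static final int MAX_SCALE = 1000;

    /** Unsafe shape: parse, then eagerly expand. The parse is cheap; the expansion is not. */
    public static BigInteger parseUnsafe(String numberToken) {
        return new BigDecimal(numberToken).toBigInteger();
    }

    /** Hardened shape: parse (exponent stays an int), check the scale, and only then hand the value on. */
    public static BigDecimal parseBounded(String numberToken) {
        BigDecimal value;
        try {
            value = new BigDecimal(numberToken);          // also throws for exponents that overflow int
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not a JSON number: " + numberToken, e);
        }
        if (Math.abs(value.scale()) > MAX_SCALE) {
            throw new IllegalArgumentException("number scale " + value.scale() + " exceeds limit " + MAX_SCALE);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary JSON number and the 1e20000000 shape from the advisory.
        System.out.println(parseBounded("123.456e3"));    // 123456
        try {
            parseBounded("1e20000000");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // parseUnsafe("1e20000000") would instead burn CPU and memory building 10^20000000.
    }
}
```

For CVE-2022-45935 (Apache James): the difference between a spool file other local users can read and one they cannot is which temp-file API is used and whether permissions are fixed at creation rather than after the data is written. The check below runs on a POSIX filesystem (it uses `Files.getPosixFilePermissions`, which throws on Windows) and reports what each API actually produced under the current umask.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Added illustration of the CVE-2022-45935 bug class; not James's code, method names are hypothetical. */
public class TempFilePermissionsDemo {

    /** Legacy java.io API: the file mode is 0666 masked by the process umask, typically 0644 (world-readable). */
    public static Path spoolLegacy(byte[] message) throws IOException {
        File f = File.createTempFile("mail-", ".spool");
        Files.write(f.toPath(), message);
        return f.toPath();
    }

    /** NIO API with owner-only permissions applied atomically at creation, before any data is written. */
    public static Path spoolPrivate(byte[] message) throws IOException {
        Set<PosixFilePermission> ownerOnly = EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        Path p = Files.createTempFile("mail-", ".spool", PosixFilePermissions.asFileAttribute(ownerOnly));
        Files.write(p, message);
        return p;
    }

    /** True if any principal other than the owner can read the file. */
    public static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample message; the content is irrelevant, only the file mode matters.
        byte[] message = "Subject: hello\r\n\r\nconstructed sample body\r\n".getBytes(StandardCharsets.US_ASCII);
        Path legacy = spoolLegacy(message);
        Path safe = spoolPrivate(message);
        System.out.println("legacy  " + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy))
                + " leaks=" + readableByOthers(legacy));
        System.out.println("private " + PosixFilePermissions.toString(Files.getPosixFilePermissions(safe))
                + " leaks=" + readableByOthers(safe));
        Files.deleteIfExists(legacy);
        Files.deleteIfExists(safe);
    }
}
```

For CVE-2022-26650 (Apache ShenYu): `Pattern.matches(pattern, data)` with both arguments under request control lets a caller pick a nested-quantifier pattern and a subject that makes it backtrack exponentially. `java.util.regex` cannot be interrupted, so the hardened form below bounds pattern and input length, compiles the pattern once from where it is configured rather than per request, and routes matching through a `CharSequence` that checks a wall-clock deadline on every `charAt`, which is the usual way to abort a runaway match in Java.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/** Added illustration of the CVE-2022-26650 bug class; not ShenYu's code, names and limits are hypothetical. */
public class RegexPredicateDemo {

    /** Vulnerable shape: compiles and matches whatever the caller supplies, with no bound of any kind. */
    public static boolean judgeUnsafe(String conditionPattern, String realData) {
        return Pattern.matches(conditionPattern, realData);
    }

    /** Hardened shape: bounded pattern, precompiled once, bounded input, and a time budget on each match. */
    public static final class BoundedRegexJudge {
        private static final int MAX_PATTERN_LEN = 256;
        private static final int MAX_INPUT_LEN = 4096;
        private final Pattern compiled;
        private final long budgetNanos;

        public BoundedRegexJudge(String configuredPattern, long budgetMillis) {
            if (configuredPattern.length() > MAX_PATTERN_LEN) {
                throw new IllegalArgumentException("pattern too long");
            }
            try {
                this.compiled = Pattern.compile(configuredPattern);
            } catch (PatternSyntaxException e) {
                throw new IllegalArgumentException("invalid pattern", e);
            }
            this.budgetNanos = TimeUnit.MILLISECONDS.toNanos(budgetMillis);
        }

        public boolean judge(String realData) {
            if (realData.length() > MAX_INPUT_LEN) {
                return false;                         // never hand unbounded input to the engine
            }
            long deadline = System.nanoTime() + budgetNanos;
            try {
                return compiled.matcher(new DeadlineCharSequence(realData, deadline)).matches();
            } catch (MatchTimeoutException e) {
                return false;                         // a blown budget is "no match"; log it in real code
            }
        }
    }

    /** Thrown from inside the matcher when the budget is exceeded. */
    public static final class MatchTimeoutException extends RuntimeException {
        MatchTimeoutException() { super("regex match exceeded time budget"); }
    }

    /** Every character the engine reads goes through charAt(), so the clock check there aborts backtracking. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadline;
        DeadlineCharSequence(CharSequence inner, long deadline) { this.inner = inner; this.deadline = deadline; }
        @Override public int length() { return inner.length(); }
        @Override public char charAt(int i) {
            if (System.nanoTime() > deadline) throw new MatchTimeoutException();
            return inner.charAt(i);
        }
        @Override public CharSequence subSequence(int s, int e) { return new DeadlineCharSequence(inner.subSequence(s, e), deadline); }
        @Override public String toString() { return inner.toString(); }
    }

    public static void main(String[] args) {
        // Constructed hostile pair: nested quantifier plus a subject that can never match because of the tail.
        String evilPattern = "(a+)+$";
        String evilData = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!";

        BoundedRegexJudge benign = new BoundedRegexJudge("^[a-z]+$", 50);
        System.out.println("benign: " + benign.judge("hello"));        // true

        BoundedRegexJudge hostile = new BoundedRegexJudge(evilPattern, 50);
        long t0 = System.nanoTime();
        boolean r = hostile.judge(evilData);                            // false, returned at the ~50 ms budget
        System.out.println("hostile: " + r + " in " + (System.nanoTime() - t0) / 1_000_000 + " ms");
        // judgeUnsafe(evilPattern, evilData) would instead backtrack through roughly 2^35 states.
    }
}
```

The deadline trick only bounds time per match; it does not stop a caller from submitting many such requests in parallel, so the length limits and keeping the pattern out of request control are the parts that actually remove the attack surface the advisory describes.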
