CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49582 – Apache Portable Runtime (APR): Unexpected lax shared memory permissions
https://notcve.org/view.php?id=CVE-2023-49582
Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to upgrade to APR version 1.7.5, which fixes this issue. • https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41937 – Apache Airflow: Stored XSS Vulnerability on provider link
https://notcve.org/view.php?id=CVE-2024-41937
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. • https://github.com/apache/airflow/pull/40933 https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22281 – Apache Helix Front (UI): Helix front hard-coded secret in the express-session
https://notcve.org/view.php?id=CVE-2024-22281
The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. This issue affects Apache Helix Front (UI): all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://lists.apache.org/thread/zt26fpmrqx3fzcy8nv3b43kb3xllo5ny • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43202 – Apache DolphinScheduler: Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-43202
Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue. • https://github.com/apache/dolphinscheduler/pull/15758 https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5 https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh https://www.cve.org/CVERecord?id=CVE-2023-49109 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41909 – Apache MINA SSHD: integrity check bypass
https://notcve.org/view.php?id=CVE-2024-41909
Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected. A flaw was found in Apache MINA SSHD. • https://github.com/apache/mina-sshd/issues/445 https://lists.apache.org/thread/vwf1ot8wx1njyy8n19j5j2tcnjnozt3b https://access.redhat.com/security/cve/CVE-2024-41909 https://bugzilla.redhat.com/show_bug.cgi?id=2304442 • CWE-354: Improper Validation of Integrity Check Value •