CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2024-52317 – Apache Tomcat: Request/response mix-up with HTTP/2
https://notcve.org/view.php?id=CVE-2024-52317
18 Nov 2024 — Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue. Vulnerabilidad de reutilización y reciclaje incorrecto de objetos en Apache Tomcat. • https://github.com/TAM-K592/CVE-2024-52317 • CWE-326: Inadequate Encryption Strength •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2024-52316 – Apache Tomcat: Authentication bypass when using Jakarta Authentication API
https://notcve.org/view.php?id=CVE-2024-52316
18 Nov 2024 — Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 thr... • https://github.com/TAM-K592/CVE-2024-52316 • CWE-391: Unchecked Error Condition •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41151 – Apache HertzBeat: RCE by notice template injection vulnerability
https://notcve.org/view.php?id=CVE-2024-41151
18 Nov 2024 — Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. • https://lists.apache.org/thread/oor9nw6nh2ojnfw8d8oxrv40cbtk5mwj • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45791 – Apache HertzBeat: Exposure sensitive token via http GET method with query string
https://notcve.org/view.php?id=CVE-2024-45791
18 Nov 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. • https://lists.apache.org/thread/jmbsfjsvrfnvosh1ftrm3ry4j3sb7doz • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45505 – Apache HertzBeat: Exists Native Deser RCE and file writing vulnerabilities
https://notcve.org/view.php?id=CVE-2024-45505
18 Nov 2024 — Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by ... • https://lists.apache.org/thread/gvbc68krhqhht7mkkkx7k13k6k6fdhy0 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47208 – Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE
https://notcve.org/view.php?id=CVE-2024-47208
18 Nov 2024 — Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13158 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48962 – Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
https://notcve.org/view.php?id=CVE-2024-48962
18 Nov 2024 — Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13162 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45784 – Apache Airflow: Sensitive configuration values are not masked in the logs by default
https://notcve.org/view.php?id=CVE-2024-45784
15 Nov 2024 — Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exp... • https://github.com/apache/airflow/pull/43040 • CWE-1295: Debug Messages Revealing Unnecessary Information •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50306 – Apache Traffic Server: Server process can fail to drop privilege
https://notcve.org/view.php?id=CVE-2024-50306
14 Nov 2024 — Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue. Un valor de retorno sin marcar puede permitir que Apache Traffic Server conserve privilegios al iniciarse. Este problema afecta a Apache Traffic Server: de la versión 9.2.0 a la 9.2.5 y de la versión 10.0.0 a la 10.0.1. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-252: Unchecked Return Value •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50305 – Apache Traffic Server: Valid Host field value can cause crashes
https://notcve.org/view.php?id=CVE-2024-50305
14 Nov 2024 — Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. Un campo de encabezado de host válido puede provocar que Apache Traffic Server se bloquee en algunas plataformas. Este problema afecta a Apache Traffic Server: desde la versión 9.2.0 hasta la 9.2.5. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •