
CVE-2024-45719 – Apache Answer: Predictable Authorization Token Using UUIDv1
https://notcve.org/view.php?id=CVE-2024-45719
22 Nov 2024 — Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.0. The ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable. Users are recommended to upgrade to version 1.4.1, which fixes the issue. Inadequate Encryption Strength vulnerability in Apache Answer. • https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491 • CWE-326: Inadequate Encryption Strength •

CVE-2024-52067 – Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log
https://notcve.org/view.php?id=CVE-2024-52067
21 Nov 2024 — Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. An authorized administrator with access to change logging levels could enable debug logging for framework flow synchronization, causing the application to write Parameter names and values to the application log. Parameter Context values may contain sensitive information depending on application flow configuration. Deployments of Apache NiFi with ... • https://lists.apache.org/thread/9rz5rwn2zc7pfjq7ppqldqlc067tlcwd • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2024-31141 – Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider
https://notcve.org/view.php?id=CVE-2024-31141
19 Nov 2024 — Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurat... • https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv • CWE-269: Improper Privilege Management CWE-552: Files or Directories Accessible to External Parties •

CVE-2024-52318 – Apache Tomcat: Incorrect JSP tag recycling leads to XSS
https://notcve.org/view.php?id=CVE-2024-52318
18 Nov 2024 — Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue. Vulnerabilidad de reutilización y reciclaje incorrecto de objetos en Apache Tomcat. Este problema afecta a Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. • https://github.com/TAM-K592/CVE-2024-52318 • CWE-326: Inadequate Encryption Strength •

CVE-2024-52317 – Apache Tomcat: Request/response mix-up with HTTP/2
https://notcve.org/view.php?id=CVE-2024-52317
18 Nov 2024 — Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue. Vulnerabilidad de reutilización y reciclaje incorrecto de objetos en Apache Tomcat. • https://github.com/TAM-K592/CVE-2024-52317 • CWE-326: Inadequate Encryption Strength •

CVE-2024-52316 – Apache Tomcat: Authentication bypass when using Jakarta Authentication API
https://notcve.org/view.php?id=CVE-2024-52316
18 Nov 2024 — Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 thr... • https://github.com/TAM-K592/CVE-2024-52316 • CWE-248: Uncaught Exception CWE-391: Unchecked Error Condition •

CVE-2024-41151 – Apache HertzBeat: RCE by notice template injection vulnerability
https://notcve.org/view.php?id=CVE-2024-41151
18 Nov 2024 — Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. • https://lists.apache.org/thread/oor9nw6nh2ojnfw8d8oxrv40cbtk5mwj • CWE-502: Deserialization of Untrusted Data •

CVE-2024-45791 – Apache HertzBeat: Exposure sensitive token via http GET method with query string
https://notcve.org/view.php?id=CVE-2024-45791
18 Nov 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. • https://lists.apache.org/thread/jmbsfjsvrfnvosh1ftrm3ry4j3sb7doz • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-45505 – Apache HertzBeat: Exists Native Deser RCE and file writing vulnerabilities
https://notcve.org/view.php?id=CVE-2024-45505
18 Nov 2024 — Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by ... • https://lists.apache.org/thread/gvbc68krhqhht7mkkkx7k13k6k6fdhy0 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-47208 – Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE
https://notcve.org/view.php?id=CVE-2024-47208
18 Nov 2024 — Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13158 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •