CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41890 – Apache Answer: The link to reset the user's password will remain valid after sending a new link
https://notcve.org/view.php?id=CVE-2024-41890
09 Aug 2024 — Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue. Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. • https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 8.8EPSS: 79%CPEs: 1EXPL: 0CVE-2024-30188 – Apache DolphinScheduler: Resource File Read And Write Vulnerability
https://notcve.org/view.php?id=CVE-2024-30188
09 Aug 2024 — File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue. File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to ve... • https://lists.apache.org/thread/tbrt42mnr42bq6scxwt6bjr3s2pwyd07 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29831 – Apache DolphinScheduler: RCE by arbitrary js execution
https://notcve.org/view.php?id=CVE-2024-29831
09 Aug 2024 — Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2. • https://lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0 • CWE-20: Improper Input Validation •
CVSS: 8.3EPSS: 1%CPEs: 2EXPL: 0CVE-2024-42062 – Apache CloudStack: User Key Exposure to Domain Admins
https://notcve.org/view.php?id=CVE-2024-42062
07 Aug 2024 — CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An ... • https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42222 – Apache CloudStack: Unauthorised Network List Access
https://notcve.org/view.php?id=CVE-2024-42222
07 Aug 2024 — In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data. Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1. • https://github.com/apache/cloudstack/issues/9456 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36448 – Apache IoTDB Workbench: SSRF Vulnerability (EOL)
https://notcve.org/view.php?id=CVE-2024-36448
05 Aug 2024 — Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench. This issue affects Apache IoTDB Workbench: from 0.13.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. ** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Wor... • https://lists.apache.org/thread/d19p0vsm7nogp43q9m3tzm5jl6mzjj1x • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 10CVE-2024-38856 – Apache OFBiz Incorrect Authorization Vulnerability
https://notcve.org/view.php?id=CVE-2024-38856
05 Aug 2024 — Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). This vulnerability allows remote attackers to bypass authentication on affec... • https://github.com/codeb0ss/CVE-2024-38856-PoC • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42447 – Apache Airflow Providers FAB: FAB provider 1.2.1 and 1.2.0 did not let user to logout for Airflow
https://notcve.org/view.php?id=CVE-2024-42447
05 Aug 2024 — Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. * FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected) * FAB provider 1.2.0 affected all versions of Airflow. Users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Provi... • https://github.com/apache/airflow/pull/40784 • CWE-613: Insufficient Session Expiration •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0CVE-2024-36268 – Apache InLong TubeMQ Client: Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-36268
02 Aug 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/10251 • https://lists.apache.org/thread/1w1yp1bg5sjvn46dszkf00tz1vfs0frc • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27182 – Apache Linkis Basic management services: Engine material management Arbitrary file deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-27182
02 Aug 2024 — In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Users are recommended to upgrade to version 1.6.0, which fixes this issue. In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Users are recommended to upgrade to version 1.6.0, which fixes this issue. • https://lists.apache.org/thread/2of1p433h8rbq2bx525rtftnk19oz38h • CWE-552: Files or Directories Accessible to External Parties •