CVE-2024-41178 – Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files
https://notcve.org/view.php?id=CVE-2024-41178
Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html . This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until the OIDC token expires. Typically OIDC tokens are valid for up to an hour, although this will vary depending on the issuer. Users are recommended to use a different AWS authentication mechanism, disable logging or upgrade to version 0.10.2, which fixes this issue. Details: When using AWS WebIdentityTokens with the object_store crate, in the event of a failure and automatic retry, the underlying reqwest error, including the full URL with the credentials, potentially in the parameters, is written to the logs. Thanks to Paul Hatcherian for reporting this vulnerability Exposición de credenciales temporales en registros en Apache Arrow Rust Object Store (caja `object_store`), versión 0.10.1 y anteriores en todas las plataformas que utilizan AWS WebIdentityTokens. En determinadas condiciones de error, los registros pueden contener el token OIDC pasado a AssumeRoleWithWebIdentity https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html. Esto permite que alguien con acceso a los registros se haga pasar por esa identidad, incluida la realización de sus propias llamadas a AssumeRoleWithWebIdentity, hasta que caduque el token OIDC. • http://www.openwall.com/lists/oss-security/2024/07/23/3 https://lists.apache.org/thread/3t0povdppnt2czv6crlsqhvyko93kcrg • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2024-29070 – Apache StreamPark: session not invalidated after logout
https://notcve.org/view.php?id=CVE-2024-29070
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4 En versiones anteriores a la 2.1.4, la sesión no se invalida después de cerrar sesión. Cuando el usuario inicia sesión correctamente, el servicio Backend devuelve "Authorization" como credencial de autenticación de front-end. La "Authorization" aún puede iniciar solicitudes y acceder a datos incluso después de cerrar sesión. • https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl • CWE-613: Insufficient Session Expiration •
CVE-2024-34457 – Apache StreamPark IDOR Vulnerability
https://notcve.org/view.php?id=CVE-2024-34457
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4 En versiones anteriores a la 2.1.4, después de que un usuario normal inicia sesión con éxito, puede realizar una solicitud manualmente utilizando el token de autorización para ver la información de flink de todos los usuarios, incluidos runSQL y config. Mitigación: todos los usuarios deben actualizar a 2.1.4 • http://www.openwall.com/lists/oss-security/2024/07/22/2 https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j https://www.openwall.com/lists/oss-security/2024/07/22/2 • CWE-269: Improper Privilege Management CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2024-38503 – Apache Syncope: HTML tags can be injected into Console or Enduser text fields
https://notcve.org/view.php?id=CVE-2024-38503
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue. Al editar un usuario, grupo o cualquier objeto en Syncope Console, se podrían agregar etiquetas HTML a cualquier campo de texto y podrían dar lugar a posibles exploits. La misma vulnerabilidad se encontró en Syncope Enduser, al editar “Personal Information” o “User Requests”. Se recomienda a los usuarios actualizar a la versión 3.0.8, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/07/22/3 https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser https://www.openwall.com/lists/oss-security/2024/07/22/3 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-23321 – Apache RocketMQ: Unauthorized Exposure of Sensitive Data
https://notcve.org/view.php?id=CVE-2024-23321
For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and authorization functions. An attacker, possessing regular user privileges or listed in the IP whitelist, could potentially acquire the administrator's account and password through specific interfaces. Such an action would grant them full control over RocketMQ, provided they have access to the broker IP address list. To mitigate these security threats, it is strongly advised that users upgrade to version 5.3.0 or newer. Additionally, we recommend users to use RocketMQ ACL 2.0 instead of the original RocketMQ ACL when upgrading to version Apache RocketMQ 5.3.0. Para las versiones 5.2.0 y anteriores de RocketMQ, bajo ciertas condiciones, existe el riesgo de exposición de información confidencial a un actor no autorizado incluso si RocketMQ está habilitado con funciones de autenticación y autorización. Un atacante que posea privilegios de usuario habituales o que esté incluido en la lista blanca de IP podría adquirir la cuenta y la contraseña del administrador a través de interfaces específicas. • http://www.openwall.com/lists/oss-security/2024/07/22/1 https://lists.apache.org/thread/lr8npobww786nrnddd1pcy974r17c830 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •