CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48962 – Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
https://notcve.org/view.php?id=CVE-2024-48962
18 Nov 2024 — Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13162 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-45784 – Apache Airflow: Sensitive configuration values are not masked in the logs by default
https://notcve.org/view.php?id=CVE-2024-45784
15 Nov 2024 — Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exp... • https://github.com/apache/airflow/pull/43040 • CWE-1295: Debug Messages Revealing Unnecessary Information •
CVSS: 9.1EPSS: 1%CPEs: 2EXPL: 0CVE-2024-50306 – Apache Traffic Server: Server process can fail to drop privilege
https://notcve.org/view.php?id=CVE-2024-50306
14 Nov 2024 — Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue. Un valor de retorno sin marcar puede permitir que Apache Traffic Server conserve privilegios al iniciarse. Este problema afecta a Apache Traffic Server: de la versión 9.2.0 a la 9.2.5 y de la versión 10.0.0 a la 10.0.1. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-252: Unchecked Return Value •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50305 – Apache Traffic Server: Valid Host field value can cause crashes
https://notcve.org/view.php?id=CVE-2024-50305
14 Nov 2024 — Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. Un campo de encabezado de host válido puede provocar que Apache Traffic Server se bloquee en algunas plataformas. Este problema afecta a Apache Traffic Server: desde la versión 9.2.0 hasta la 9.2.5. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-38479 – Apache Traffic Server: Cache key plugin is vulnerable to cache poisoning attack
https://notcve.org/view.php?id=CVE-2024-38479
14 Nov 2024 — Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. Vulnerabilidad de validación de entrada incorrecta en Apache Traffic Server. Este problema afecta a Apache Traffic Server: desde la versión 8.0.0 hasta la 8.1.11, desde la versión 9.0.0 hasta la 9.2.5. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-20: Improper Input Validation •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50386 – Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure
https://notcve.org/view.php?id=CVE-2024-50386
12 Nov 2024 — Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and ... • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3 • CWE-20: Improper Input Validation •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50378 – Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli
https://notcve.org/view.php?id=CVE-2024-50378
08 Nov 2024 — Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the C... • https://github.com/apache/airflow/pull/43123 • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51504 – Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server
https://notcve.org/view.php?id=CVE-2024-51504
07 Nov 2024 — When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP add... • https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh • CWE-290: Authentication Bypass by Spoofing •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23590 – Apache Kylin: Session fixation in web interface
https://notcve.org/view.php?id=CVE-2024-23590
04 Nov 2024 — Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. • https://lists.apache.org/thread/7161154h0k6zygr9917qq0g95p39szml • CWE-384: Session Fixation •
CVSS: 8.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-43383 – Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator
https://notcve.org/view.php?id=CVE-2024-43383
31 Oct 2024 — Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are reco... • https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh • CWE-502: Deserialization of Untrusted Data •