CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41916 – Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading
https://notcve.org/view.php?id=CVE-2023-41916
In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected. We recommend users upgrade the version of Linkis to version 1.5.0. En Apache Linkis = 1.4.0, debido a la falta de filtrado efectivo de parámetros, un atacante que configure parámetros maliciosos de Mysql JDBC en el módulo DataSource Manager activará la lectura de archivos arbitrarios. • https://lists.apache.org/thread/dxkpwyoxy1jpdwlpqp15zvo0jxn4v729 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36522 – Apache Wicket: Remote code execution via XSLT injection
https://notcve.org/view.php?id=CVE-2024-36522
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue. • http://www.openwall.com/lists/oss-security/2024/07/12/2 https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39884 – Apache HTTP Server: source code disclosure with handlers configured via AddType
https://notcve.org/view.php?id=CVE-2024-39884
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue. Una regresión en el núcleo de Apache HTTP Server 2.4.60 ignora parte del uso de la configuración de controladores heredada basada en el tipo de contenido. "AddType" y configuraciones similares, en algunas circunstancias en las que los archivos se solicitan indirectamente, dan como resultado la divulgación del código fuente del contenido local. • http://www.openwall.com/lists/oss-security/2024/07/17/6 https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20240712-0002 •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-34750 – Apache Tomcat: HTTP/2 excess header handling DoS
https://notcve.org/view.php?id=CVE-2024-34750
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. Manejo inadecuado de condiciones excepcionales, vulnerabilidad de consumo incontrolado de recursos en Apache Tomcat. Al procesar una secuencia HTTP/2, Tomcat no manejó correctamente algunos casos de encabezados HTTP excesivos. • https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l https://access.redhat.com/security/cve/CVE-2024-34750 https://bugzilla.redhat.com/show_bug.cgi?id=2295651 • CWE-400: Uncontrolled Resource Consumption CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39573 – Apache HTTP Server: mod_rewrite proxy handler substitution
https://notcve.org/view.php?id=CVE-2024-39573
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. El potencial SSRF en mod_rewrite en Apache HTTP Server 2.4.59 y versiones anteriores permite a un atacante provocar que RewriteRules inseguras configuren inesperadamente URL para que sean manejadas por mod_proxy. Se recomienda a los usuarios actualizar a la versión 2.4.60, que soluciona este problema. A flaw was found in the mod_rewrite module of httpd. A potential SSRF allows an attacker to cause unsafe rules used in the RewriteRule directive to unexpectedly set up URLs to be handled by the mod_proxy module. • https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20240712-0001 https://access.redhat.com/security/cve/CVE-2024-39573 https://bugzilla.redhat.com/show_bug.cgi?id=2295022 • CWE-20: Improper Input Validation •