
CVE-2024-50305 – Apache Traffic Server: Valid Host field value can cause crashes
https://notcve.org/view.php?id=CVE-2024-50305
14 Nov 2024 — Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2024-38479 – Apache Traffic Server: Cache key plugin is vulnerable to cache poisoning attack
https://notcve.org/view.php?id=CVE-2024-38479
14 Nov 2024 — Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-20: Improper Input Validation •

CVE-2024-50386 – Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure
https://notcve.org/view.php?id=CVE-2024-50386
12 Nov 2024 — Account users in Apache CloudStack are by default allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and ... • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3 • CWE-20: Improper Input Validation •

CVE-2024-50378 – Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli
https://notcve.org/view.php?id=CVE-2024-50378
08 Nov 2024 — Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the C... • https://github.com/apache/airflow/pull/43123 • CWE-201: Insertion of Sensitive Information Into Sent Data •
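
The masking step the advisory says was missing for CLI-set variables, as an added example in Python that is not Airflow's own code. Sensitivity is decided by name: either the field name, or the "key" of a key/value record of the kind a "variables set" command produces, since there the field holding the secret is simply called "value". Any value identified that way is also scrubbed out of the free-text message before it is written. The name patterns, the record shape and the sample events are assumptions constructed for this illustration.

```python
# Added example (not Airflow's code): mask secrets before they reach an audit
# log. The sensitive-name patterns and the {"key":..., "value":...} record
# shape are assumptions for this illustration.
import json
import re

SENSITIVE_NAME_RE = re.compile(
    r"password|passwd|secret|token|api_?key|private_?key|access_?key", re.I
)
MASK = "***"


def is_sensitive_name(name):
    return bool(name) and bool(SENSITIVE_NAME_RE.search(str(name)))


def _record_is_sensitive(d):
    """A {"key": ..., "value": ...} record is sensitive if its key name is."""
    return is_sensitive_name(d.get("key")) and "value" in d


def redact(obj, name=None):
    """Return a copy with sensitive leaf values replaced by MASK."""
    if isinstance(obj, dict):
        out = {k: redact(v, k) for k, v in obj.items()}
        if _record_is_sensitive(out):
            out["value"] = MASK          # sensitivity comes from the key, not the field name
        return out
    if isinstance(obj, (list, tuple)):
        return [redact(v, name) for v in obj]
    return MASK if is_sensitive_name(name) else obj


def collect_secrets(obj, name=None, found=None):
    """Gather the string values redact() would mask, for scrubbing free text."""
    found = set() if found is None else found
    if isinstance(obj, dict):
        for k, v in obj.items():
            collect_secrets(v, k, found)
        if _record_is_sensitive(obj) and isinstance(obj["value"], str):
            found.add(obj["value"])
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            collect_secrets(v, name, found)
    elif isinstance(obj, str) and is_sensitive_name(name):
        found.add(obj)
    return found


def scrub_text(text, secrets):
    """Replace every known secret value in free text, longest first."""
    for s in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(s, MASK)
    return text


def audit_log_entry(event, extra, message=""):
    """What gets persisted: the JSON 'extra' blob and the message, both masked."""
    secrets = collect_secrets(extra)
    return {
        "event": event,
        "extra": json.dumps(redact(extra), sort_keys=True),
        "message": scrub_text(message, secrets),
    }


if __name__ == "__main__":
    # constructed sample: a CLI-style variable set and a connection add
    print(audit_log_entry("cli.variables.set",
                          {"key": "db_password", "value": "hunter2"},
                          "variables set db_password hunter2"))
    print(audit_log_entry("connection.add",
                          {"conn_id": "pg", "login": "app", "password": "s3cr3t",
                           "extra": {"api_key": "k-1", "host": "db"}}))
```

Masking at the point of writing is the only layer that protects the stored row; masking only in the UI, which the title of this advisory hints at, still leaves the plaintext in the database for anyone with direct access.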

CVE-2024-51504 – Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server
https://notcve.org/view.php?id=CVE-2024-51504
07 Nov 2024 — When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP add... • https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh • CWE-290: Authentication Bypass by Spoofing •
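
The spoofing path described above, as an added example in Python that is not ZooKeeper's code. The naive resolver believes X-Forwarded-For from whoever sent it, so a direct connection can claim any address. The hardened resolver uses the socket peer unless that peer is a known reverse proxy, and only then walks the header from the right, past any further trusted proxies, to the first hop it did not append itself. The allow-list network, the proxy address and the requests are assumed values constructed for the example.

```python
# Added example (not ZooKeeper's own code): IP-based authorization that derives
# the client address from X-Forwarded-For. Networks and addresses are assumed.
import ipaddress

ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]       # assumed allow-list
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]   # assumed reverse proxy


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip_naive(peer_addr, headers):
    """Vulnerable pattern: X-Forwarded-For is believed regardless of who sent it."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_addr)


def client_ip_hardened(peer_addr, headers):
    """Use the socket peer unless it is a trusted proxy; then walk XFF from the right."""
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer                       # direct connection: the header is just input
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):            # right-most entries were appended by our proxies
        addr = ipaddress.ip_address(hop)  # ValueError on garbage; the caller denies
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr                   # first hop we did not append: the real client
    return peer                           # header empty or proxies only: not a client


def authorize(peer_addr, headers, resolver):
    """True only if the resolved client address is on the allow-list."""
    try:
        lowered = {k.lower(): v for k, v in headers.items()}
        return _in_any(resolver(peer_addr, lowered), ALLOWED_CLIENTS)
    except ValueError:
        return False                      # unparsable address: fail closed


if __name__ == "__main__":
    forged = {"X-Forwarded-For": "10.1.2.3"}   # constructed: attacker connects directly
    print("naive   :", authorize("198.51.100.7", forged, client_ip_naive))
    print("hardened:", authorize("198.51.100.7", forged, client_ip_hardened))
```

Two details matter in practice: the trusted-proxy set must be the actual addresses that terminate connections in front of the service, and the header must be ignored entirely, not merely validated, when the peer is not one of them.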

CVE-2024-23590 – Apache Kylin: Session fixation in web interface
https://notcve.org/view.php?id=CVE-2024-23590
04 Nov 2024 — Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. • https://lists.apache.org/thread/7161154h0k6zygr9917qq0g95p39szml • CWE-384: Session Fixation •

CVE-2024-43383 – Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator
https://notcve.org/view.php?id=CVE-2024-43383
31 Oct 2024 — Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are reco... • https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh • CWE-502: Deserialization of Untrusted Data •

CVE-2024-38286 – Apache Tomcat: Denial of Service
https://notcve.org/view.php?id=CVE-2024-38286
30 Oct 2024 — Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. • https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-45477 – Apache NiFi: Improper Neutralization of Input in Parameter Description
https://notcve.org/view.php?id=CVE-2024-45477
29 Oct 2024 — Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation. • https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-45031 – Apache Syncope: Stored XSS in Console and Enduser
https://notcve.org/view.php?id=CVE-2024-45031
24 Oct 2024 — When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes... • https://lists.apache.org/thread/fn567pfmo3s55ofkc42drz8b4kgbhp9m • CWE-20: Improper Input Validation •
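
The two stored-XSS entries above (the NiFi parameter description that was not neutralized, and the Syncope sanitizer bypassed with incomplete tags) come down to the same point, so one added example in Python serves both; it is not code from either project. A sanitizer that strips complete tags leaves `<img src=x onerror=alert(1)` untouched because there is no closing `>`, while a browser will still treat it as an element. Output encoding neutralizes the field whenever markup is not needed; where some markup must survive, the safe shape is an allow-list rebuilt from a real parser's tokens with every text node escaped, so nothing unparsed ever reaches the page. The allowed tags, attributes and payloads are constructed for this illustration.

```python
# Added example (not NiFi's or Syncope's code): a tag-stripping sanitizer that
# misses an unterminated tag, output encoding, and a parser-based allow-list
# sanitizer. Allowed tags/attributes and payloads are constructed here.
import html
import re
from html.parser import HTMLParser

NAIVE_TAG_RE = re.compile(r"<[^>]*>")


def naive_strip_tags(s):
    """Vulnerable pattern: removes only tags that have a closing '>'."""
    return NAIVE_TAG_RE.sub("", s)


def escape_for_html(s):
    """Neutralize everything: correct whenever the field does not need markup."""
    return html.escape(s, quote=True)


ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_RE = re.compile(r"^(https?:|mailto:)", re.I)


class AllowListSanitizer(HTMLParser):
    """Rebuild output from parsed tokens: unknown tags and attributes vanish,
    text is always escaped, so an unterminated tag cannot reach the browser as
    markup. Event handler attributes are never on the allow-list."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value and SAFE_URL_RE.match(value.strip()):
                kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize(s):
    p = AllowListSanitizer()
    p.feed(s)
    p.close()
    return "".join(p.out)


INCOMPLETE = "<img src=x onerror=alert(1)"   # constructed payload: no closing '>'

if __name__ == "__main__":
    print("naive   :", naive_strip_tags(INCOMPLETE))   # payload survives unchanged
    print("escaped :", escape_for_html(INCOMPLETE))
    print("allowlst:", sanitize(INCOMPLETE))
    print("allowlst:", sanitize('<b>ok</b><a href="javascript:alert(1)">x</a>'))
```

The allow-list version drops `javascript:` hrefs by only admitting URL schemes it recognizes, and escapes text again on output even though the parser already decoded entities, so `&lt;` round-trips as literal text rather than becoming a `<`.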