
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Oct 2024 — Cross-Site Request Forgery (CSRF), privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, weblog owners are by default trusted to publish arbitrary weblog content; combined with a deficiency in Roller's CSRF protections, this allowed a privilege-escalation attack. This issue affects Apache Roller before 6.1.4. Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue. Roller 6.1.4 release announcement: ht... • https://lists.apache.org/thread/6m0ghjo9j92qty00t2qb6qf2spds0p5t • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Oct 2024 — On Windows platforms, a "best fit" character encoding conversion of command line arguments to Subversion's executables (e.g., svn.exe) may lead to unexpected command line argument interpretation, including argument injection and execution of other programs, if a specially crafted command line argument string is processed. All versions of Subversion up to and including Subversion 1.14.3 are affected, on Windows platforms only. Users are recommended to upgrade to version Subversion 1.14.4, which fixes th... • https://subversion.apache.org/security/CVE-2024-45720-advisory.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Oct 2024 — Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue. • https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1 • CWE-400: Uncontrolled Resource Consumption

CVSS: 9.2 • EPSS: 1% • CPEs: 1 • EXPL: 0

03 Oct 2024 — Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. A vulnerability was found in Apache Avro. The project is affec... • https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x • CWE-502: Deserialization of Untrusted Data

CVSS: 8.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Sep 2024 — Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the command line) can mitigate the issue on vulnerable versions without impacting func... • https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo • CWE-502: Deserialization of Untrusted Data

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Sep 2024 — Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml. This file contains all the content from the user's ~/.m2/settings.xml file, which often contains information they do not wa... • https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-922: Insecure Storage of Sensitive Information

CVSS: 6.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Sep 2024 — Apache Hadoop's RunJar.run() does not set permissions on its temporary directory by default. If sensitive data is present there, all other local users may be able to view it. This is because, on Unix-like systems, the system temporary directory is shared between all local users; files written in this directory without explicitly setting the correct POSIX permissions may be viewable by all other local users. • https://issues.apache.org/jira/browse/HADOOP-19031 • CWE-269: Improper Privilege Management

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Sep 2024 — Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of the user's email. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue. • https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x • CWE-326: Inadequate Encryption Strength

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Sep 2024 — In Apache Linkis <= 1.5.0, a random string security vulnerability exists in Spark EngineConn: the random token string generated when starting Py4j uses Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue. • https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw • CWE-326: Inadequate Encryption Strength

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Sep 2024 — Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration, which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix-like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue. • https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d • CWE-276: Incorrect Default Permissions