
CVE-2024-38479 – Apache Traffic Server: Cache key plugin is vulnerable to cache poisoning attack
https://notcve.org/view.php?id=CVE-2024-38479
14 Nov 2024 — Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. Vulnerabilidad de validación de entrada incorrecta en Apache Traffic Server. Este problema afecta a Apache Traffic Server: desde la versión 8.0.0 hasta la 8.1.11, desde la versión 9.0.0 hasta la 9.2.5. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-20: Improper Input Validation •

CVE-2024-50386 – Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure
https://notcve.org/view.php?id=CVE-2024-50386
12 Nov 2024 — Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and ... • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3 • CWE-20: Improper Input Validation •

CVE-2024-50378 – Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli
https://notcve.org/view.php?id=CVE-2024-50378
08 Nov 2024 — Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the C... • https://github.com/apache/airflow/pull/43123 • CWE-201: Insertion of Sensitive Information Into Sent Data •

CVE-2024-51504 – Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server
https://notcve.org/view.php?id=CVE-2024-51504
07 Nov 2024 — When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP add... • https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh • CWE-290: Authentication Bypass by Spoofing •

CVE-2024-23590 – Apache Kylin: Session fixation in web interface
https://notcve.org/view.php?id=CVE-2024-23590
04 Nov 2024 — Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. • https://lists.apache.org/thread/7161154h0k6zygr9917qq0g95p39szml • CWE-384: Session Fixation •

CVE-2024-43383 – Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator
https://notcve.org/view.php?id=CVE-2024-43383
31 Oct 2024 — Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are reco... • https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh • CWE-502: Deserialization of Untrusted Data •

CVE-2024-38286 – Apache Tomcat: Denial of Service
https://notcve.org/view.php?id=CVE-2024-38286
30 Oct 2024 — Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. • https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-45477 – Apache NiFi: Improper Neutralization of Input in Parameter Description
https://notcve.org/view.php?id=CVE-2024-45477
29 Oct 2024 — Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation. Apache NiFi 1.10.0 a 1.27.0 y 2.0.0-M1 a 2.0.0-M3 ad... • https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-45031 – Apache Syncope: Stored XSS in Console and Enduser
https://notcve.org/view.php?id=CVE-2024-45031
24 Oct 2024 — When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes... • https://lists.apache.org/thread/fn567pfmo3s55ofkc42drz8b4kgbhp9m • CWE-20: Improper Input Validation •

CVE-2024-45219 – Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure
https://notcve.org/view.php?id=CVE-2024-45219
16 Oct 2024 — Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environm... • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •