
CVE-2024-42323 – Apache HertzBeat: RCE by snakeYaml deser load malicious xml
https://notcve.org/view.php?id=CVE-2024-42323
21 Sep 2024 — SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.0. Users are recommended to upgrade to version 1.6.0, which fixes the issue. SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. • https://lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx • CWE-502: Deserialization of Untrusted Data •

CVE-2024-45537 – Apache Druid: Users can provide MySQL JDBC properties not on allow list
https://notcve.org/view.php?id=CVE-2024-45537
17 Sep 2024 — Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC co... • https://lists.apache.org/thread/2ovx1t77y6tlkhk5b42clp4vwo4c8cjv • CWE-20: Improper Input Validation •

CVE-2024-45384 – Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack
https://notcve.org/view.php?id=CVE-2024-45384
17 Sep 2024 — Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the ... • https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1 • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2024-22399 – Apache Seata: Remote Code Execution vulnerability via Hessian Deserialization in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-22399
16 Sep 2024 — Deserialization of Untrusted Data vulnerability in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue. • https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4 • CWE-502: Deserialization of Untrusted Data •

CVE-2024-45034 – Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes
https://notcve.org/view.php?id=CVE-2024-45034
07 Sep 2024 — Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability. Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the schedul... • https://github.com/apache/airflow/pull/41672 • CWE-250: Execution with Unnecessary Privileges •

CVE-2024-45195 – Apache OFBiz Forced Browsing Vulnerability
https://notcve.org/view.php?id=CVE-2024-45195
04 Sep 2024 — Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad Direct Request ("Navegación forzada") en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. • https://issues.apache.org/jira/browse/OFBIZ-13130 • CWE-425: Direct Request ('Forced Browsing') •

CVE-2024-45507 – Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE
https://notcve.org/view.php?id=CVE-2024-45507
04 Sep 2024 — Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad de Server-Side Request Forgery (SSRF) y control inadecuado de la generación de código ('inyección de código') en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. • https://github.com/Avento/CVE-2024-45507_Behinder_Webshell • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2023-49582 – Apache Portable Runtime (APR): Unexpected lax shared memory permissions
https://notcve.org/view.php?id=CVE-2023-49582
26 Aug 2024 — Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to upgrade to APR version 1.7.5, which fixes this issue. Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments... • https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2024-41937 – Apache Airflow: Stored XSS Vulnerability on provider link
https://notcve.org/view.php?id=CVE-2024-41937
21 Aug 2024 — Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-si... • https://github.com/apache/airflow/pull/40933 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-49198 – Apache SeaTunnel Web: Arbitrary file read vulnerability
https://notcve.org/view.php?id=CVE-2023-49198
21 Aug 2024 — Mysql security vulnerability in Apache SeaTunnel. Attackers can read files on the MySQL server by modifying the information in the MySQL URL allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360 This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version [1.0.1], which fixes the issue. Mysql security vulnerability in Apache SeaTunnel. Attackers can read files on the MySQL server by modifying the information in the MySQL URL allo... • https://lists.apache.org/thread/48j9f1nsn037mgzc4j9o51nwglb1s08h • CWE-552: Files or Directories Accessible to External Parties •