CVE-2024-36265 – Apache Submarine Server Core: authorization bypass
https://notcve.org/view.php?id=CVE-2024-36265
Incorrect Authorization vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de autorización incorrecta en Apache Submarine Server Core. Este problema afecta a Apache Submarine Server Core: desde 0.8.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/06/12/3 https://lists.apache.org/thread/prckhhst19qxof064hsm8cccxtofvflz • CWE-863: Incorrect Authorization •
CVE-2024-36264 – Apache Submarine Commons Utils: default secret
https://notcve.org/view.php?id=CVE-2024-36264
Improper Authentication vulnerability in Apache Submarine Commons Utils. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de autenticación incorrecta en Apache Submarine Commons Utils. Este problema afecta a Apache Submarine Commons Utils: desde 0.8.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/06/12/2 https://github.com/apache/submarine/pull/1125 https://lists.apache.org/thread/7mo0c7vbhpo8thvybl8wwvb0bccrg7r4 • CWE-287: Improper Authentication •
CVE-2024-36263 – Apache Submarine Server Core: SQL injection
https://notcve.org/view.php?id=CVE-2024-36263
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("inyección SQL") en Apache Submarine Server Core. Este problema afecta a Apache Submarine Server Core: todas las versiones. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/06/12/1 https://github.com/apache/submarine/pull/1121 https://lists.apache.org/thread/8q9kbdg9gk9kpz5p8x6t7q8709l3vrmt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-36471 – Apache Allura: sensitive information exposure via DNS rebinding
https://notcve.org/view.php?id=CVE-2024-36471
Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file. La funcionalidad de importación es vulnerable a ataques de revinculación de DNS entre la verificación y el procesamiento de la URL. Los administradores de proyectos pueden ejecutar estas importaciones, lo que podría hacer que Allura lea servicios internos y los exponga. • https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-36104 – Apache OFBiz: Path traversal leading to a RCE
https://notcve.org/view.php?id=CVE-2024-36104
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.14. Se recomienda a los usuarios actualizar a la versión 18.12.14, que soluciona el problema. • https://github.com/ggfzx/CVE-2024-36104 http://www.openwall.com/lists/oss-security/2024/06/03/1 https://issues.apache.org/jira/browse/OFBIZ-13092 https://lists.apache.org/thread/sv0xr8b1j7mmh5p37yldy9vmnzbodz2o https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •