Page 19 of 370 results (0.009 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. This issue affects Apache Helix Front (UI): all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://lists.apache.org/thread/zt26fpmrqx3fzcy8nv3b43kb3xllo5ny • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue. • https://github.com/apache/dolphinscheduler/pull/15758 https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5 https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh https://www.cve.org/CVERecord?id=CVE-2023-49109 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. • https://github.com/python/cpython/issues/123067 https://github.com/python/cpython/pull/123075 https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06 https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a https://github.com/python/cp • CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected. A flaw was found in Apache MINA SSHD. • https://github.com/apache/mina-sshd/issues/445 https://lists.apache.org/thread/vwf1ot8wx1njyy8n19j5j2tcnjnozt3b https://access.redhat.com/security/cve/CVE-2024-41909 https://bugzilla.redhat.com/show_bug.cgi?id=2304442 • CWE-354: Improper Validation of Integrity Check Value •

CVSS: -EPSS: 0%CPEs: 1EXPL: 0

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue. • https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4 • CWE-772: Missing Release of Resource after Effective Lifetime •