
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue.
• https://lists.apache.org/thread/jmbsfjsvrfnvosh1ftrm3ry4j3sb7doz
• https://lists.apache.org/thread/lvsczrp8kdynppmzyxtkh4ord4gpw1ph
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue.
• https://lists.apache.org/thread/gvbc68krhqhht7mkkkx7k13k6k6fdhy0
• https://lists.apache.org/thread/h8k14o1bfyod66p113pkgnt1s52p6p19
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
• https://issues.apache.org/jira/browse/OFBIZ-13158
• https://lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11
• https://ofbiz.apache.org/download.html
• https://ofbiz.apache.org/security.html
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
• https://issues.apache.org/jira/browse/OFBIZ-13162
• https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6
• https://ofbiz.apache.org/download.html
• https://ofbiz.apache.org/security.html
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability.
• https://github.com/apache/airflow/pull/43040
• https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
• CWE-1295: Debug Messages Revealing Unnecessary Information