
CVE-2024-29733 – Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context
https://notcve.org/view.php?id=CVE-2024-29733
21 Apr 2024 — Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly. This issue affects Apache Airflow FTP Provider: before 3.7.0. Users are recommended to upgrade to version 3.7.0, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/04/19/3 • CWE-295: Improper Certificate Validation •

CVE-2024-29217 – Apache Answer: XSS vulnerability when changing personal website
https://notcve.org/view.php?id=CVE-2024-29217
21 Apr 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer. This issue affects Apache Answer: before 1.3.0. XSS attack when a user changes their personal website. A logged-in user, when modifying their personal website, can input malicious code in the website field to create such an attack. Users are recommended to upgrade to version [1.3.0], which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/04/19/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-31869 – Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
https://notcve.org/view.php?id=CVE-2024-31869
18 Apr 2024 — Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as the "webserver.expose_config" configuration (the celery provider is the only community provider that currently has sensitive configurations). You should migrate to Airflow 2.9 or change your "expose_config" configuration to False as a workaround. This is similar to, but different from, CVE-2023-46288 https://github.com/... • http://www.openwall.com/lists/oss-security/2024/04/17/10 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-31391 – Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials
https://notcve.org/view.php?id=CVE-2024-31391
12 Apr 2024 — Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0. When asked to bootstrap Solr security, the operator will enable basic authentication and create several accounts for accessing Solr: including the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account which the operator uses for its own requests to Solr. One common source of these operator requests is healthchec... • http://www.openwall.com/lists/oss-security/2024/04/12/7 • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2024-27309 – Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode
https://notcve.org/view.php?id=CVE-2024-27309
12 Apr 2024 — While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: (1) the administrator decides to remove an ACL; (2) the resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal. When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or m... • http://www.openwall.com/lists/oss-security/2024/04/12/3 • CWE-863: Incorrect Authorization •

CVE-2024-31309 – Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack
https://notcve.org/view.php?id=CVE-2024-31309
10 Apr 2024 — An HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Versions 8.0.0 through 8.1.9 and 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use, and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4, which fix the issue. U... • https://github.com/lockness-Ko/CVE-2024-27316 • CWE-20: Improper Input Validation •

CVE-2024-31867 – Apache Zeppelin: LDAP search filter query Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-31867
09 Apr 2024 — Improper Input Validation vulnerability in Apache Zeppelin. Attackers can execute malicious queries by setting improper configuration properties in the LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/04/09/12 • CWE-20: Improper Input Validation •

CVE-2024-31868 – Apache Zeppelin: XSS vulnerability in the helium module
https://notcve.org/view.php?id=CVE-2024-31868
09 Apr 2024 — Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Attackers can modify helium.json and expose normal users to XSS attacks. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/04/09/11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-116: Improper Encoding or Escaping of Output •

CVE-2024-31866 – Apache Zeppelin: Interpreter download command does not escape malicious code injection
https://notcve.org/view.php?id=CVE-2024-31866
09 Apr 2024 — Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Attackers can execute shell scripts or malicious code by overriding configuration such as ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/04/09/10 • CWE-116: Improper Encoding or Escaping of Output •

CVE-2024-31865 – Apache Zeppelin: Cron arbitrary user impersonation with improper privileges
https://notcve.org/view.php?id=CVE-2024-31865
09 Apr 2024 — Improper Input Validation vulnerability in Apache Zeppelin. Attackers can call the cron update API with invalid or improper privileges so that the notebook runs with those privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/04/09/9 • CWE-20: Improper Input Validation •