CVE-2024-29006 – Apache CloudStack: x-forwarded-for HTTP header parsed by default
https://notcve.org/view.php?id=CVE-2024-29006
By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should an attacker decide to spoof their IP address this way. Users are recommended to upgrade to CloudStack version 4.18.1.1 or 4.19.0.1, which fixes this issue. De forma predeterminada, el servidor de administración de CloudStack respeta el encabezado HTTP x-forwarded-for y lo registra como la IP de origen de una solicitud de API. Esto podría provocar una omisión de autenticación y otros problemas operativos si un atacante decide falsificar su dirección IP de esta manera. • https://lists.apache.org/thread/82f46pv7mvh95ybto5hn8wlo6g8jhjvp • CWE-290: Authentication Bypass by Spoofing •
CVE-2024-29834 – Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints
https://notcve.org/view.php?id=CVE-2024-29834
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. • http://www.openwall.com/lists/oss-security/2024/04/02/2 https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5 https://pulsar.apache.org/security/CVE-2024-29834 • CWE-863: Incorrect Authorization •
CVE-2024-23537 – Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.
https://notcve.org/view.php?id=CVE-2024-23537
Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0, which fixes the issue. Vulnerabilidad de gestión de privilegios incorrecta en Apache Fineract. Este problema afecta a Apache Fineract: <1.8.5. Se recomienda a los usuarios actualizar a la versión 1.9.0, que soluciona el problema. • http://www.openwall.com/lists/oss-security/2024/03/29/1 https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1 • CWE-269: Improper Privilege Management •
CVE-2024-23538 – Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
https://notcve.org/view.php?id=CVE-2024-23538
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en Apache Fineract. Este problema afecta a Apache Fineract: <1.8.5. Se recomienda a los usuarios actualizar a la versión 1.8.5 o 1.9.0, que soluciona el problema. • http://www.openwall.com/lists/oss-security/2024/03/29/2 https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-23539 – Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
https://notcve.org/view.php?id=CVE-2024-23539
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en Apache Fineract. Este problema afecta a Apache Fineract: <1.8.5. Se recomienda a los usuarios actualizar a la versión 1.8.5 o 1.9.0, que soluciona el problema. • http://www.openwall.com/lists/oss-security/2024/03/29/3 https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •