CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25142 – Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache
https://notcve.org/view.php?id=CVE-2024-25142
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue. Uso de la vulnerabilidad de caché del navegador web que contiene información confidencial en Apache Airflow. Airflow no devolvió el encabezado "Cache-Control" para contenido dinámico, lo que en el caso de algunos navegadores podría resultar en el almacenamiento de datos confidenciales en la caché local del navegador. Este problema afecta a Apache Airflow: antes de 2.9.2. Se recomienda a los usuarios actualizar a la versión 2.9.2, que soluciona el problema. • https://github.com/apache/airflow/pull/39550 https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr • CWE-525: Use of Web Browser Cache Containing Sensitive Information •
CVSS: -EPSS: 6%CPEs: 1EXPL: 0CVE-2024-36265 – Apache Submarine Server Core: authorization bypass
https://notcve.org/view.php?id=CVE-2024-36265
Incorrect Authorization vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de autorización incorrecta en Apache Submarine Server Core. Este problema afecta a Apache Submarine Server Core: desde 0.8.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/06/12/3 https://lists.apache.org/thread/prckhhst19qxof064hsm8cccxtofvflz • CWE-863: Incorrect Authorization •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36264 – Apache Submarine Commons Utils: default secret
https://notcve.org/view.php?id=CVE-2024-36264
Improper Authentication vulnerability in Apache Submarine Commons Utils. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de autenticación incorrecta en Apache Submarine Commons Utils. Este problema afecta a Apache Submarine Commons Utils: desde 0.8.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/06/12/2 https://github.com/apache/submarine/pull/1125 https://lists.apache.org/thread/7mo0c7vbhpo8thvybl8wwvb0bccrg7r4 • CWE-287: Improper Authentication •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36263 – Apache Submarine Server Core: SQL injection
https://notcve.org/view.php?id=CVE-2024-36263
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("inyección SQL") en Apache Submarine Server Core. Este problema afecta a Apache Submarine Server Core: todas las versiones. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/06/12/1 https://github.com/apache/submarine/pull/1121 https://lists.apache.org/thread/8q9kbdg9gk9kpz5p8x6t7q8709l3vrmt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36471 – Apache Allura: sensitive information exposure via DNS rebinding
https://notcve.org/view.php?id=CVE-2024-36471
Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file. La funcionalidad de importación es vulnerable a ataques de revinculación de DNS entre la verificación y el procesamiento de la URL. Los administradores de proyectos pueden ejecutar estas importaciones, lo que podría hacer que Allura lea servicios internos y los exponga. • https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-918: Server-Side Request Forgery (SSRF) •