
CVSS: - | EPSS: 0% | CPEs: 2 | EXPL: 0

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
• http://www.openwall.com/lists/oss-security/2024/03/19/2 • https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo
• CWE-352: Cross-Site Request Forgery (CSRF) • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSS: - | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Input Validation vulnerability in Apache Hop Engine. This issue affects Apache Hop Engine: before 2.8.0. Users are recommended to upgrade to version 2.8.0, which fixes the issue. When Hop Server writes links to the PrepareExecutionPipelineServlet page, one of the parameters provided to the user was not properly escaped. The variable not properly escaped is the "id", which is not directly accessible by users creating pipelines, making the risk of exploitation low. This issue only affects users using the Hop Server component and does not directly affect the client.
• http://www.openwall.com/lists/oss-security/2024/03/18/1 • https://lists.apache.org/thread/ts203zssv1n9qth1wdlhk2bhos3vcq6t
• CWE-20: Improper Input Validation

CVSS: 9.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted. A server-side request forgery (SSRF) vulnerability was found in Apache CXF.
• http://www.openwall.com/lists/oss-security/2024/03/14/3 • https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt • https://security.netapp.com/advisory/ntap-20240517-0001 • https://access.redhat.com/security/cve/CVE-2024-28752 • https://bugzilla.redhat.com/show_bug.cgi?id=2270732
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0

Information disclosure in persistent watchers handling in Apache ZooKeeper due to a missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent to which the attacker already has access. The ZooKeeper server doesn't perform an ACL check when the persistent watcher is triggered and, as a consequence, the full path of the znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of the znode, but since a znode path can contain sensitive information like a user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fixes the issue.
• http://www.openwall.com/lists/oss-security/2024/03/14/2 • https://lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79k
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: - | EPSS: 0% | CPEs: 1 | EXPL: 0

Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc. from the UI which they do not have permission to access. Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability.
• http://www.openwall.com/lists/oss-security/2024/03/13/5 • https://github.com/apache/airflow/pull/37881 • https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7
• CWE-281: Improper Preservation of Permissions