CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-27135 – Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-27135
12 Mar 2024 — Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker user... • http://www.openwall.com/lists/oss-security/2024/03/12/9 • CWE-20: Improper Input Validation CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-34321 – Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint
https://notcve.org/view.php?id=CVE-2022-34321
12 Mar 2024 — Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials. This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0. The known risks include exposing sensitive ... • http://www.openwall.com/lists/oss-security/2024/03/12/8 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2024-28098 – Apache Pulsar: Improper Authorization For Topic-Level Policy Management
https://notcve.org/view.php?id=CVE-2024-28098
12 Mar 2024 — The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade ... • http://www.openwall.com/lists/oss-security/2024/03/12/12 • CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41313 – Apache Doris: Timing Attack weakness
https://notcve.org/view.php?id=CVE-2023-41313
12 Mar 2024 — The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks. Users are recommended to upgrade to version 2.0.0 + or 1.2.8, which fixes this issue. El método de autenticación en las versiones de Apache Doris anteriores a la 2.0.0 era vulnerable a ataques de sincronización. Se recomienda a los usuarios actualizar a la versión 2.0.0 + o 1.2.8, que soluciona este problema. The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks. Users... • http://www.openwall.com/lists/oss-security/2024/03/10/2 • CWE-208: Observable Timing Discrepancy •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50740 – Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged
https://notcve.org/view.php?id=CVE-2023-50740
06 Mar 2024 — In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0 En Apache Linkis <= 1.4.0, la contraseña se imprime en el registro cuando se utiliza la fuente de datos de Oracle del módulo de fuente de datos de Linkis. Recomendamos a los usuarios actualizar la versión de Linkis a la versión 1.5.0 • http://www.openwall.com/lists/oss-security/2024/03/06/2 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26580 – Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability
https://notcve.org/view.php?id=CVE-2024-26580
06 Mar 2024 — Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673 Vulnerabilidad de deserialización de datos no confiables en Apache InLong. Este problema afecta a Apache InLong: desde 1.8.0 hasta 1.10.0, los atacantes pueden usar el payload e... • http://www.openwall.com/lists/oss-security/2024/03/06/1 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27138 – Apache Archiva: disabling user registration is not effective
https://notcve.org/view.php?id=CVE-2024-27138
01 Mar 2024 — Incorrect Authorization vulnerability in Apache Archiva. Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Vulnerabilidad de autoriza... • http://www.openwall.com/lists/oss-security/2024/03/01/4 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27139 – Apache Archiva: incorrect authentication potentially leading to account takeover
https://notcve.org/view.php?id=CVE-2024-27139
01 Mar 2024 — Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the mainta... • http://www.openwall.com/lists/oss-security/2024/03/01/3 • CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27140 – Apache Archiva: reflected XSS
https://notcve.org/view.php?id=CVE-2024-27140
01 Mar 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. • http://www.openwall.com/lists/oss-security/2024/03/01/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50378 – Apache Ambari: Various XSS problems
https://notcve.org/view.php?id=CVE-2023-50378
01 Mar 2024 — Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8 Impact : As it will be stored XSS, Could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads. Users are recommended to upgrade to version 2.7.8 which fixes this issue. Falta de validación de entrada adecuada y aplicación de restricciones en Apache Ambari antes de 2.7.8 Impacto: como se almacenará XSS, podría explotarse para realizar acciones no ... • http://www.openwall.com/lists/oss-security/2024/03/01/5 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •