CVE-2024-31979 – Apache StreamPipes: Possibility of SSRF in pipeline element installation process
https://notcve.org/view.php?id=CVE-2024-31979
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. • https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-30471 – Apache StreamPipes: Potential creation of multiple identical accounts
https://notcve.org/view.php?id=CVE-2024-30471
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration. This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. • https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2024-39887 – Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
https://notcve.org/view.php?id=CVE-2024-39887
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection. This issue affects Apache Superset: before 4.0.2. Users are recommended to upgrade to version 4.0.2, which fixes the issue. • https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz http://www.openwall.com/lists/oss-security/2024/07/16/5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-52290 – Apache StreamPark (incubating): Unchecked SQL query fields trigger SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2023-52290
In streampark-console the list pages(e.g: application pages), users can sort page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn't validated, there is a risk of SQL injection vulnerability. The attacker must successfully log into the system to launch an attack, which may cause data leakage. Since no data will be written, so this is a low-impact vulnerability. Mitigation: all users should upgrade to 2.1.4, Such parameters will be blocked. • https://lists.apache.org/thread/t3mcm8pb65d9gj3wrgtj9sx9s2pfvvl3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-49566 – Apache Linkis DataSource: JDBC Datasource Module with DB2 has JNDI Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-49566
In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis <=1.5.0 will be affected. We recommend users upgrade the version of Linkis to version 1.6.0. En Apache Linkis <= 1.5.0, debido a la falta de un filtrado efectivo de parámetros, un atacante que configure parámetros db2 maliciosos en el módulo DataSource Manager resultará en una inyección de jndi. Por lo tanto, los parámetros en la URL de DB2 deben estar en la lista negra. Este ataque requiere que el atacante obtenga una cuenta autorizada de Linkis antes de poder llevarse a cabo. • https://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj • CWE-502: Deserialization of Untrusted Data •