CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36471 – Apache Allura: sensitive information exposure via DNS rebinding
https://notcve.org/view.php?id=CVE-2024-36471
10 Jun 2024 — Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file. • https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.1EPSS: 93%CPEs: 1EXPL: 1CVE-2024-36104 – Apache OFBiz: Path traversal leading to a RCE
https://notcve.org/view.php?id=CVE-2024-36104
04 Jun 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.14. • https://github.com/ggfzx/CVE-2024-36104 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5055 – Vulnerability of uncontrolled resource consumption in XAMPP
https://notcve.org/view.php?id=CVE-2024-5055
17 May 2024 — Uncontrolled resource consumption vulnerability in XAMPP Windows, versions 7.3.2 and earlier. This vulnerability exists when XAMPP attempts to process many incomplete HTTP requests, resulting in resource consumption and system crashes. Vulnerabilidad de consumo descontrolado de recursos en XAMPP Windows, versiones 7.3.2 y anteriores. Esta vulnerabilidad existe cuando XAMPP intenta procesar muchas solicitudes HTTP incompletas, lo que provoca consumo de recursos y fallos del sistema. • https://www.incibe.es/en/incibe-cert/notices/aviso/vulnerability-uncontrolled-resource-consumption-xampp • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 2%CPEs: 1EXPL: 0CVE-2024-32077 – Apache Airflow: XSS vulnerability in Task Instance Log/Log Details
https://notcve.org/view.php?id=CVE-2024-32077
14 May 2024 — Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue. Apache Airflow versión 2.9.0 tiene una vulnerabilidad que permite a un atacante autenticado inyectar datos maliciosos en los registros de instancias de tareas. Se recomienda a los usuarios actualizar a la versión 2.9.1, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/05/14/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34365 – Apache Karaf Cave: Cave SSRF and arbitrary file access
https://notcve.org/view.php?id=CVE-2024-34365
09 May 2024 — Improper Input Validation vulnerability in Apache Karaf Cave.This issue affects all versions of Apache Karaf Cave. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de validación de entrada incorrecta en Apache Karaf Cave. Este problema afecta a todas las versiones de... • http://www.openwall.com/lists/oss-security/2024/05/09/5 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26579 – Apache Inlong JDBC Vulnerability
https://notcve.org/view.php?id=CVE-2024-26579
08 May 2024 — Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2] https://github.com/apache/inlong/pull/9707 Vulnerabilidad de deserialización de datos no confiables en Apache InLong. Este problema afecta a Apache InLong: desde 1.7.0 hasta 1.11.0, los atac... • http://www.openwall.com/lists/oss-security/2024/05/09/2 • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 93%CPEs: 1EXPL: 7CVE-2024-32113 – Apache OFBiz Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2024-32113
08 May 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.13. Se recomienda a los usuarios actualizar a la versión 18.12.13, que soluciona el problema. • https://packetstorm.news/files/id/179138 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28148 – Apache Superset: Incorrect datasource authorization on explore REST API
https://notcve.org/view.php?id=CVE-2024-28148
07 May 2024 — An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2. Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue. Un usuario autenticado podría acceder a los metadatos de una fuente de datos para la que no está autorizado a ver enviando una solicitud de API REST específica. Este problema afecta a Apache Superset: anterior a 4.0.0. Se recomienda... • https://lists.apache.org/thread/n27wlbd05oc6bgjh28d5pxzsrrph8dgo • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35701 – Apache Hive: Arbitrary command execution via JDBC driver
https://notcve.org/view.php?id=CVE-2023-35701
03 May 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC driver (client) is running. The malicious user must have sufficient permissions to specify/edit JDBC URL(s) in an endpoint relying on the Hive JDBC driver and the JDBC client process must run under a privileged user to fully exploit the vulnerability. The attacker can setu... • http://www.openwall.com/lists/oss-security/2024/05/03/3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32638 – Apache APISIX: Forward-Auth Request Smuggling
https://notcve.org/view.php?id=CVE-2024-32638
02 May 2024 — Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue. Vulnerabilidad de interpretación inconsistente de solicitudes HTTP ("contrabando de solicitudes HTTP") en Apache APISIX cuando se utiliza el complemento `forward-auth`. Este problema afecta a Apache APISIX: desde 3.8.0, 3.9.0. Se re... • http://www.openwall.com/lists/oss-security/2024/05/02/2 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •