CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42361 – GHSL-2023-256: HertzBeat Authenticated (guest role) SQL injection in /api/monitor/{monitorId}/metric/{metricFull}
https://notcve.org/view.php?id=CVE-2024-42361
Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection. • https://securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/manager/src/main/java/org/dromara/hertzbeat/manager/controller/MonitorsController.java#L202 https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L242 https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43202 – Apache DolphinScheduler: Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-43202
Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue. • https://github.com/apache/dolphinscheduler/pull/15758 https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5 https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh https://www.cve.org/CVERecord?id=CVE-2023-49109 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41909 – Apache MINA SSHD: integrity check bypass
https://notcve.org/view.php?id=CVE-2024-41909
Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected. A flaw was found in Apache MINA SSHD. • https://github.com/apache/mina-sshd/issues/445 https://lists.apache.org/thread/vwf1ot8wx1njyy8n19j5j2tcnjnozt3b https://access.redhat.com/security/cve/CVE-2024-41909 https://bugzilla.redhat.com/show_bug.cgi?id=2304442 • CWE-354: Improper Validation of Integrity Check Value •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41888 – Apache Answer: The link for resetting user password is not Single-Use
https://notcve.org/view.php?id=CVE-2024-41888
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue. • https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41890 – Apache Answer: The link to reset the user's password will remain valid after sending a new link
https://notcve.org/view.php?id=CVE-2024-41890
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue. • https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9 • CWE-772: Missing Release of Resource after Effective Lifetime •