CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23537 – Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.
https://notcve.org/view.php?id=CVE-2024-23537
29 Mar 2024 — Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0, which fixes the issue. Vulnerabilidad de gestión de privilegios incorrecta en Apache Fineract. Este problema afecta a Apache Fineract: <1.8.5. Se recomienda a los usuarios actualizar a la versión 1.9.0, que soluciona el problema. • http://www.openwall.com/lists/oss-security/2024/03/29/1 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23538 – Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
https://notcve.org/view.php?id=CVE-2024-23538
29 Mar 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en Apache Fineract. Este problema afecta a Apache Fineract: <1.8.5. Se recomienda a los usuarios actualizar a la versión 1.8.5 o 1.9.0, que soluciona ... • http://www.openwall.com/lists/oss-security/2024/03/29/2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23539 – Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
https://notcve.org/view.php?id=CVE-2024-23539
29 Mar 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en Apache Fineract. Este problema afecta a Apache Fineract: <1.8.5. Se recomienda a los usuarios actualizar a la versión 1.8.5 o 1.9.0, que soluciona ... • http://www.openwall.com/lists/oss-security/2024/03/29/3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29735 – Apache Airflow: Potentially harmful permission changing by log task handler
https://notcve.org/view.php?id=CVE-2024-29735
26 Mar 2024 — Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix group of the folders. In the case Airflow is run with the root user (not recommended) it added group write permission to all folders up to the root of the filesystem. If your log files are stored in the home directory, ... • http://www.openwall.com/lists/oss-security/2024/03/26/2 • CWE-281: Improper Preservation of Permissions •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2024-27438 – Apache Doris: Downloading arbitrary remote jar files resulting in remote command execution
https://notcve.org/view.php?id=CVE-2024-27438
21 Mar 2024 — Download of Code Without Integrity Check vulnerability in Apache Doris. The jdbc driver files used for JDBC catalog is not checked and may resulting in remote command execution. Once the attacker is authorized to create a JDBC catalog, he/she can use arbitrary driver jar file with unchecked code snippet. This code snippet will be run when catalog is initializing without any check. This issue affects Apache Doris: from 1.2.0 through 2.0.4. Users are recommended to upgrade to version 2.0.5 or 2.1.x, which fix... • http://www.openwall.com/lists/oss-security/2024/03/21/1 • CWE-494: Download of Code Without Integrity Check •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26307 – Apache Doris: Possible race condition
https://notcve.org/view.php?id=CVE-2024-26307
21 Mar 2024 — Possible race condition vulnerability in Apache Doris. Some of code using `chmod()` method. This method run the risk of someone renaming the file out from under user and chmodding the wrong file. This could theoretically happen, but the impact would be minimal. This issue affects Apache Doris: before 1.2.8, before 2.0.4. Users are recommended to upgrade to version 2.0.4, which fixes the issue. Posible vulnerabilidad de condición de ejecución en Apache Doris. Parte del código que utiliza el método `chmod()`.... • http://www.openwall.com/lists/oss-security/2024/03/21/2 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29131 – Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
https://notcve.org/view.php?id=CVE-2024-29131
21 Mar 2024 — Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. Vulnerabilidad de escritura fuera de los límites en la configuración de Apache Commons. Este problema afecta a la configuración de Apache Commons: desde 2.0 antes de 2.10.1. Se recomienda a los usuarios actualizar a la versión 2.10.1, que soluciona el problema. • http://www.openwall.com/lists/oss-security/2024/03/20/4 • CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29133 – Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree
https://notcve.org/view.php?id=CVE-2024-29133
21 Mar 2024 — Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. Vulnerabilidad de escritura fuera de los límites en la configuración de Apache Commons. Este problema afecta a la configuración de Apache Commons: desde 2.0 antes de 2.10.1. Se recomienda a los usuarios actualizar a la versión 2.10.1, que soluciona el problema. • http://www.openwall.com/lists/oss-security/2024/03/20/3 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27439 – Apache Wicket: Possible bypass of CSRF protection
https://notcve.org/view.php?id=CVE-2024-27439
19 Mar 2024 — An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue. Un error en la evaluación de los encabezados de metadatos de recuperación podría permiti... • http://www.openwall.com/lists/oss-security/2024/03/19/2 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24683 – Apache Hop Engine: ID isn't escaped when generating HTML
https://notcve.org/view.php?id=CVE-2024-24683
19 Mar 2024 — Improper Input Validation vulnerability in Apache Hop Engine.This issue affects Apache Hop Engine: before 2.8.0. Users are recommended to upgrade to version 2.8.0, which fixes the issue. When Hop Server writes links to the PrepareExecutionPipelineServlet page one of the parameters provided to the user was not properly escaped. The variable not properly escaped is the "id", which is not directly accessible by users creating pipelines making the risk of exploiting this low. This issue only affects users using... • http://www.openwall.com/lists/oss-security/2024/03/18/1 • CWE-20: Improper Input Validation •