CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38362 – Docker Provider <3.0 RCE vulnerability in example dag
https://notcve.org/view.php?id=CVE-2022-38362
16 Aug 2022 — Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host. El Proveedor de Apache Airflow Docker versiones anteriores a 3.0.0, incluía un ejemplo de DAG que era vulnerable a una explotación remota (autenticada) de código en el host del trabajador de Airflow. • http://www.openwall.com/lists/oss-security/2022/08/16/1 •
CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 0CVE-2022-36364 – Apache Calcite Avatica JDBC driver `httpclient_impl` connection property can be used as an RCE vector
https://notcve.org/view.php?id=CVE-2022-36364
28 Jul 2022 — Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via `httpclient_impl` connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes and in rare cases remote code execution. To exploit the vulnerability: 1) the attacker needs to have privileges to control JDBC connection parameters; 2) and there should be a vulnerable class (constructo... • http://www.openwall.com/lists/oss-security/2022/07/28/1 • CWE-665: Improper Initialization •
CVSS: 9.8EPSS: 7%CPEs: 180EXPL: 1CVE-2019-13990 – libquartz: XXE attacks via job description
https://notcve.org/view.php?id=CVE-2019-13990
26 Jul 2019 — initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. La función initDocumentParser en el archivo xml/XMLSchedulingDataProcessor.java en Quartz Scheduler de Terracotta hasta la versión 2.3.0, permite ataques de tipo XXE por medio de una descripción del trabajo. The Terracotta Quartz Scheduler is susceptible to an XML external entity attack (XXE) through a job description. This issue stems from inadequate handling of X... • https://github.com/epicosy/Quartz-1 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2010-3845
https://notcve.org/view.php?id=CVE-2010-3845
08 Aug 2017 — libapache-authenhook-perl 2.00-04 stores usernames and passwords in plaintext in the vhost error log. libapache-authenhook-perl 2.00-04 almacena nombres de usuario y contraseñas en texto plano en el archivo de log de errores vhost. • http://seclists.org/oss-sec/2010/q4/63 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5506
https://notcve.org/view.php?id=CVE-2015-5506
18 Aug 2015 — The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content via a search. Vulnerabilidad en el módulo Apache Solr Real-Time 7.x-1.x en versiones anteriores a 7.x-1.2 para Drupal, no comprueba el estado de una entidad cuando indexa, lo que permite a atacantes remotos obtener información sobre contenido no publicado a través de una búsqueda. • http://www.openwall.com/lists/oss-security/2015/07/04/4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 3%CPEs: 1EXPL: 0CVE-2012-6107
https://notcve.org/view.php?id=CVE-2012-6107
29 Sep 2014 — Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Apache Axis2/C no verifica que el nombre del servidor coincide con un nombre de dominio en el campo del asunto Common Name (CN) o subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de u... • http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser • CWE-310: Cryptographic Issues •
CVSS: 5.3EPSS: 2%CPEs: 3EXPL: 1CVE-2013-2254 – Apache Sling 2.2.0 / 2.3.0 Denial of Service
https://notcve.org/view.php?id=CVE-2013-2254
09 Oct 2013 — The deepGetOrCreateNode function in impl/operations/AbstractCreateOperation.java in org.apache.sling.servlets.post.bundle 2.2.0 and 2.3.0 in Apache Sling does not properly handle a NULL value that returned when the session does not have permissions to the root node, which allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors. La función deepGetOrCreateNode en impl/operations/AbstractCreateOperation.java en org.apache.sling.servlets.post.bundle 2.2.0 y 2.3.0 de Apache S... • http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4pue6PnESsP1KTdEDJm1gpkANFaK%2BvUd9mzEVT7tXL%2B3A%40mail.gmail.com%3E • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.3EPSS: 25%CPEs: 2EXPL: 1CVE-2012-2138 – Apache Sling - Denial of Service
https://notcve.org/view.php?id=CVE-2012-2138
09 Jul 2012 — The @CopyFrom operation in the POST servlet in the org.apache.sling.servlets.post bundle before 2.1.2 in Apache Sling does not prevent attempts to copy an ancestor node to a descendant node, which allows remote attackers to cause a denial of service (infinite loop) via a crafted HTTP request. La operación @CopyFrom en el servlet POST en el conjunto org.apache.sling.servlets.post anteriores a v2.1.2 en Apache Sling no previene intentos de copia sobre un nodo de nivel superior sobre uno de nivel inferior, lo ... • https://www.exploit-db.com/exploits/37487 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 8%CPEs: 39EXPL: 0CVE-2011-2729 – jakarta-commons-daemon: jsvc does not drop capabilities allowing access to files and directories owned by the superuser
https://notcve.org/view.php?id=CVE-2011-2729
15 Aug 2011 — native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application. native/unix/native/jsvc-unix.c en jsvc en el componente Daemon v1.0.3 hasta v1.0.6 en Apache Commons, usado en Apache Tomcat v5.5.32 hasta v5.5.33, v6.0.30 hasta v6.0.32, y v7.0... • http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00024.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2010-1151
https://notcve.org/view.php?id=CVE-2010-1151
20 Apr 2010 — Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials. Condición de carrera en el módulo mod_auth_shadow del servidor HTTP Apache permite a atacantes remotos evitar la autenticación, leer y posiblemente modificar datos, a través de vectores de ataque relacionados con errores en la interacción con u... • http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041326.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •