Page 34 of 401 results (0.006 seconds)

CVSS: -EPSS: 0%CPEs: 1EXPL: 0

In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.  This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis <=1.5.0 will be affected. We recommend users upgrade the version of Linkis to version 1.6.0. En Apache Linkis &lt;= 1.5.0, debido a la falta de un filtrado efectivo de parámetros, un atacante que configure parámetros db2 maliciosos en el módulo DataSource Manager resultará en una inyección de jndi. Por lo tanto, los parámetros en la URL de DB2 deben estar en la lista negra. Este ataque requiere que el atacante obtenga una cuenta autorizada de Linkis antes de poder llevarse a cabo. • https://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.  We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0. En Apache Linkis &lt;= 1.5.0, el módulo de administración de fuentes de datos, al agregar una fuente de datos Mysql, existe una vulnerabilidad de ejecución remota de código para la versión de Java &lt;1.8.0_241. • https://lists.apache.org/thread/0dnzh64xy1n7qo3rgo2loz9zn7m9xgdx • CWE-502: Deserialization of Untrusted Data •

CVSS: -EPSS: 0%CPEs: 1EXPL: 0

In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected.  We recommend users upgrade the version of Linkis to version 1.5.0. En Apache Linkis = 1.4.0, debido a la falta de filtrado efectivo de parámetros, un atacante que configure parámetros maliciosos de Mysql JDBC en el módulo DataSource Manager activará la lectura de archivos arbitrarios. • https://lists.apache.org/thread/dxkpwyoxy1jpdwlpqp15zvo0jxn4v729 • CWE-552: Files or Directories Accessible to External Parties •

CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue. • http://www.openwall.com/lists/oss-security/2024/07/12/2 https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue. Una regresión en el núcleo de Apache HTTP Server 2.4.60 ignora parte del uso de la configuración de controladores heredada basada en el tipo de contenido. "AddType" y configuraciones similares, en algunas circunstancias en las que los archivos se solicitan indirectamente, dan como resultado la divulgación del código fuente del contenido local. • http://www.openwall.com/lists/oss-security/2024/07/17/6 https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20240712-0002 •