
CVE-2024-56195 – Apache Traffic Server: Intercept plugins are not access controlled
https://notcve.org/view.php?id=CVE-2024-56195
06 Mar 2025 — Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-284: Improper Access Control •

CVE-2024-56196 – Apache Traffic Server: ACL is not fully compatible with older versions
https://notcve.org/view.php?id=CVE-2024-56196
06 Mar 2025 — Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 10.0.4, which fixes the issue. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-284: Improper Access Control •

CVE-2024-56202 – Apache Traffic Server: Expect header field can unreasonably retain resource
https://notcve.org/view.php?id=CVE-2024-56202
06 Mar 2025 — Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4 or newer, which fix the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-440: Expected Behavior Violation •

CVE-2024-55532 – Apache Ranger: Improper Neutralization of Formula Elements in a CSV File
https://notcve.org/view.php?id=CVE-2024-55532
03 Mar 2025 — Improper Neutralization of Formula Elements in the Export CSV feature of Apache Ranger, in versions before 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue. • https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2024-24778 – Apache StreamPipes: Resources Permission Escalation
https://notcve.org/view.php?id=CVE-2024-24778
03 Mar 2025 — Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was known. This issue affects Apache StreamPipes: through 0.95.1. Users are recommended to upgrade to version 0.97.0, which fixes the issue. • https://lists.apache.org/thread/j14w6wghlwwrgfgc6hoz9f94fwxtlgzh • CWE-269: Improper Privilege Management •

CVE-2024-56325 – Apache Pinot: Authentication bypass issue. If the path does not contain / and contains ., authentication is not required
https://notcve.org/view.php?id=CVE-2024-56325
03 Mar 2025 — Authentication Bypass Issue: if the path does not contain "/" and contains ".", authentication is not required. Expected normal request and response example: curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious request and response example: curl -X POST -... • https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
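
The bug class here is an authentication filter that exempts requests by a loose shape test ("no slash and a dot means a static file") rather than by an explicit allowlist. The block below is an added Python illustration, not Apache Pinot's filter code: requires_auth_broken mirrors the rule as the advisory states it, and requires_auth_fixed replaces it with deny-by-default logic. It assumes the filter sees the request path relative to the application root, which is an assumption of the example; the request list is constructed.

```python
import posixpath

# Static resources a console may legitimately serve without a session.
# Anything else, including API paths that merely look like files, needs auth.
STATIC_EXTENSIONS = frozenset({".html", ".css", ".js", ".png", ".ico", ".svg"})


def requires_auth_broken(path):
    """Rule as described in the advisory: a path with no '/' that contains
    a '.' is assumed to be a static file and skips authentication."""
    looks_like_static_file = "/" not in path and "." in path
    return not looks_like_static_file


def requires_auth_fixed(path, method):
    """Deny by default: only a GET for a single top-level resource whose
    extension is on the allowlist is exempt from authentication."""
    if method.upper() != "GET":
        return True
    # Normalise so "../" and "//" cannot change the effective segment.
    normalized = posixpath.normpath("/" + path)
    segments = [s for s in normalized.split("/") if s]
    if len(segments) != 1:
        return True
    name = segments[0]
    dot = name.rfind(".")
    if dot <= 0 or dot == len(name) - 1:
        # No extension, a dotfile, or a trailing dot: treat as an API path.
        return True
    return name[dot:].lower() not in STATIC_EXTENSIONS


# Constructed requests: (method, path). "users." is the shape that satisfies
# the broken rule while still being an API-style path.
SAMPLE_REQUESTS = [
    ("POST", "users"),
    ("POST", "users."),
    ("GET", "index.html"),
    ("GET", "users.json"),
    ("GET", "../index.html"),
    ("GET", ".env"),
]

if __name__ == "__main__":
    for method, path in SAMPLE_REQUESTS:
        print(f"{method:5} {path:15} broken={requires_auth_broken(path)} "
              f"fixed={requires_auth_fixed(path, method)}")
```

The check to carry away: an exemption should be a positive match (method, exact prefix, known extension) that fails closed, never a negative test on the path string.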

CVE-2024-56180 – Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution
https://notcve.org/view.php?id=CVE-2024-56180
14 Feb 2025 — CWE-502 Deserialization of Untrusted Data in the eventmesh-meta-raft plugin module of Apache EventMesh (master branch, no released version) on platforms such as Windows, Linux and macOS allows attackers to send controlled messages and achieve remote code execution via the Hessian deserialization RPC protocol. Users can use the code under the master branch in the project repo or version 1.11.0 to fix this issue. • https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd • CWE-502: Deserialization of Untrusted Data •

CVE-2024-52577 – Apache Ignite: Possible RCE when deserializing incoming messages by the server node
https://notcve.org/view.php?id=CVE-2024-52577
14 Feb 2025 — In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side. • https://lists.apache.org/thread/1bst0n27m9kb3b6f6hvlghn182vqb2hh • CWE-502: Deserialization of Untrusted Data •
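
Both the EventMesh entry (Hessian RPC) and the Ignite entry (serialization filters ignored on some endpoints) come down to the same control: every code path that deserialises network input must run the payload through a class allowlist, and a gadget class already on the classpath is enough for an attacker once one path does not. The block below is an added example in Python, using pickle as a stand-in for Hessian or Java serialization; it is not EventMesh or Ignite code. The Event data type, the allowlist and the gadget are constructed for the example; os.getpid is used as a harmless callable where a real attacker would pick something like os.system.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class Event:
    """A data type the service legitimately exchanges (constructed example)."""
    topic: str
    payload: str


# Allowlist keyed on (module, qualified name), the identity find_class sees.
ALLOWED_CLASSES = frozenset({(Event.__module__, Event.__qualname__)})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist,
    the analogue of a Java ObjectInputFilter / Ignite class filter."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_loads(data):
    """The filtered path every endpoint should use."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unrestricted_loads(data):
    """The unfiltered path. A 'filter ignored for some endpoints' bug is
    exactly one more call site that still looks like this."""
    return pickle.loads(data)


def is_rejected(data):
    """True if the allowlisted unpickler refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class Gadget:
    """Gadget: on load the stream tells the unpickler to call an arbitrary
    importable callable. os.getpid stands in for the real thing."""

    def __reduce__(self):
        return (os.getpid, ())


def serialize(obj):
    return pickle.dumps(obj)


def build_attacker_payload():
    return serialize(Gadget())


if __name__ == "__main__":
    payload = build_attacker_payload()
    print("unfiltered endpoint executed callable, got:", unrestricted_loads(payload))
    print("filtered endpoint rejected payload:", is_rejected(payload))
    print("filtered endpoint still loads Event:",
          safe_loads(serialize(Event("orders", "hello"))))
```

When auditing for this class of bug, enumerate every deserialisation entry point (RPC handlers, message listeners, cache loaders) and confirm each one goes through the filtered loader; a filter configured globally is only as good as the endpoints that honour it.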

CVE-2024-46910 – Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user
https://notcve.org/view.php?id=CVE-2024-46910
13 Feb 2025 — An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to version 2.4.0, which fixes the issue. • https://lists.apache.org/thread/sqzp34l4cdk21zoq5g31qlsvr7jvb1fy • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2024-32838 – Apache Fineract: SQL injection vulnerabilities in offices API endpoint
https://notcve.org/view.php?id=CVE-2024-32838
12 Feb 2025 — SQL Injection vulnerability in various API endpoints (offices, dashboards, etc.). Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameters. Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly ... • https://lists.apache.org/thread/7l88h17pn9nf8zpx5bbojk7ko5oxo1dy • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
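
Query parameters such as filters and sort columns are the usual source of this bug: values can be bound as parameters, but identifiers (ORDER BY columns) cannot, so they need an allowlist. The block below is an added Python/sqlite3 illustration of that split, not Apache Fineract's Java code or its SQL Validator: find_offices_vulnerable splices both the tenant value and the sort column into the query, find_offices_safe binds the value and validates the identifier. The offices table and rows are constructed for the example.

```python
import sqlite3

# Columns a caller may sort by. Identifiers cannot be bound as parameters,
# so they are checked against this allowlist instead.
ALLOWED_ORDER_COLUMNS = frozenset({"id", "name", "opening_date"})


def open_demo_db():
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offices (id INTEGER PRIMARY KEY, name TEXT, "
        "opening_date TEXT, tenant TEXT)"
    )
    conn.executemany(
        "INSERT INTO offices (name, opening_date, tenant) VALUES (?, ?, ?)",
        [("HQ", "2020-01-01", "alpha"),
         ("Branch", "2021-05-05", "alpha"),
         ("Other", "2022-02-02", "beta")],
    )
    return conn


def find_offices_vulnerable(conn, tenant, order_by="name"):
    """Both the tenant filter and the sort column are spliced into the SQL."""
    sql = (f"SELECT id, name FROM offices WHERE tenant = '{tenant}' "
           f"ORDER BY {order_by}")
    return conn.execute(sql).fetchall()


def validate_identifier(identifier):
    """Reject anything that is not a known column name (allowlist, not
    a blocklist of dangerous characters)."""
    if identifier not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"invalid sort column: {identifier!r}")
    return identifier


def find_offices_safe(conn, tenant, order_by="name"):
    """Values are bound as parameters; the identifier goes through the
    allowlist before it is interpolated."""
    sql = (f"SELECT id, name FROM offices WHERE tenant = ? "
           f"ORDER BY {validate_identifier(order_by)}")
    return conn.execute(sql, (tenant,)).fetchall()


# Constructed payload: closes the string literal and adds a tautology.
INJECTED_TENANT = "' OR '1'='1"

if __name__ == "__main__":
    db = open_demo_db()
    print("vulnerable:", find_offices_vulnerable(db, INJECTED_TENANT))
    print("safe:      ", find_offices_safe(db, INJECTED_TENANT))
```

The vulnerable query returns every tenant's offices for the injected value; the safe query returns nothing, because the whole string is compared as data. A regex that strips quotes would not be an equivalent fix: the sort column path shows why an allowlist of known identifiers is the only reliable check where binding is impossible.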