CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25141 – Apache Airflow Mongo Provider: Certificate validation isn't respected even if SSL is enabled for apache-airflow-providers-mongo
https://notcve.org/view.php?id=CVE-2024-25141
When ssl was enabled for Mongo Hook, default settings included "allow_insecure" which caused that certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue. Cuando se habilitó SSL para Mongo Hook, la configuración predeterminada incluía "allow_insecure", lo que provocaba que los certificados no se validaran. Esto fue inesperado e indocumentado. Se recomienda a los usuarios actualizar a la versión 4.0.0, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/02/20/5 https://github.com/apache/airflow/pull/37214 https://lists.apache.org/thread/sqgbfqngjmn45ommmrgj7hvs7fgspsgm • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-23114 – Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository
https://notcve.org/view.php?id=CVE-2024-23114
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize malicious payload.This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1 Vulnerabilidad de deserialización de datos no confiables en Apache Camel CassandraQL Component AggregationRepository que es vulnerable a una deserialización insegura. Bajo condiciones específicas, es posible deserializar la carga útil maliciosa. • https://camel.apache.org/security/CVE-2024-23114.html https://access.redhat.com/security/cve/CVE-2024-23114 https://bugzilla.redhat.com/show_bug.cgi?id=2265053 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2024-22369 – Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository
https://notcve.org/view.php?id=CVE-2024-22369
Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1 Vulnerabilidad de deserialización de datos no confiables en el componente SQL de Apache Camel. Este problema afecta a Apache Camel: desde 3.0.0 antes de 3.21.4, desde 3.22.0 antes de 3.22.1, desde 4.0.0 antes de 4.0.4, desde 4.1.0 antes de 4.4.0 . Se recomienda a los usuarios actualizar a la versión 4.4.0, que soluciona el problema. • https://github.com/oscerd/CVE-2024-22369 https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f • CWE-502: Deserialization of Untrusted Data •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51770 – Apache DolphinScheduler: Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2023-51770
Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. Vulnerabilidad de lectura de archivos arbitrarios en Apache Dolphinscheduler. Este problema afecta a Apache DolphinScheduler: versiones anteriores a 3.2.1. Recomendamos a los usuarios que actualicen Apache DolphinScheduler a la versión 3.2.1, que soluciona el problema. • http://www.openwall.com/lists/oss-security/2024/02/20/2 https://github.com/apache/dolphinscheduler/pull/15433 https://lists.apache.org/thread/4t8bdjqnfhldh73gy9p0whlgvnnbtn7g https://lists.apache.org/thread/gpks573kn00ofxn7n9gkg6o47d03p5rw • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50270 – Apache DolphinScheduler: Session do not expire after password change
https://notcve.org/view.php?id=CVE-2023-50270
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. Corrección de sesión de Apache DolphinScheduler anterior a la versión 3.2.0, cuya sesión sigue siendo válida después del cambio de contraseña. Se recomienda a los usuarios actualizar a la versión 3.2.1, que soluciona este problema. • https://github.com/apache/dolphinscheduler/pull/15219 https://lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6 https://lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r https://www.openwall.com/lists/oss-security/2024/02/20/3 • CWE-384: Session Fixation CWE-613: Insufficient Session Expiration •