CVE-2024-27139 – Apache Archiva: incorrect authentication potentially leading to account takeover
https://notcve.org/view.php?id=CVE-2024-27139
Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de autorización incorrecta en Apache Archiva: una vulnerabilidad en Apache Archiva permite que un atacante no autenticado modifique los datos de la cuenta, lo que podría llevar a la apropiación de la cuenta. Este problema afecta a Apache Archiva: desde 2.0.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/3 https://lists.apache.org/thread/qr8b7r86p1hkn0dc0q827s981kf1bgd8 • CWE-863: Incorrect Authorization •
CVE-2024-27140 – Apache Archiva: reflected XSS
https://notcve.org/view.php?id=CVE-2024-27140
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Apache Archiva. Este problema afecta a Apache Archiva: desde 2.0.0. • http://www.openwall.com/lists/oss-security/2024/03/01/2 https://lists.apache.org/thread/xrn6nt904ozh3jym60c3f5hj2fb75pjy • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-50378 – Apache Ambari: Various XSS problems
https://notcve.org/view.php?id=CVE-2023-50378
Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8 Impact : As it will be stored XSS, Could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads. Users are recommended to upgrade to version 2.7.8 which fixes this issue. Falta de validación de entrada adecuada y aplicación de restricciones en Apache Ambari antes de 2.7.8 Impacto: como se almacenará XSS, podría explotarse para realizar acciones no autorizadas, que van desde el acceso a datos hasta el secuestro de sesiones y la entrega de payloads maliciosos. Se recomienda a los usuarios actualizar a la versión 2.7.8, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/5 https://lists.apache.org/thread/6hn0thq743vz9gh283s2d87wz8tqh37c • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-26280 – Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs)
https://notcve.org/view.php?id=CVE-2024-26280
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability Apache Airflow, versiones anteriores a la 2.8.2, tiene una vulnerabilidad que permite a los usuarios autenticados de Ops y Viewers ver toda la información en los registros de auditoría, incluidos los nombres de dag y los nombres de usuario que no tenían permiso para ver. Con 2.8.2 y versiones posteriores, los usuarios de Ops y Viewer no tienen permiso de registro de auditoría de forma predeterminada; se les debe otorgar permisos explícitamente para ver los registros. De forma predeterminada, solo los usuarios administradores tienen permiso de registro de auditoría. • http://www.openwall.com/lists/oss-security/2024/03/01/1 https://github.com/apache/airflow/pull/37501 https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh • CWE-276: Incorrect Default Permissions •
CVE-2024-27906 – Apache Airflow: Dag Code and Import Error Permissions Ignored
https://notcve.org/view.php?id=CVE-2024-27906
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability Apache Airflow, versiones anteriores a la 2.8.2, tiene una vulnerabilidad que permite a los usuarios autenticados ver el código DAG e importar errores de DAG que no tienen permiso para ver a través de la API y la UI. Se recomienda a los usuarios de Apache Airflow actualizar a la versión 2.8.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad. • http://www.openwall.com/lists/oss-security/2024/02/29/1 https://github.com/apache/airflow/pull/37290 https://github.com/apache/airflow/pull/37468 https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5 • CWE-668: Exposure of Resource to Wrong Sphere •