CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39676 – Apache Pinot: Unauthorized endpoint exposed sensitive information
https://notcve.org/view.php?id=CVE-2024-39676
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot. This issue affects Apache Pinot: from 0.1 before 1.0.0. Users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue. Details: When using a request to path “/appconfigs” to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the Role-based Access Control https://docs.pinot.apache.org/operators/tutorials/authentication/basic-auth-access-control , so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en Apache Pinot. • https://lists.apache.org/thread/hsm0b2w8qr0sqy4rj1mfnnw286tslpzc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41178 – Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files
https://notcve.org/view.php?id=CVE-2024-41178
Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html . This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until the OIDC token expires. Typically OIDC tokens are valid for up to an hour, although this will vary depending on the issuer. Users are recommended to use a different AWS authentication mechanism, disable logging or upgrade to version 0.10.2, which fixes this issue. Details: When using AWS WebIdentityTokens with the object_store crate, in the event of a failure and automatic retry, the underlying reqwest error, including the full URL with the credentials, potentially in the parameters, is written to the logs. Thanks to Paul Hatcherian for reporting this vulnerability Exposición de credenciales temporales en registros en Apache Arrow Rust Object Store (caja `object_store`), versión 0.10.1 y anteriores en todas las plataformas que utilizan AWS WebIdentityTokens. En determinadas condiciones de error, los registros pueden contener el token OIDC pasado a AssumeRoleWithWebIdentity https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html. Esto permite que alguien con acceso a los registros se haga pasar por esa identidad, incluida la realización de sus propias llamadas a AssumeRoleWithWebIdentity, hasta que caduque el token OIDC. • http://www.openwall.com/lists/oss-security/2024/07/23/3 https://lists.apache.org/thread/3t0povdppnt2czv6crlsqhvyko93kcrg • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29070 – Apache StreamPark: session not invalidated after logout
https://notcve.org/view.php?id=CVE-2024-29070
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4 En versiones anteriores a la 2.1.4, la sesión no se invalida después de cerrar sesión. Cuando el usuario inicia sesión correctamente, el servicio Backend devuelve "Authorization" como credencial de autenticación de front-end. La "Authorization" aún puede iniciar solicitudes y acceder a datos incluso después de cerrar sesión. • https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl • CWE-613: Insufficient Session Expiration •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34457 – Apache StreamPark IDOR Vulnerability
https://notcve.org/view.php?id=CVE-2024-34457
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4 En versiones anteriores a la 2.1.4, después de que un usuario normal inicia sesión con éxito, puede realizar una solicitud manualmente utilizando el token de autorización para ver la información de flink de todos los usuarios, incluidos runSQL y config. Mitigación: todos los usuarios deben actualizar a 2.1.4 • http://www.openwall.com/lists/oss-security/2024/07/22/2 https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j https://www.openwall.com/lists/oss-security/2024/07/22/2 • CWE-269: Improper Privilege Management CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-38503 – Apache Syncope: HTML tags can be injected into Console or Enduser text fields
https://notcve.org/view.php?id=CVE-2024-38503
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue. Al editar un usuario, grupo o cualquier objeto en Syncope Console, se podrían agregar etiquetas HTML a cualquier campo de texto y podrían dar lugar a posibles exploits. La misma vulnerabilidad se encontró en Syncope Enduser, al editar “Personal Information” o “User Requests”. Se recomienda a los usuarios actualizar a la versión 3.0.8, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/07/22/3 https://syncope.apache.org/security#cve-2024-38503-html-tags-can-be-injected-into-console-or-enduser https://www.openwall.com/lists/oss-security/2024/07/22/3 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •