CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45720 – Apache Subversion: Command line argument injection on Windows platforms
https://notcve.org/view.php?id=CVE-2024-45720
On Windows platforms, a "best fit" character encoding conversion of command line arguments to Subversion's executables (e.g., svn.exe, etc.) may lead to unexpected command line argument interpretation, including argument injection and execution of other programs, if a specially crafted command line argument string is processed. All versions of Subversion up to and including Subversion 1.14.3 are affected on Windows platforms only. Users are recommended to upgrade to version Subversion 1.14.4, which fixes this issue. Subversion is not affected on UNIX-like platforms. • https://subversion.apache.org/security/CVE-2024-45720-advisory.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47554 – Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader
https://notcve.org/view.php?id=CVE-2024-47554
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue. A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed. • https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1 https://access.redhat.com/security/cve/CVE-2024-47554 https://bugzilla.redhat.com/show_bug.cgi?id=2316271 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47561 – Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK)
https://notcve.org/view.php?id=CVE-2024-47561
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. El análisis de esquemas en el SDK de Java de Apache Avro 1.11.3 y versiones anteriores permite que actores maliciosos ejecuten código arbitrario. Se recomienda a los usuarios actualizar a la versión 1.11.4 o 1.12.0, que solucionan este problema. A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. • https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x https://access.redhat.com/security/cve/CVE-2024-47561 https://bugzilla.redhat.com/show_bug.cgi?id=2316116 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45772 – Apache Lucene Replicator: Security Vulnerability in Lucene Replicator - Deserialization Issue
https://notcve.org/view.php?id=CVE-2024-45772
Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality. Vulnerabilidad de deserialización de datos no confiables en Apache Lucene Replicator. Este problema afecta al módulo replicador de Apache Lucene: desde la versión 4.4.0 hasta la 9.12.0. El paquete obsoleto org.apache.lucene.replicator.http está afectado. • https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23454 – Apache Hadoop: Temporary File Local Information Disclosure
https://notcve.org/view.php?id=CVE-2024-23454
Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users. RunJar.run() de Apache Hadoop no establece permisos para el directorio temporal de forma predeterminada. Si en este archivo se encuentran datos confidenciales, todos los demás usuarios locales podrán ver el contenido. • https://issues.apache.org/jira/browse/HADOOP-19031 https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs • CWE-269: Improper Privilege Management •