CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-23184 – Apache CXF: Denial of Service vulnerability with temporary files
https://notcve.org/view.php?id=CVE-2025-23184
21 Jan 2025 — A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients). A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill ... • https://lists.apache.org/thread/lfs8l63rnctnj2skfrxyys7v8fgnt122 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45627 – Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability
https://notcve.org/view.php?id=CVE-2024-45627
14 Jan 2025 — In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected. We recommend users upgrade the version of... • https://lists.apache.org/thread/0zzx8lldwoqgzq98mg61hojgpvn76xsh • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 4.3EPSS: 4%CPEs: 1EXPL: 1CVE-2025-22828 – Apache CloudStack: Unauthorised access to annotations
https://notcve.org/view.php?id=CVE-2025-22828
13 Jan 2025 — CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such ... • https://github.com/Stolichnayer/CVE-2025-22828 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45033 – Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli
https://notcve.org/view.php?id=CVE-2024-45033
08 Jan 2025 — Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is d... • https://github.com/apache/airflow/pull/45139 • CWE-613: Insufficient Session Expiration •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54676 – Apache OpenMeetings: Deserialisation of untrusted data in cluster mode
https://notcve.org/view.php?id=CVE-2024-54676
08 Jan 2025 — Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as s... • https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 27%CPEs: 1EXPL: 1CVE-2024-56512 – Apache NiFi: Missing Complete Authorization for Parameter and Service References
https://notcve.org/view.php?id=CVE-2024-56512
28 Dec 2024 — Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to down... • https://github.com/absholi7ly/CVE-2024-56512-Apache-NiFi-Exploit • CWE-638: Not Using Complete Mediation •
CVSS: 10.0EPSS: 10%CPEs: 2EXPL: 0CVE-2024-52046 – Apache MINA: MINA applications using unbounded deserialization may allow RCE
https://notcve.org/view.php?id=CVE-2024-52046
25 Dec 2024 — The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also important... • https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 35%CPEs: 1EXPL: 0CVE-2024-43441 – Apache HugeGraph-Server: Fixed JWT Token(Secret)
https://notcve.org/view.php?id=CVE-2024-43441
24 Dec 2024 — Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue. • https://lists.apache.org/thread/h2607yv32wgcrywov960jpxhvsmmlf12 • CWE-302: Authentication Bypass by Assumed-Immutable Data •
CVSS: 9.9EPSS: 16%CPEs: 1EXPL: 0CVE-2024-45387 – Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments
https://notcve.org/view.php?id=CVE-2024-45387
23 Dec 2024 — An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops. Una vulnerabilidad de inyección SQL en Traffic Ops en Apache Traffic Control <= 8.0.1, >= 8.0.0 permite que u... • https://lists.apache.org/thread/t38nk5n7t8w3pb66z7z4pqfzt4443trr • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-285: Improper Authorization •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2024-23945 – Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails
https://notcve.org/view.php?id=CVE-2024-23945
23 Dec 2024 — Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitatio... • https://github.com/apache/hive • CWE-209: Generation of Error Message Containing Sensitive Information •