CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23454 – Apache Hadoop: Temporary File Local Information Disclosure
https://notcve.org/view.php?id=CVE-2024-23454
Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users. RunJar.run() de Apache Hadoop no establece permisos para el directorio temporal de forma predeterminada. Si en este archivo se encuentran datos confidenciales, todos los demás usuarios locales podrán ver el contenido. • https://issues.apache.org/jira/browse/HADOOP-19031 https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40761 – Apache Answer: Avatar URL leaked user email addresses
https://notcve.org/view.php?id=CVE-2024-40761
Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue. Vulnerabilidad de fuerza de cifrado inadecuada en Apache Answer. Este problema afecta a Apache Answer: hasta la versión 1.3.5. El uso del valor MD5 del correo electrónico de un usuario para acceder a Gravatar es inseguro y puede provocar la filtración del correo electrónico del usuario. • https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x • CWE-326: Inadequate Encryption Strength •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39928 – Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability
https://notcve.org/view.php?id=CVE-2024-39928
In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue. • https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw • CWE-326: Inadequate Encryption Strength •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46544 – Apache Tomcat Connectors: mod_jk: local users can view and modify configuration
https://notcve.org/view.php?id=CVE-2024-46544
Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue. An Incorrect Default Permissions vulnerability was found in Apache Tomcat Connectors that allows local users to view and modify shared memory containing mod_jk configuration, which may lead to information disclosure and denial of service. • https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d https://access.redhat.com/security/cve/CVE-2024-46544 https://bugzilla.redhat.com/show_bug.cgi?id=2314194 • CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42323 – Apache HertzBeat: RCE by snakeYaml deser load malicious xml
https://notcve.org/view.php?id=CVE-2024-42323
SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat (incubating): before 1.6.0. Users are recommended to upgrade to version 1.6.0, which fixes the issue. • https://lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx https://lists.apache.org/thread/r0c4tost4bllqc1n9q6rmzs1slgsq63t • CWE-502: Deserialization of Untrusted Data •