Apache The Apache Software Foundation
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Apache product.
Products by Apache Sorted by Most Security Vulnerabilities since 2018
Recent Apache Security Advisories
Advisory | Title | Published |
---|---|---|
2.4.62 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.62 | July 17, 2024 |
2.4.61 | Vulnerability Fixed in Apache HTTP Server 2.4.61 | July 16, 2024 |
2.4.60 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.60 | July 15, 2024 |
2.4.59 | 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.59 | April 4, 2024 |
2.4.58 | 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.58 | October 19, 2023 |
2.4.56 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.56 | March 7, 2023 |
2.4.55 | 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.55 | January 17, 2023 |
2.4.54 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.54 | June 8, 2022 |
2.4.53 | 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.53 | March 14, 2022 |
2.4.52 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.52 | December 20, 2021 |
Known Exploited Apache Vulnerabilities
The following Apache vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
Apache HugeGraph-Server Improper Access Control Vulnerability | Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. CVE-2024-27348 | September 18, 2024 |
Apache OFBiz Incorrect Authorization Vulnerability | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. CVE-2024-38856 | August 27, 2024 |
Apache OFBiz Path Traversal Vulnerability | Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. CVE-2024-32113 | August 7, 2024 |
Apache Flink Improper Access Control Vulnerability | Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. CVE-2020-17519 | May 23, 2024 |
Apache Superset Insecure Default Initialization of Resource Vulnerability | Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions. CVE-2023-27524 | January 8, 2024 |
Apache ActiveMQ Deserialization of Untrusted Data Vulnerability | Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. CVE-2023-46604 | November 2, 2023 |
Apache RocketMQ Command Execution Vulnerability | Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as or achieve the same effect by forging the RocketMQ protocol content. CVE-2023-33246 | September 6, 2023 |
Apache Tomcat Remote Code Execution Vulnerability | Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types. CVE-2016-8735 | May 12, 2023 |
Apache Log4j2 Deserialization of Untrusted Data Vulnerability | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. CVE-2021-45046 | May 1, 2023 |
Apache Spark Command Injection Vulnerability | Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. CVE-2022-33891 | March 7, 2023 |
Apache CouchDB Insecure Default Initialization of Resource Vulnerability | Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. CVE-2022-24706 | August 25, 2022 |
Apache APISIX Authentication Bypass Vulnerability | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. CVE-2022-24112 | August 25, 2022 |
Apache Struts Improper Input Validation Vulnerability | Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions. CVE-2013-2251 | March 25, 2022 |
Apache Tomcat on Windows Remote Code Execution Vulnerability | When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12615 | March 25, 2022 |
Apache Kylin OS Command Injection Vulnerability | Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution. CVE-2020-1956 | March 25, 2022 |
Apache Tomcat Remote Code Execution Vulnerability | When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12617 | March 25, 2022 |
Apache Tomcat Improper Privilege Management Vulnerability | Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited. CVE-2020-1938 | March 3, 2022 |
Apache Struts 1 Improper Input Validation Vulnerability | The Struts 1 plugin in Apache Struts might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. CVE-2017-9791 | February 10, 2022 |
Apache ActiveMQ Improper Input Validation Vulnerability | The Fileserver web application in Apache ActiveMQ allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request CVE-2016-3088 | February 10, 2022 |
Apache Struts 1 ActionForm Denial-of-Service Vulnerability | ActionForm in Apache Struts versions before 1.2.9 with BeanUtils 1.7 contains a vulnerability which allows for denial-of-service. CVE-2006-1547 | January 21, 2022 |
By the Year
In 2024 there have been 120 vulnerabilities in Apache with an average score of 7.3 out of ten. Last year Apache had 265 security vulnerabilities published. Right now, Apache is on track to have less security vulnerabilities in 2024 than it did last year. Last year, the average CVE base score was greater by 0.15
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 120 | 7.31 |
2023 | 265 | 7.46 |
2022 | 224 | 7.64 |
2021 | 201 | 7.52 |
2020 | 158 | 7.59 |
2019 | 158 | 7.28 |
2018 | 144 | 7.26 |
It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Security Vulnerabilities
Account users in Apache CloudStack by default are
CVE-2024-50386
- November 12, 2024
Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives. for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done For checking the whole template/volume features of each disk, operators can run the following command: for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done
Improper Input Validation
Airflow Audit Log Sensitive Data Exposure before 2.10.3 - November 2024
CVE-2024-50378
- November 08, 2024
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.
Insertion of Sensitive Information Into Sent Data
ZooKeeper 3.9 IP Spoofing Auth Bypass
CVE-2024-51504
- November 07, 2024
When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.
Authentication Bypass by Spoofing
Apache Tomcat TLS Handshake DoS
CVE-2024-38286
- November 07, 2024
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
Allocation of Resources Without Limits or Throttling
Apache Kylin Session Fixation Vulnerability in Authentication Module
CVE-2024-23590
- November 04, 2024
Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
Session Fixation
Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration
CVE-2024-45477
4.6 - Medium
- October 29, 2024
Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.
XSS
The CloudStack Quota feature
CVE-2024-45461
6.3 - Medium
- October 16, 2024
The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".
AuthZ
The logout operation in the CloudStack web interface does not expire the user session completely
CVE-2024-45462
7.1 - High
- October 16, 2024
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Insufficient Session Expiration
Users logged into the Apache CloudStack's web interface
CVE-2024-45693
8.8 - High
- October 16, 2024
Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1 Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Session Riding
Improper Authentication vulnerability in Apache Solr
CVE-2024-45216
- October 16, 2024
Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
authentification
Insecure Default Initialization of Resource vulnerability in Apache Solr
CVE-2024-45217
- October 16, 2024
Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized. This issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization. Users are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.
Insecure Default Initialization of Resource
Apache ActiveMQ Artemis
CVE-2023-50780
8.8 - High
- October 14, 2024
Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE. Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.
Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator
CVE-2024-45772
8 - High
- September 30, 2024
Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.
Marshaling, Unmarshaling
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-47197
7.5 - High
- September 26, 2024
Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials. When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.
Insecure Storage of Sensitive Information
Apache Hadoops RunJar.run() does not set permissions for temporary directory by default
CVE-2024-23454
- September 25, 2024
Apache Hadoops RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.
Improper Privilege Management
Incorrect Default Permissions vulnerability in Apache Tomcat Connectors
CVE-2024-46544
- September 23, 2024
Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue.
Incorrect Default Permissions
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j
CVE-2024-45384
5.3 - Medium
- September 17, 2024
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.
Apache Druid allows users with certain permissions to read data from other database systems using JDBC
CVE-2024-45537
6.5 - Medium
- September 17, 2024
Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list. Users without the permission to configure JDBC connections are not able to exploit this vulnerability. CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2. This issue is fixed in Apache Druid 30.0.1.
Improper Input Validation
Deserialization of Untrusted Data vulnerability in Apache Seata
CVE-2024-22399
9.8 - Critical
- September 16, 2024
Deserialization of Untrusted Data vulnerability in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.
Marshaling, Unmarshaling
Apache Airflow versions before 2.10.1 have a vulnerability
CVE-2024-45034
- September 07, 2024
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability
CVE-2024-45498
- September 07, 2024
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
Output Sanitization
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz
CVE-2024-45195
7.5 - High
- September 04, 2024
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
forced browsing
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz
CVE-2024-45507
9.8 - Critical
- September 04, 2024
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Code Injection
D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary
CVE-2024-45623
- September 02, 2024
D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache HTTP Server (httpd). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Lax permissions set by the Apache Portable Runtime library on Unix platforms would
CVE-2023-49582
5.5 - Medium
- August 26, 2024
Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.
Incorrect Permission Assignment for Critical Resource
Apache Airflow, versions before 2.10.0, have a vulnerability
CVE-2024-41937
6.1 - Medium
- August 21, 2024
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
XSS
Mysql security vulnerability in Apache SeaTunnel
CVE-2023-49198
7.5 - High
- August 21, 2024
Mysql security vulnerability in Apache SeaTunnel. Attackers can read files on the MySQL server by modifying the information in the MySQL URL allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360 This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version [1.0.1], which fixes the issue.
Files or Directories Accessible to External Parties
Hertzbeat is an open source, real-time monitoring system
CVE-2024-42362
8.8 - High
- August 20, 2024
Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.
Marshaling, Unmarshaling
Hertzbeat is an open source, real-time monitoring system
CVE-2024-42361
9.8 - Critical
- August 20, 2024
Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.
SQL Injection
An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra
CVE-2024-38175
9.6 - Critical
- August 20, 2024
An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra allows an authenticated attacker to elevate privileges over a network.
Authorization
Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795
CVE-2024-41909
5.9 - Medium
- August 12, 2024
Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.
Improper Validation of Integrity Check Value
File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files
CVE-2024-30188
8.1 - High
- August 12, 2024
File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue.
Improper Input Validation
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer
CVE-2024-41890
5.3 - Medium
- August 12, 2024
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.
Missing Release of Resource after Effective Lifetime
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer
CVE-2024-41888
5.3 - Medium
- August 12, 2024
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.
Missing Release of Resource after Effective Lifetime
CloudStack account-users by default use username and password based authentication for API and UI access
CVE-2024-42062
7.2 - High
- August 07, 2024
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.
AuthZ
In Apache CloudStack 4.19.1.0, a regression in the network listing API
CVE-2024-42222
4.3 - Medium
- August 07, 2024
In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data. Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.
Information Disclosure
** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench
CVE-2024-36448
7.3 - High
- August 05, 2024
** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench. This issue affects Apache IoTDB Workbench: from 0.13.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
XSPA
Incorrect Authorization vulnerability in Apache OFBiz
CVE-2024-38856
9.8 - Critical
- August 05, 2024
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
AuthZ
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB
CVE-2024-42447
9.8 - Critical
- August 05, 2024
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. * FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected) * FAB provider 1.2.0 affected all versions of Airflow. Users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue. Users who run Any Apache Airflow version and have FAB provider 1.2.0 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue. Also upgrading Apache Airflow to latest version available is recommended. Note: Early version of Airflow reference container images of Airflow 2.9.3 and constraint files contained FAB provider 1.2.1 version, but this is fixed in updated versions of the images. Users are advised to pull the latest Airflow images or reinstall FAB provider according to the current constraints.
Insufficient Session Expiration
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong
CVE-2024-36268
9.8 - Critical
- August 02, 2024
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/10251
Code Injection
In Apache Linkis <= 1.5.0
CVE-2024-27182
4.9 - Medium
- August 02, 2024
In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Users are recommended to upgrade to version 1.6.0, which fixes this issue.
Files or Directories Accessible to External Parties
Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers
CVE-2023-38522
7.5 - High
- July 26, 2024
Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
HTTP Request Smuggling
Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers
CVE-2024-35161
7.5 - High
- July 26, 2024
Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
HTTP Request Smuggling
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests
CVE-2024-35296
8.2 - High
- July 26, 2024
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
Improper Input Validation
Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms
CVE-2024-25090
5.4 - Medium
- July 26, 2024
Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3. This issue affects Apache Roller: from 5.0.0 before 6.1.3. Users are recommended to upgrade to version 6.1.3, which fixes the issue.
XSS
XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater
CVE-2023-48362
8.8 - High
- July 24, 2024
XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.
XXE
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot
CVE-2024-39676
7.5 - High
- July 24, 2024
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot. This issue affects Apache Pinot: from 0.1 before 1.0.0. Users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue. Details: When using a request to path /appconfigs to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the Role-based Access Control https://docs.pinot.apache.org/operators/tutorials/authentication/basic-auth-access-control , so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added.
When editing a user
CVE-2024-38503
5.4 - Medium
- July 22, 2024
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing Personal Information or User Requests. Users are recommended to upgrade to version 3.0.8, which fixes this issue.
XSS
On versions before 2.1.4, after a regular user successfully logs in, they
CVE-2024-34457
6.5 - Medium
- July 22, 2024
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4
Insecure Direct Object Reference / IDOR
For RocketMQ versions 5.2.0 and below
CVE-2024-23321
8.8 - High
- July 22, 2024
For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and authorization functions. An attacker, possessing regular user privileges or listed in the IP whitelist, could potentially acquire the administrator's account and password through specific interfaces. Such an action would grant them full control over RocketMQ, provided they have access to the broker IP address list. To mitigate these security threats, it is strongly advised that users upgrade to version 5.3.0 or newer. Additionally, we recommend users to use RocketMQ ACL 2.0 instead of the original RocketMQ ACL when upgrading to version Apache RocketMQ 5.3.0.
Information Disclosure
The CloudStack SAML authentication (disabled by default) does not enforce signature check
CVE-2024-41107
8.1 - High
- July 19, 2024
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account. Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.
Authentication Bypass by Spoofing
A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9
CVE-2024-29736
9.1 - Critical
- July 19, 2024
A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.
XSPA
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible
CVE-2024-41172
7.5 - High
- July 19, 2024
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory
Memory Leak
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9
CVE-2024-32007
7.5 - High
- July 19, 2024
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
On versions before 2.1.4
CVE-2024-29178
8.8 - High
- July 18, 2024
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4
Code Injection
SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context
CVE-2024-40898
7.5 - High
- July 18, 2024
SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue.
XSPA
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers
CVE-2024-40725
5.3 - Medium
- July 18, 2024
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
Exposure of Resource to Wrong Sphere
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes
CVE-2024-31411
8.8 - High
- July 17, 2024
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes. Such a dangerous type might be an executable file that may lead to a remote code execution (RCE). The unrestricted upload is only possible for authenticated and authorized users. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.
Unrestricted File Upload
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration
CVE-2024-30471
3.7 - Low
- July 17, 2024
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration. This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.
TOCTTOU
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements
CVE-2024-31979
4.3 - Medium
- July 17, 2024
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.
XSPA
In streampark, the project module integrates Maven's compilation capabilities
CVE-2023-52291
4.7 - Medium
- July 17, 2024
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args < operator causes command injection. e.g : < (curl http://xxx.com ) will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4, The "<" operator will blocked?
Command Injection
In streampark, the project module integrates Maven's compilation capabilities
CVE-2024-29737
4.7 - Medium
- July 17, 2024
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.4 Background info: Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, you will find that this injection command will be successfully executed after executing the build. In the latest version, the special symbol ` is intercepted.
Command Injection
Apache Airflow versions before 2.9.3 have a vulnerability
CVE-2024-39863
5.4 - Medium
- July 17, 2024
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
XSS
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability
CVE-2024-39877
8.8 - High
- July 17, 2024
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.
Code Injection
In Apache Linkis =1.4.0
CVE-2023-41916
6.5 - Medium
- July 15, 2024
In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected. We recommend users upgrade the version of Linkis to version 1.5.0.
Files or Directories Accessible to External Parties
In Apache Linkis <= 1.5.0
CVE-2023-46801
8.8 - High
- July 15, 2024
In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.
Marshaling, Unmarshaling
In Apache Linkis <=1.5.0
CVE-2023-49566
8.8 - High
- July 15, 2024
In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis <=1.5.0 will be affected. We recommend users upgrade the version of Linkis to version 1.6.0.
Marshaling, Unmarshaling
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration
CVE-2024-37389
5.4 - Medium
- July 08, 2024
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.
XSS
The CloudStack integration API service
CVE-2024-39864
9.8 - Critical
- July 05, 2024
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
Code Injection
The CloudStack cluster service runs on unauthenticated port (default 9090)
CVE-2024-38346
9.8 - Critical
- July 05, 2024
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access to the cluster service port (default 9090) on a CloudStack management server host to only its peer CloudStack management server hosts. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
Code Injection
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers
CVE-2024-39884
- July 04, 2024
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers
CVE-2024-39884
- July 04, 2024
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier
CVE-2024-38477
7.5 - High
- July 01, 2024
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
NULL Pointer Dereference
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution
CVE-2024-38476
9.8 - Critical
- July 01, 2024
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Inclusion of Functionality from Untrusted Control Sphere
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations
CVE-2024-38475
- July 01, 2024
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
Output Sanitization
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier
CVE-2024-38474
9.8 - Critical
- July 01, 2024
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
Output Sanitization
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier
CVE-2024-39573
- July 01, 2024
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Improper Input Validation
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier
CVE-2024-38473
- July 01, 2024
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Output Sanitization
SSRF in Apache HTTP Server on Windows
CVE-2024-38472
- July 01, 2024
SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference
CVE-2024-36387
- July 01, 2024
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
NULL Pointer Dereference
XSS in Upload page in Apache JSPWiki 2.12.1 and priors
CVE-2024-27136
6.1 - Medium
- June 24, 2024
XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later.
XSS
Apache Allura's neighborhood settings are vulnerable to a stored XSS attack
CVE-2024-38379
4.8 - Medium
- June 22, 2024
Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue.
XSS
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core
CVE-2024-36265
9.8 - Critical
- June 12, 2024
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AuthZ
** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils
CVE-2024-36264
9.8 - Critical
- June 12, 2024
** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Use of Hard-coded Credentials
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13
CVE-2024-32113
9.8 - Critical
- May 08, 2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.
Directory traversal
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server:
CVE-2024-27348
9.8 - Critical
- April 22, 2024
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator
CVE-2024-31391
- April 12, 2024
Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0. When asked to bootstrap Solr security, the operator will enable basic authentication and create several accounts for accessing Solr: including the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account which the operator uses for its own requests to Solr. One common source of these operator requests is healthchecks: liveness, readiness, and startup probes are all used to determine Solr's health and ability to receive traffic. By default, the operator configures the Solr APIs used for these probes to be exempt from authentication, but users may specifically request that authentication be required on probe endpoints as well. Whenever one of these probes would fail, if authentication was in use, the Solr Operator would create a Kubernetes "event" containing the username and password of the "k8s-oper" account. Within the affected version range, this vulnerability affects any solrcloud resource which (1) bootstrapped security through use of the `.solrOptions.security.authenticationType=basic` option, and (2) required authentication be used on probes by setting `.solrOptions.security.probesRequireAuth=true`. Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes this issue by ensuring that probes no longer print the credentials used for Solr requests. Users may also mitigate the vulnerability by disabling authentication on their healthcheck probes using the setting `.solrOptions.security.probesRequireAuth=false`.
Insertion of Sensitive Information into Log File
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response
CVE-2024-27316
7.5 - High
- April 04, 2024
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
Allocation of Resources Without Limits or Throttling
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response
CVE-2024-27316
7.5 - High
- April 04, 2024
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
Allocation of Resources Without Limits or Throttling
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker
CVE-2024-24795
- April 04, 2024
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses
CVE-2023-38709
- April 04, 2024
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.
Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3
CVE-2024-29735
- March 26, 2024
Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix group of the folders. In the case Airflow is run with the root user (not recommended) it added group write permission to all folders up to the root of the filesystem. If your log files are stored in the home directory, these permission changes might impact your ability to run SSH operations after your home directory becomes group-writeable. This issue does not affect users who use or extend Airflow using Official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ) - those images require to have group write permission set anyway. You are affected only if you install Airflow using local installation / virtualenv or other Docker images, but the issue has no impact if docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users. Also you should not be affected if your umask is 002 (group write enabled) - this is the default on many linux systems. Recommendation for users using Airflow outside of the containers: * if you are using root to run Airflow, change your Airflow user to use non-root * upgrade Apache Airflow to 2.8.4 or above * If you prefer not to upgrade, you can change the https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#file-task-handler-new-folder-permissions to 0o755 (original value 0o775). * if you already ran Airflow tasks before and your default umask is 022 (group write disabled) you should stop Airflow components, check permissions of AIRFLOW_HOME/logs in all your components and all parent directories of this directory and remove group write access for all the parent directories
Improper Preservation of Permissions
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat
CVE-2024-24549
- March 13, 2024
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Improper Input Validation
Apache Airflow, versions before 2.8.2, has a vulnerability
CVE-2024-26280
- March 01, 2024
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
Incorrect Default Permissions
Possible path traversal in Apache OFBiz allowing file inclusion
CVE-2024-23946
5.3 - Medium
- February 29, 2024
Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
Directory traversal
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement
CVE-2024-27315
- February 28, 2024
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
Generation of Error Message Containing Sensitive Information
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress:
CVE-2024-25710
5.5 - Medium
- February 19, 2024
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
Infinite Loop
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress:
CVE-2024-26308
5.5 - Medium
- February 19, 2024
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
Allocation of Resources Without Limits or Throttling
This is a duplicate for CVE-2023-46104
CVE-2024-23952
6.5 - Medium
- February 14, 2024
This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset. Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.
Resource Exhaustion
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality
CVE-2023-50386
8.8 - High
- February 09, 2024
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added: * Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader. * The Backup API restricts saving backups to directories that are used in the ClassLoader.
Improper Control of Dynamically-Managed Code Resources