Apache Apache The Apache Software Foundation

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Apache product.

Products by Apache Sorted by Most Security Vulnerabilities since 2018

Apache HTTP Server258 vulnerabilities

Apache Tomcat123 vulnerabilities
JEE Compliant Servlet Container

Apache AirFlow93 vulnerabilities

Apache Traffic Server56 vulnerabilities

Apache OpenOffice47 vulnerabilities

Apache Superset46 vulnerabilities

Apache CXF39 vulnerabilities

Apache Solr34 vulnerabilities
Search engine written in java

Apache OFBiz34 vulnerabilities

Apache NiFi29 vulnerabilities

Apache InLong26 vulnerabilities

Apache Struts24 vulnerabilities

Apache Tika22 vulnerabilities

Apache JSPWiki22 vulnerabilities

Apache ActiveMQ20 vulnerabilities

Apache Hadoop19 vulnerabilities

Apache Dubbo19 vulnerabilities

Apache Spark17 vulnerabilities

Apache Kylin16 vulnerabilities

Apache DolphinScheduler15 vulnerabilities

Apache Camel14 vulnerabilities

Apache Log4j14 vulnerabilities

Apache Zookeeper13 vulnerabilities

Apache Plusar13 vulnerabilities

Apache Shiro13 vulnerabilities

Apache Hive12 vulnerabilities

Apache CloudStack12 vulnerabilities

Apache Guacamole12 vulnerabilities

Apache Linkis12 vulnerabilities

Apache Commons Compress11 vulnerabilities

Apache Iotdb11 vulnerabilities

Apache Kafka11 vulnerabilities

Apache Karaf11 vulnerabilities

Apache Fineract11 vulnerabilities

Apache Geode11 vulnerabilities

Apache Ozone10 vulnerabilities

Apache Tapestry10 vulnerabilities

Apache James10 vulnerabilities

Apache Activemq Artemis9 vulnerabilities

Apache Subversion9 vulnerabilities

Apache Syncope9 vulnerabilities

Apache Shenyu9 vulnerabilities

Apache Tomee9 vulnerabilities

Apache Streampark9 vulnerabilities

Apache Druid9 vulnerabilities

Apache Spamassassin9 vulnerabilities

Apache Qpid Broker J8 vulnerabilities

Apache Storm8 vulnerabilities

Apache Archiva8 vulnerabilities

Apache Batik8 vulnerabilities

Apache Cassandra8 vulnerabilities

Apache Couchdb8 vulnerabilities

Apache Pluto7 vulnerabilities

Apache Thrift7 vulnerabilities

Apache Ambari7 vulnerabilities

Apache Portable Runtime7 vulnerabilities

Apache Drill7 vulnerabilities

Apache Zeppelin7 vulnerabilities

Apache Openmeetings7 vulnerabilities

Apache Traffic Control6 vulnerabilities

Apache Apisix6 vulnerabilities

Apache Roller6 vulnerabilities

Apache Apr Util6 vulnerabilities

Apache Avro6 vulnerabilities

Apache Bookkeeper6 vulnerabilities

Apache Commons Jxpath6 vulnerabilities

Apache Allura5 vulnerabilities

Apache Httpclient5 vulnerabilities

Apache Axis5 vulnerabilities

Apache Hertzbeat5 vulnerabilities

Apache Commons Fileupload5 vulnerabilities

Apache Xerces C5 vulnerabilities

Apache Ranger5 vulnerabilities

Apache Jena4 vulnerabilities

Apache Any234 vulnerabilities

Apache Qpid4 vulnerabilities

Apache Sling Cms4 vulnerabilities

Apache Sshd4 vulnerabilities

Apache Streampipes4 vulnerabilities

Apache Submarine4 vulnerabilities

Apache Openoffice Org4 vulnerabilities

Apache RocketMQ4 vulnerabilities

Apache Groovy4 vulnerabilities

Apache Mina3 vulnerabilities

Apache Ivy3 vulnerabilities

Apache Atlas3 vulnerabilities

Apache Brpc3 vulnerabilities

Apache Commons Beanutils3 vulnerabilities

Recent Apache Security Advisories

Advisory Title Published
2.4.62 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.62 July 17, 2024
2.4.61 Vulnerability Fixed in Apache HTTP Server 2.4.61 July 16, 2024
2.4.60 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.60 July 15, 2024
2.4.59 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.59 April 4, 2024
2.4.58 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.58 October 19, 2023
2.4.56 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.56 March 7, 2023
2.4.55 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.55 January 17, 2023
2.4.54 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.54 June 8, 2022
2.4.53 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.53 March 14, 2022
2.4.52 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.52 December 20, 2021

Known Exploited Apache Vulnerabilities

The following Apache vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Apache HugeGraph-Server Improper Access Control Vulnerability Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. CVE-2024-27348 September 18, 2024
Apache OFBiz Incorrect Authorization Vulnerability Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. CVE-2024-38856 August 27, 2024
Apache OFBiz Path Traversal Vulnerability Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. CVE-2024-32113 August 7, 2024
Apache Flink Improper Access Control Vulnerability Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. CVE-2020-17519 May 23, 2024
Apache Superset Insecure Default Initialization of Resource Vulnerability Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions. CVE-2023-27524 January 8, 2024
Apache ActiveMQ Deserialization of Untrusted Data Vulnerability Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. CVE-2023-46604 November 2, 2023
Apache RocketMQ Command Execution Vulnerability Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as or achieve the same effect by forging the RocketMQ protocol content. CVE-2023-33246 September 6, 2023
Apache Tomcat Remote Code Execution Vulnerability Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types. CVE-2016-8735 May 12, 2023
Apache Log4j2 Deserialization of Untrusted Data Vulnerability Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. CVE-2021-45046 May 1, 2023
Apache Spark Command Injection Vulnerability Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. CVE-2022-33891 March 7, 2023
Apache CouchDB Insecure Default Initialization of Resource Vulnerability Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. CVE-2022-24706 August 25, 2022
Apache APISIX Authentication Bypass Vulnerability Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. CVE-2022-24112 August 25, 2022
Apache Struts Improper Input Validation Vulnerability Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions. CVE-2013-2251 March 25, 2022
Apache Tomcat on Windows Remote Code Execution Vulnerability When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12615 March 25, 2022
Apache Kylin OS Command Injection Vulnerability Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution. CVE-2020-1956 March 25, 2022
Apache Tomcat Remote Code Execution Vulnerability When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12617 March 25, 2022
Apache Tomcat Improper Privilege Management Vulnerability Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited. CVE-2020-1938 March 3, 2022
Apache Struts 1 Improper Input Validation Vulnerability The Struts 1 plugin in Apache Struts might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. CVE-2017-9791 February 10, 2022
Apache ActiveMQ Improper Input Validation Vulnerability The Fileserver web application in Apache ActiveMQ allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request CVE-2016-3088 February 10, 2022
Apache Struts 1 ActionForm Denial-of-Service Vulnerability ActionForm in Apache Struts versions before 1.2.9 with BeanUtils 1.7 contains a vulnerability which allows for denial-of-service. CVE-2006-1547 January 21, 2022

By the Year

In 2024 there have been 120 vulnerabilities in Apache with an average score of 7.3 out of ten. Last year Apache had 265 security vulnerabilities published. Right now, Apache is on track to have less security vulnerabilities in 2024 than it did last year. Last year, the average CVE base score was greater by 0.15

Year Vulnerabilities Average Score
2024 120 7.31
2023 265 7.46
2022 224 7.64
2021 201 7.52
2020 158 7.59
2019 158 7.28
2018 144 7.26

It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Security Vulnerabilities

Account users in Apache CloudStack by default are

CVE-2024-50386 - November 12, 2024

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives. for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done For checking the whole template/volume features of each disk, operators can run the following command: for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done

Improper Input Validation

Airflow Audit Log Sensitive Data Exposure before 2.10.3 - November 2024

CVE-2024-50378 - November 08, 2024

Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.

Insertion of Sensitive Information Into Sent Data

ZooKeeper 3.9 IP Spoofing Auth Bypass

CVE-2024-51504 - November 07, 2024

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.

Authentication Bypass by Spoofing

Apache Tomcat TLS Handshake DoS

CVE-2024-38286 - November 07, 2024

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Allocation of Resources Without Limits or Throttling

Apache Kylin Session Fixation Vulnerability in Authentication Module

CVE-2024-23590 - November 04, 2024

Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.

Session Fixation

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration

CVE-2024-45477 4.6 - Medium - October 29, 2024

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

XSS

The CloudStack Quota feature

CVE-2024-45461 6.3 - Medium - October 16, 2024

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".

AuthZ

The logout operation in the CloudStack web interface does not expire the user session completely

CVE-2024-45462 7.1 - High - October 16, 2024

The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

Insufficient Session Expiration

Users logged into the Apache CloudStack's web interface

CVE-2024-45693 8.8 - High - October 16, 2024

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1 Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

Session Riding

Improper Authentication vulnerability in Apache Solr

CVE-2024-45216 - October 16, 2024

Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.

authentification

Insecure Default Initialization of Resource vulnerability in Apache Solr

CVE-2024-45217 - October 16, 2024

Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized. This issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization. Users are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.

Insecure Default Initialization of Resource

Apache ActiveMQ Artemis

CVE-2023-50780 8.8 - High - October 14, 2024

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE. Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.

Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator

CVE-2024-45772 8 - High - September 30, 2024

Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.

Marshaling, Unmarshaling

Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-47197 7.5 - High - September 26, 2024

Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials. When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.

Insecure Storage of Sensitive Information

Apache Hadoops RunJar.run() does not set permissions for temporary directory by default

CVE-2024-23454 - September 25, 2024

Apache Hadoops RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.

Improper Privilege Management

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors

CVE-2024-46544 - September 23, 2024

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue.

Incorrect Default Permissions

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j

CVE-2024-45384 5.3 - Medium - September 17, 2024

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.

Apache Druid allows users with certain permissions to read data from other database systems using JDBC

CVE-2024-45537 6.5 - Medium - September 17, 2024

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list. Users without the permission to configure JDBC connections are not able to exploit this vulnerability. CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2. This issue is fixed in Apache Druid 30.0.1.

Improper Input Validation

Deserialization of Untrusted Data vulnerability in Apache Seata

CVE-2024-22399 9.8 - Critical - September 16, 2024

Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.

Marshaling, Unmarshaling

Apache Airflow versions before 2.10.1 have a vulnerability

CVE-2024-45034 - September 07, 2024

Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability

CVE-2024-45498 - September 07, 2024

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Output Sanitization

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz

CVE-2024-45195 7.5 - High - September 04, 2024

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

forced browsing

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz

CVE-2024-45507 9.8 - Critical - September 04, 2024

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

Code Injection

D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary

CVE-2024-45623 - September 02, 2024

D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache HTTP Server (httpd). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Lax permissions set by the Apache Portable Runtime library on Unix platforms would

CVE-2023-49582 5.5 - Medium - August 26, 2024

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

Incorrect Permission Assignment for Critical Resource

Apache Airflow, versions before 2.10.0, have a vulnerability

CVE-2024-41937 6.1 - Medium - August 21, 2024

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.

XSS

Mysql security vulnerability in Apache SeaTunnel

CVE-2023-49198 7.5 - High - August 21, 2024

Mysql security vulnerability in Apache SeaTunnel. Attackers can read files on the MySQL server by modifying the information in the MySQL URL allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360 This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version [1.0.1], which fixes the issue.

Files or Directories Accessible to External Parties

Hertzbeat is an open source, real-time monitoring system

CVE-2024-42362 8.8 - High - August 20, 2024

Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.

Marshaling, Unmarshaling

Hertzbeat is an open source, real-time monitoring system

CVE-2024-42361 9.8 - Critical - August 20, 2024

Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.

SQL Injection

An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra

CVE-2024-38175 9.6 - Critical - August 20, 2024

An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra allows an authenticated attacker to elevate privileges over a network.

Authorization

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795

CVE-2024-41909 5.9 - Medium - August 12, 2024

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.

Improper Validation of Integrity Check Value

File read and write vulnerability in Apache DolphinScheduler ,  authenticated users can illegally access additional resource files

CVE-2024-30188 8.1 - High - August 12, 2024

File read and write vulnerability in Apache DolphinScheduler ,  authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue.

Improper Input Validation

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer

CVE-2024-41890 5.3 - Medium - August 12, 2024

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.

Missing Release of Resource after Effective Lifetime

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer

CVE-2024-41888 5.3 - Medium - August 12, 2024

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.

Missing Release of Resource after Effective Lifetime

CloudStack account-users by default use username and password based authentication for API and UI access

CVE-2024-42062 7.2 - High - August 07, 2024

CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.

AuthZ

In Apache CloudStack 4.19.1.0, a regression in the network listing API

CVE-2024-42222 4.3 - Medium - August 07, 2024

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data. Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.

Information Disclosure

** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench

CVE-2024-36448 7.3 - High - August 05, 2024

** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench. This issue affects Apache IoTDB Workbench: from 0.13.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

XSPA

Incorrect Authorization vulnerability in Apache OFBiz

CVE-2024-38856 9.8 - Critical - August 05, 2024

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

AuthZ

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB

CVE-2024-42447 9.8 - Critical - August 05, 2024

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out.   * FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected) * FAB provider 1.2.0 affected all versions of Airflow. Users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue. Users who run Any Apache Airflow version and have FAB provider 1.2.0 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue. Also upgrading Apache Airflow to latest version available is recommended. Note: Early version of Airflow reference container images of Airflow 2.9.3 and constraint files contained FAB provider 1.2.1 version, but this is fixed in updated versions of the images.  Users are advised to pull the latest Airflow images or reinstall FAB provider according to the current constraints.

Insufficient Session Expiration

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong

CVE-2024-36268 9.8 - Critical - August 02, 2024

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/10251

Code Injection

In Apache Linkis <= 1.5.0

CVE-2024-27182 4.9 - Medium - August 02, 2024

In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Users are recommended to upgrade to version 1.6.0, which fixes this issue.

Files or Directories Accessible to External Parties

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers

CVE-2023-38522 7.5 - High - July 26, 2024

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

HTTP Request Smuggling

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers

CVE-2024-35161 7.5 - High - July 26, 2024

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

HTTP Request Smuggling

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests

CVE-2024-35296 8.2 - High - July 26, 2024

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Improper Input Validation

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms

CVE-2024-25090 5.4 - Medium - July 26, 2024

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3. This issue affects Apache Roller: from 5.0.0 before 6.1.3. Users are recommended to upgrade to version 6.1.3, which fixes the issue.

XSS

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater

CVE-2023-48362 8.8 - High - July 24, 2024

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.

XXE

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot

CVE-2024-39676 7.5 - High - July 24, 2024

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot. This issue affects Apache Pinot: from 0.1 before 1.0.0. Users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue. Details:  When using a request to path /appconfigs to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the Role-based Access Control https://docs.pinot.apache.org/operators/tutorials/authentication/basic-auth-access-control , so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added.

When editing a user

CVE-2024-38503 5.4 - Medium - July 22, 2024

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing Personal Information or User Requests. Users are recommended to upgrade to version 3.0.8, which fixes this issue.

XSS

On versions before 2.1.4, after a regular user successfully logs in, they

CVE-2024-34457 6.5 - Medium - July 22, 2024

On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4

Insecure Direct Object Reference / IDOR

For RocketMQ versions 5.2.0 and below

CVE-2024-23321 8.8 - High - July 22, 2024

For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and authorization functions. An attacker, possessing regular user privileges or listed in the IP whitelist, could potentially acquire the administrator's account and password through specific interfaces. Such an action would grant them full control over RocketMQ, provided they have access to the broker IP address list. To mitigate these security threats, it is strongly advised that users upgrade to version 5.3.0 or newer. Additionally, we recommend users to use RocketMQ ACL 2.0 instead of the original RocketMQ ACL when upgrading to version Apache RocketMQ 5.3.0.

Information Disclosure

The CloudStack SAML authentication (disabled by default) does not enforce signature check

CVE-2024-41107 8.1 - High - July 19, 2024

The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account. Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.

Authentication Bypass by Spoofing

A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9

CVE-2024-29736 9.1 - Critical - July 19, 2024

A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.

XSPA

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible

CVE-2024-41172 7.5 - High - July 19, 2024

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory

Memory Leak

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 

CVE-2024-32007 7.5 - High - July 19, 2024

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token. 

On versions before 2.1.4

CVE-2024-29178 8.8 - High - July 18, 2024

On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4

Code Injection

SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context

CVE-2024-40898 7.5 - High - July 18, 2024

SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue. 

XSPA

A partial fix for  CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers

CVE-2024-40725 5.3 - Medium - July 18, 2024

A partial fix for  CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.

Exposure of Resource to Wrong Sphere

Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes

CVE-2024-31411 8.8 - High - July 17, 2024

Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes. Such a dangerous type might be an executable file that may lead to a remote code execution (RCE). The unrestricted upload is only possible for authenticated and authorized users. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Unrestricted File Upload

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration

CVE-2024-30471 3.7 - Low - July 17, 2024

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration. This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

TOCTTOU

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements

CVE-2024-31979 4.3 - Medium - July 17, 2024

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

XSPA

In streampark, the project module integrates Maven's compilation capabilities

CVE-2023-52291 4.7 - Medium - July 17, 2024

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  < operator causes command injection. e.g : < (curl  http://xxx.com ) will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked?

Command Injection

In streampark, the project module integrates Maven's compilation capabilities

CVE-2024-29737 4.7 - Medium - July 17, 2024

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.4 Background info: Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, you will find that this injection command will be successfully executed after executing the build. In the latest version, the special symbol ` is intercepted.

Command Injection

Apache Airflow versions before 2.9.3 have a vulnerability

CVE-2024-39863 5.4 - Medium - July 17, 2024

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.

XSS

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability

CVE-2024-39877 8.8 - High - July 17, 2024

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

Code Injection

In Apache Linkis =1.4.0

CVE-2023-41916 6.5 - Medium - July 15, 2024

In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected.  We recommend users upgrade the version of Linkis to version 1.5.0.

Files or Directories Accessible to External Parties

In Apache Linkis <= 1.5.0

CVE-2023-46801 8.8 - High - July 15, 2024

In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.  We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.

Marshaling, Unmarshaling

In Apache Linkis <=1.5.0

CVE-2023-49566 8.8 - High - July 15, 2024

In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.  This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis <=1.5.0 will be affected. We recommend users upgrade the version of Linkis to version 1.6.0.

Marshaling, Unmarshaling

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration

CVE-2024-37389 5.4 - Medium - July 08, 2024

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

XSS

The CloudStack integration API service

CVE-2024-39864 9.8 - Critical - July 05, 2024

The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.

Code Injection

The CloudStack cluster service runs on unauthenticated port (default 9090)

CVE-2024-38346 9.8 - Critical - July 05, 2024

The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access to the cluster service port (default 9090) on a CloudStack management server host to only its peer CloudStack management server hosts. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.

Code Injection

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers

CVE-2024-39884 - July 04, 2024

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers

CVE-2024-39884 - July 04, 2024

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38477 7.5 - High - July 01, 2024

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

NULL Pointer Dereference

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution

CVE-2024-38476 9.8 - Critical - July 01, 2024

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Inclusion of Functionality from Untrusted Control Sphere

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations

CVE-2024-38475 - July 01, 2024

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

Output Sanitization

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38474 9.8 - Critical - July 01, 2024

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Output Sanitization

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier

CVE-2024-39573 - July 01, 2024

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Improper Input Validation

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38473 - July 01, 2024

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Output Sanitization

SSRF in Apache HTTP Server on Windows

CVE-2024-38472 - July 01, 2024

SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue.  Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference

CVE-2024-36387 - July 01, 2024

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

NULL Pointer Dereference

XSS in Upload page in Apache JSPWiki 2.12.1 and priors

CVE-2024-27136 6.1 - Medium - June 24, 2024

XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later.

XSS

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack

CVE-2024-38379 4.8 - Medium - June 22, 2024

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack.  Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue.

XSS

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core

CVE-2024-36265 9.8 - Critical - June 12, 2024

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

AuthZ

** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils

CVE-2024-36264 9.8 - Critical - June 12, 2024

** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Use of Hard-coded Credentials

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13

CVE-2024-32113 9.8 - Critical - May 08, 2024

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.

Directory traversal

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server:

CVE-2024-27348 9.8 - Critical - April 22, 2024

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator

CVE-2024-31391 - April 12, 2024

Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0. When asked to bootstrap Solr security, the operator will enable basic authentication and create several accounts for accessing Solr: including the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account which the operator uses for its own requests to Solr. One common source of these operator requests is healthchecks: liveness, readiness, and startup probes are all used to determine Solr's health and ability to receive traffic. By default, the operator configures the Solr APIs used for these probes to be exempt from authentication, but users may specifically request that authentication be required on probe endpoints as well. Whenever one of these probes would fail, if authentication was in use, the Solr Operator would create a Kubernetes "event" containing the username and password of the "k8s-oper" account. Within the affected version range, this vulnerability affects any solrcloud resource which (1) bootstrapped security through use of the `.solrOptions.security.authenticationType=basic` option, and (2) required authentication be used on probes by setting `.solrOptions.security.probesRequireAuth=true`. Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes this issue by ensuring that probes no longer print the credentials used for Solr requests.  Users may also mitigate the vulnerability by disabling authentication on their healthcheck probes using the setting `.solrOptions.security.probesRequireAuth=false`.

Insertion of Sensitive Information into Log File

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response

CVE-2024-27316 7.5 - High - April 04, 2024

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Allocation of Resources Without Limits or Throttling

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response

CVE-2024-27316 7.5 - High - April 04, 2024

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Allocation of Resources Without Limits or Throttling

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker

CVE-2024-24795 - April 04, 2024

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses

CVE-2023-38709 - April 04, 2024

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3

CVE-2024-29735 - March 26, 2024

Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix group of the folders. In the case Airflow is run with the root user (not recommended) it added group write permission to all folders up to the root of the filesystem. If your log files are stored in the home directory, these permission changes might impact your ability to run SSH operations after your home directory becomes group-writeable. This issue does not affect users who use or extend Airflow using Official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ) - those images require to have group write permission set anyway. You are affected only if you install Airflow using local installation / virtualenv or other Docker images, but the issue has no impact if docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users. Also you should not be affected if your umask is 002 (group write enabled) - this is the default on many linux systems. Recommendation for users using Airflow outside of the containers: * if you are using root to run Airflow, change your Airflow user to use non-root * upgrade Apache Airflow to 2.8.4 or above * If you prefer not to upgrade, you can change the https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#file-task-handler-new-folder-permissions  to 0o755 (original value 0o775). * if you already ran Airflow tasks before and your default umask is 022 (group write disabled) you should stop Airflow components, check permissions of AIRFLOW_HOME/logs in all your components and all parent directories of this directory and remove group write access for all the parent directories

Improper Preservation of Permissions

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat

CVE-2024-24549 - March 13, 2024

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Improper Input Validation

Apache Airflow, versions before 2.8.2, has a vulnerability

CVE-2024-26280 - March 01, 2024

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Incorrect Default Permissions

Possible path traversal in Apache OFBiz allowing file inclusion

CVE-2024-23946 5.3 - Medium - February 29, 2024

Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.

Directory traversal

An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement

CVE-2024-27315 - February 28, 2024

An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Generation of Error Message Containing Sensitive Information

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress:

CVE-2024-25710 5.5 - Medium - February 19, 2024

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Infinite Loop

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress:

CVE-2024-26308 5.5 - Medium - February 19, 2024

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

Allocation of Resources Without Limits or Throttling

This is a duplicate for CVE-2023-46104

CVE-2024-23952 6.5 - Medium - February 14, 2024

This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset. Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets.   This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.

Resource Exhaustion

Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality

CVE-2023-50386 8.8 - High - February 09, 2024

Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added: * Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader. * The Backup API restricts saving backups to directories that are used in the ClassLoader.

Improper Control of Dynamically-Managed Code Resources

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.