Filtered by vendor Apache
Subscribe
Total
2616 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22887 | 1 Apache | 1 Airflow | 2023-07-20 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected | |||||
| CVE-2022-46651 | 1 Apache | 1 Airflow | 2023-07-20 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability. | |||||
| CVE-2022-42009 | 1 Apache | 1 Ambari | 2023-07-20 | N/A | 8.8 HIGH |
| SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7. | |||||
| CVE-2022-45855 | 1 Apache | 1 Ambari | 2023-07-20 | N/A | 8.8 HIGH |
| SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7. | |||||
| CVE-2023-34442 | 1 Apache | 1 Camel | 2023-07-17 | N/A | 3.3 LOW |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel.This issue affects Apache Camel: from 3.X through <=3.14.8, from 3.18.X through <=3.18.7, from 3.20.X through <= 3.20.5, from 4.X through <= 4.0.0-M3. Users should upgrade to 3.14.9, 3.18.8, 3.20.6 or 3.21.0 and for users on Camel 4.x update to 4.0.0-M1 | |||||
| CVE-2022-25598 | 1 Apache | 1 Dolphinscheduler | 2023-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. | |||||
| CVE-2022-25763 | 3 Apache, Debian, Fedoraproject | 3 Traffic Server, Debian Linux, Fedora | 2023-07-12 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||||
| CVE-2022-26650 | 1 Apache | 1 Shenyu | 2023-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. | |||||
| CVE-2022-23913 | 2 Apache, Netapp | 3 Activemq Artemis, Active Iq Unified Manager, Oncommand Workflow Automation | 2023-07-07 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. | |||||
| CVE-2023-35798 | 1 Apache | 2 Apache-airflow-providers-microsoft-mssql, Apache-airflow-providers-odbc | 2023-07-06 | N/A | 4.3 MEDIUM |
| Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it. This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1. It is recommended to upgrade to a version that is not affected | |||||
| CVE-2022-29599 | 2 Apache, Debian | 2 Maven Shared Utils, Debian Linux | 2023-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. | |||||
| CVE-2021-37404 | 1 Apache | 1 Hadoop | 2023-06-27 | 7.5 HIGH | 9.8 CRITICAL |
| There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | |||||
| CVE-2022-45143 | 1 Apache | 1 Tomcat | 2023-06-27 | N/A | 7.5 HIGH |
| The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. | |||||
| CVE-2023-35005 | 1 Apache | 1 Airflow | 2023-06-27 | N/A | 6.5 MEDIUM |
| In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later. | |||||
| CVE-2022-25168 | 1 Apache | 1 Hadoop | 2023-06-26 | N/A | 9.8 CRITICAL |
| Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136). | |||||
| CVE-2010-5312 | 6 Apache, Debian, Drupal and 3 more | 6 Drill, Debian Linux, Drupal and 3 more | 2023-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. | |||||
| CVE-2023-30575 | 1 Apache | 1 Guacamole | 2023-06-15 | N/A | 7.5 HIGH |
| Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data. | |||||
| CVE-2023-30776 | 1 Apache | 1 Superset | 2023-06-15 | N/A | 6.5 MEDIUM |
| An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1. | |||||
| CVE-2023-30576 | 1 Apache | 1 Guacamole | 2023-06-14 | N/A | 8.1 HIGH |
| Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process. | |||||
| CVE-2023-30601 | 1 Apache | 1 Cassandra | 2023-06-05 | N/A | 7.8 HIGH |
| Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. WORKAROUND The vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users. MITIGATION Upgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false. | |||||