Filtered by vendor Apache
Subscriptions
Total
2398 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-27603 | 1 Apache | 1 Linkis | 2024-11-21 | 9.8 Critical |
| In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. We recommend users upgrade the version of Linkis to version 1.3.2. | ||||
| CVE-2023-27526 | 1 Apache | 1 Superset | 2024-11-21 | 4.3 Medium |
| A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. | ||||
| CVE-2023-27525 | 1 Apache | 1 Superset | 2024-11-21 | 3.1 Low |
| An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1 | ||||
| CVE-2023-27523 | 1 Apache | 1 Superset | 2024-11-21 | 5 Medium |
| Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to. | ||||
| CVE-2023-27296 | 1 Apache | 1 Inlong | 2024-11-21 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 | ||||
| CVE-2023-26512 | 4 Apache, Apple, Linux and 1 more | 4 Eventmesh, Macos, Linux Kernel and 1 more | 2024-11-21 | 9.8 Critical |
| CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible. | ||||
| CVE-2023-26268 | 2 Apache, Ibm | 2 Couchdb, Cloudant | 2024-11-21 | 4.4 Medium |
| Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment. | ||||
| CVE-2023-25956 | 1 Apache | 1 Apache-airflow-providers-amazon | 2024-11-21 | 7.5 High |
| Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1. | ||||
| CVE-2023-25753 | 1 Apache | 1 Shenyu | 2024-11-21 | 6.5 Medium |
| There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. This issue affects Apache ShenYu: 2.5.1. Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 . | ||||
| CVE-2023-25696 | 1 Apache | 1 Apache-airflow-providers-apache-hive | 2024-11-21 | 9.8 Critical |
| Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3. | ||||
| CVE-2023-25613 | 1 Apache | 1 Identity Backend | 2024-11-21 | 9.8 Critical |
| An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. | ||||
| CVE-2023-25197 | 1 Apache | 1 Fineract | 2024-11-21 | 6.3 Medium |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components. This issue affects apache fineract: from 1.4 through 1.8.2. | ||||
| CVE-2023-25196 | 1 Apache | 1 Fineract | 2024-11-21 | 4.3 Medium |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2. | ||||
| CVE-2023-25195 | 1 Apache | 1 Fineract | 2024-11-21 | 8.1 High |
| Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3. | ||||
| CVE-2023-24977 | 1 Apache | 1 Inlong | 2024-11-21 | 7.5 High |
| Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7214 https://github.com/apache/inlong/pull/7214 to solve it. | ||||
| CVE-2023-24831 | 1 Apache | 1 Iotdb | 2024-11-21 | 9.8 Critical |
| Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4. | ||||
| CVE-2023-24830 | 1 Apache | 1 Iotdb | 2024-11-21 | 7.5 High |
| Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3. | ||||
| CVE-2023-24829 | 1 Apache | 1 Iotdb | 2024-11-21 | 8.8 High |
| Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards. | ||||
| CVE-2023-23638 | 1 Apache | 1 Dubbo | 2024-11-21 | 5 Medium |
| A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. | ||||
| CVE-2023-22946 | 1 Apache | 1 Spark | 2024-11-21 | 6.4 Medium |
| In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications. | ||||