Filtered by vendor Apache
Subscribe
Total
2238 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-28708 | 1 Apache | 1 Tomcat | 2023-11-07 | N/A | 4.3 MEDIUM |
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. | |||||
CVE-2023-28326 | 1 Apache | 1 Openmeetings | 2023-11-07 | N/A | 9.8 CRITICAL |
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room | |||||
CVE-2023-27296 | 1 Apache | 1 Inlong | 2023-11-07 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 | |||||
CVE-2023-26513 | 1 Apache | 1 Sling Resource Merger | 2023-11-07 | N/A | 7.5 HIGH |
Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2. | |||||
CVE-2023-25956 | 1 Apache | 1 Apache-airflow-providers-amazon | 2023-11-07 | N/A | 7.5 HIGH |
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1. | |||||
CVE-2023-25696 | 1 Apache | 1 Apache-airflow-providers-apache-hive | 2023-11-07 | N/A | 9.8 CRITICAL |
Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3. | |||||
CVE-2023-25695 | 1 Apache | 1 Airflow | 2023-11-07 | N/A | 5.3 MEDIUM |
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. | |||||
CVE-2023-25693 | 1 Apache | 1 Apache-airflow-providers-apache-sqoop | 2023-11-07 | N/A | 9.8 CRITICAL |
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. | |||||
CVE-2023-25692 | 1 Apache | 1 Apache-airflow-providers-google | 2023-11-07 | N/A | 7.5 HIGH |
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0. | |||||
CVE-2023-25691 | 1 Apache | 1 Apache-airflow-providers-google | 2023-11-07 | N/A | 9.8 CRITICAL |
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0. | |||||
CVE-2023-25621 | 1 Apache | 1 Sling I18n | 2023-11-07 | N/A | 6.5 MEDIUM |
Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to. As these translations are used across the whole product, it allows an author to change any text or dialog in the product. For example an attacker might fool someone by changing the text on a delete button to "Info". This issue affects the i18n module of Apache Sling up to version 2.5.18. Version 2.6.2 and higher limit by default i18m dictionaries to certain paths in the repository (/libs and /apps). Users of the module are advised to update to version 2.6.2 or higher, check the configuration for resource loading and then adjust the access permissions for the configured path accordingly. | |||||
CVE-2023-25197 | 1 Apache | 1 Fineract | 2023-11-07 | N/A | 6.3 MEDIUM |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components. This issue affects apache fineract: from 1.4 through 1.8.2. | |||||
CVE-2023-25196 | 1 Apache | 1 Fineract | 2023-11-07 | N/A | 4.3 MEDIUM |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2. | |||||
CVE-2023-25195 | 1 Apache | 1 Fineract | 2023-11-07 | N/A | 8.1 HIGH |
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3. | |||||
CVE-2023-25141 | 1 Apache | 1 Sling Jcr Base | 2023-11-07 | N/A | 7.5 HIGH |
Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI. Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK. | |||||
CVE-2023-24997 | 1 Apache | 1 Inlong | 2023-11-07 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7223 https://github.com/apache/inlong/pull/7223 to solve it. | |||||
CVE-2023-24977 | 1 Apache | 1 Inlong | 2023-11-07 | N/A | 7.5 HIGH |
Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7214 https://github.com/apache/inlong/pull/7214 to solve it. | |||||
CVE-2023-24830 | 1 Apache | 1 Iotdb | 2023-11-07 | N/A | 7.5 HIGH |
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3. | |||||
CVE-2023-24829 | 1 Apache | 1 Iotdb | 2023-11-07 | N/A | 8.8 HIGH |
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards. | |||||
CVE-2023-23638 | 1 Apache | 1 Dubbo | 2023-11-07 | N/A | 9.8 CRITICAL |
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. |