Filtered by vendor Apache
Subscribe
Total
526 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-26268 | 2 Apache, Ibm | 2 Couchdb, Cloudant | 2023-12-10 | N/A | 5.3 MEDIUM |
Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment. | |||||
CVE-2023-25196 | 1 Apache | 1 Fineract | 2023-12-10 | N/A | 4.3 MEDIUM |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2. | |||||
CVE-2023-25504 | 1 Apache | 1 Superset | 2023-12-10 | N/A | 6.5 MEDIUM |
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1. | |||||
CVE-2023-31101 | 1 Apache | 1 Inlong | 2023-12-10 | N/A | 6.5 MEDIUM |
Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.6.0. Users registered in InLong who joined later can see deleted users' data. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 https://github.com/apache/inlong/pull/7836 to solve it. | |||||
CVE-2022-46769 | 1 Apache | 1 Sling Cms | 2023-12-10 | N/A | 5.4 MEDIUM |
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature. Upgrade to Apache Sling App CMS >= 1.1.4 | |||||
CVE-2022-37436 | 1 Apache | 1 Http Server | 2023-12-10 | N/A | 5.3 MEDIUM |
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. | |||||
CVE-2022-40743 | 1 Apache | 1 Traffic Server | 2023-12-10 | N/A | 6.1 MEDIUM |
Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions. | |||||
CVE-2021-28655 | 1 Apache | 1 Zeppelin | 2023-12-10 | N/A | 6.5 MEDIUM |
The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. | |||||
CVE-2022-45910 | 1 Apache | 1 Manifoldcf | 2023-12-10 | N/A | 5.3 MEDIUM |
Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries, filter manipulation) during user lookup, if the username or the domain string are passed to the UserACLs servlet without validation. This issue affects Apache ManifoldCF version 2.23 and prior versions. | |||||
CVE-2021-37533 | 2 Apache, Debian | 2 Commons Net, Debian Linux | 2023-12-10 | N/A | 6.5 MEDIUM |
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. | |||||
CVE-2022-43717 | 1 Apache | 1 Superset | 2023-12-10 | N/A | 5.4 MEDIUM |
Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
CVE-2022-43721 | 1 Apache | 1 Superset | 2023-12-10 | N/A | 5.4 MEDIUM |
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
CVE-2022-32531 | 1 Apache | 1 Bookkeeper | 2023-12-10 | N/A | 5.9 MEDIUM |
The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1. | |||||
CVE-2022-41703 | 1 Apache | 1 Superset | 2023-12-10 | N/A | 5.4 MEDIUM |
A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
CVE-2023-25621 | 1 Apache | 1 Sling I18n | 2023-12-10 | N/A | 6.5 MEDIUM |
Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to. As these translations are used across the whole product, it allows an author to change any text or dialog in the product. For example an attacker might fool someone by changing the text on a delete button to "Info". This issue affects the i18n module of Apache Sling up to version 2.5.18. Version 2.6.2 and higher limit by default i18m dictionaries to certain paths in the repository (/libs and /apps). Users of the module are advised to update to version 2.6.2 or higher, check the configuration for resource loading and then adjust the access permissions for the configured path accordingly. | |||||
CVE-2022-45787 | 1 Apache | 1 James | 2023-12-10 | N/A | 5.5 MEDIUM |
Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or later. | |||||
CVE-2022-47500 | 1 Apache | 1 Helix | 2023-12-10 | N/A | 6.1 MEDIUM |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component.This issue affects Apache Helix all releases from 0.8.0 to 1.0.4. Solution: removed the the forward component since it was improper designed for UI embedding. User please upgrade to 1.1.0 to fix this issue. | |||||
CVE-2022-44644 | 1 Apache | 1 Linkis | 2023-12-10 | N/A | 6.5 MEDIUM |
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1 | |||||
CVE-2022-46870 | 1 Apache | 1 Zeppelin | 2023-12-10 | N/A | 5.4 MEDIUM |
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin. | |||||
CVE-2022-37392 | 1 Apache | 1 Traffic Server | 2023-12-10 | N/A | 5.3 MEDIUM |
Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. |