Filtered by vendor Apache
Subscriptions
Total
2321 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-44635 | 1 Apache | 1 Fineract | 2024-08-03 | 8.8 High |
| Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1. | ||||
| CVE-2022-44645 | 1 Apache | 1 Linkis | 2024-08-03 | 8.8 High |
| In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1. | ||||
| CVE-2022-44621 | 1 Apache | 1 Kylin | 2024-08-03 | 9.8 Critical |
| Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. | ||||
| CVE-2022-44644 | 1 Apache | 1 Linkis | 2024-08-03 | 6.5 Medium |
| In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1 | ||||
| CVE-2022-43982 | 1 Apache | 1 Airflow | 2024-08-03 | 6.1 Medium |
| In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | ||||
| CVE-2022-43985 | 1 Apache | 1 Airflow | 2024-08-03 | 6.1 Medium |
| In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | ||||
| CVE-2022-43720 | 1 Apache | 1 Superset | 2024-08-03 | 5.4 Medium |
| An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | ||||
| CVE-2022-43721 | 1 Apache | 1 Superset | 2024-08-03 | 5.4 Medium |
| An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | ||||
| CVE-2022-43718 | 1 Apache | 1 Superset | 2024-08-03 | 5.4 Medium |
| Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | ||||
| CVE-2022-43766 | 1 Apache | 1 Iotdb | 2024-08-03 | 7.5 High |
| Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it. | ||||
| CVE-2022-43719 | 1 Apache | 1 Superset | 2024-08-03 | 8.8 High |
| Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | ||||
| CVE-2022-43717 | 1 Apache | 1 Superset | 2024-08-03 | 5.4 Medium |
| Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | ||||
| CVE-2022-43670 | 1 Apache | 1 Sling Cms | 2024-08-03 | 5.4 Medium |
| An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature. | ||||
| CVE-2022-43396 | 1 Apache | 1 Kylin | 2024-08-03 | 8.8 High |
| In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf. | ||||
| CVE-2022-42920 | 3 Apache, Fedoraproject, Redhat | 10 Commons Bcel, Fedora, Amq Streams and 7 more | 2024-08-03 | 9.8 Critical |
| Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0. | ||||
| CVE-2022-42890 | 3 Apache, Debian, Redhat | 4 Batik, Debian Linux, Camel Spring Boot and 1 more | 2024-08-03 | 7.5 High |
| A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16. | ||||
| CVE-2022-42889 | 4 Apache, Juniper, Netapp and 1 more | 20 Commons Text, Jsa1500, Jsa3500 and 17 more | 2024-08-03 | 9.8 Critical |
| Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. | ||||
| CVE-2022-40705 | 1 Apache | 1 Soap | 2024-08-03 | 7.5 High |
| An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | ||||
| CVE-2022-42735 | 1 Apache | 1 Shenyu | 2024-08-03 | 8.8 High |
| Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 . | ||||
| CVE-2022-42467 | 1 Apache | 1 Isis | 2024-08-03 | 5.3 Medium |
| When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of 2.0.0-M8, this can now be done using the 'isis.prototyping.h2-console.web-allow-remote-access' configuration property; the web console will be unavailable without setting this configuration. As an additional safeguard, the new 'isis.prototyping.h2-console.generate-random-web-admin-password' configuration parameter (enabled by default) requires that the administrator use a randomly generated password to use the console. The password is printed to the log, as "webAdminPass: xxx" (where "xxx") is the password. To revert to the original behaviour, the administrator would therefore need to set these configuration parameter: isis.prototyping.h2-console.web-allow-remote-access=true isis.prototyping.h2-console.generate-random-web-admin-password=false Note also that the h2 webconsole is never available in production mode, so these safeguards are only to ensure that the webconsole is secured by default also in prototype mode. | ||||