Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-26 | CVE-2023-51467 | Server-Side Request Forgery (SSRF) vulnerability in Apache Ofbiz The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code | 9.8 |
| 2023-12-26 | CVE-2023-50968 | Server-Side Request Forgery (SSRF) vulnerability in Apache Ofbiz Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue. | 7.5 |
| 2023-12-22 | CVE-2023-51387 | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system. | 8.8 |
| 2023-12-22 | CVE-2023-51650 | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system. | 7.5 |
| 2023-12-22 | CVE-2022-39337 | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. | 7.5 |
| 2023-12-21 | CVE-2023-51656 | Unspecified vulnerability in Apache Iotdb Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue. | 9.8 |
| 2023-12-21 | CVE-2023-47265 | Unspecified vulnerability in Apache Airflow Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox. | 5.4 |
| 2023-12-21 | CVE-2023-48291 | Unspecified vulnerability in Apache Airflow Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability. | 4.3 |
| 2023-12-21 | CVE-2023-49920 | Unspecified vulnerability in Apache Airflow Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected | 6.5 |
| 2023-12-21 | CVE-2023-50783 | Unspecified vulnerability in Apache Airflow Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue | 6.5 |