Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-28 | CVE-2024-24773 | Incorrect Authorization vulnerability in Apache Superset Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue. | 6.5 |
| 2024-02-28 | CVE-2024-24779 | Unspecified vulnerability in Apache Superset Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. | 6.5 |
| 2024-02-28 | CVE-2024-26016 | Unspecified vulnerability in Apache Superset A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. | 5.4 |
| 2024-02-28 | CVE-2024-27315 | Unspecified vulnerability in Apache Superset An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. | 4.3 |
| 2024-02-27 | CVE-2023-50380 | Unspecified vulnerability in Apache Ambari XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. | 6.5 |
| 2024-02-27 | CVE-2024-21742 | Injection vulnerability in Apache James Mime4J Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages. | 5.3 |
| 2024-02-22 | CVE-2023-51388 | Injection vulnerability in Apache Hertzbeat Hertzbeat is a real-time monitoring system. | 9.8 |
| 2024-02-22 | CVE-2023-51389 | Deserialization of Untrusted Data vulnerability in Apache Hertzbeat Hertzbeat is a real-time monitoring system. | 9.8 |
| 2024-02-22 | CVE-2023-51653 | Injection vulnerability in Apache Hertzbeat Hertzbeat is a real-time monitoring system. | 9.8 |
| 2024-02-22 | CVE-2024-23349 | Unspecified vulnerability in Apache Answer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. XSS attack when user enters summary. | 5.4 |