Vulnerabilities > Apache
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-09-05 | CVE-2023-40743 | Improper Input Validation vulnerability in Apache Axis ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. | 9.8 |
2023-09-03 | CVE-2023-41180 | Improper Certificate Validation vulnerability in Apache Nifi Minifi C++ 0.13.0/0.14.0 Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C++ versions 0.13 to 0.14 allows an intermediary to present a forged certificate during TLS handshake negotation. | 5.9 |
2023-08-28 | CVE-2023-27604 | Improper Input Validation vulnerability in Apache Airflow Sqoop Provider Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. | 8.8 |
2023-08-28 | CVE-2023-40195 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Airflow Spark Provider Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. | 8.8 |
2023-08-25 | CVE-2023-41080 | Open Redirect vulnerability in multiple products URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application. | 6.1 |
2023-08-23 | CVE-2023-37379 | Unspecified vulnerability in Apache Airflow Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. | 8.1 |
2023-08-23 | CVE-2023-39441 | Improper Certificate Validation vulnerability in Apache Airflow Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability | 5.9 |
2023-08-23 | CVE-2023-40273 | Session Fixation vulnerability in Apache Airflow The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. | 8.0 |
2023-08-22 | CVE-2022-44729 | Server-Side Request Forgery (SSRF) vulnerability in multiple products Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. | 7.1 |
2023-08-22 | CVE-2022-44730 | Server-Side Request Forgery (SSRF) vulnerability in multiple products Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL. | 4.4 |