Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-12 | CVE-2023-37582 | Code Injection vulnerability in Apache Rocketmq The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. | 9.8 |
| 2023-07-12 | CVE-2023-32200 | Expression Language Injection vulnerability in Apache Jena There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. | 8.8 |
| 2023-07-10 | CVE-2023-34442 | Unspecified vulnerability in Apache Camel Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel.This issue affects Apache Camel: from 3.X through <=3.14.8, from 3.18.X through <=3.18.7, from 3.20.X through <= 3.20.5, from 4.X through <= 4.0.0-M3. Users should upgrade to 3.14.9, 3.18.8, 3.20.6 or 3.21.0 and for users on Camel 4.x update to 4.0.0-M1 | 3.3 |
| 2023-07-10 | CVE-2023-35887 | Path Traversal vulnerability in Apache Sshd Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. This issue affects Apache MINA: from 1.0 before 2.10. | 4.3 |
| 2023-07-07 | CVE-2023-33008 | Deserialization of Untrusted Data vulnerability in Apache Johnzon Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). | 5.3 |
| 2023-07-05 | CVE-2023-34150 | Improper Input Validation vulnerability in Apache Any23 ** UNSUPPORTED WHEN ASSIGNED ** Use of TikaEncodingDetector in Apache Any23 can cause excessive memory usage. | 5.3 |
| 2023-07-03 | CVE-2023-35797 | Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Apache-Hive Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. Before version 6.1.1 it was possible to bypass the security check to RCE via principal parameter. | 9.8 |
| 2023-06-29 | CVE-2023-22886 | Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Jdbc Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission. This issue affects Apache Airflow JDBC Provider: before 4.0.0. | 8.8 |
| 2023-06-27 | CVE-2023-34395 | Argument Injection or Modification vulnerability in Apache Apache-Airflow-Providers-Odbc Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting version 4.0.0 driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider: before 4.0.0. | 7.8 |
| 2023-06-27 | CVE-2023-35798 | Improper Input Validation vulnerability in Apache products Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it. This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1. It is recommended to upgrade to a version that is not affected | 4.3 |