Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-25 | CVE-2023-34434 | Unspecified vulnerability in Apache Inlong Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could bypass the current logic and achieve arbitrary file reading. | 7.5 |
| 2023-07-25 | CVE-2023-35088 | Unspecified vulnerability in Apache Inlong Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8198 | 9.8 |
| 2023-07-24 | CVE-2023-34478 | Unspecified vulnerability in Apache Shiro Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ | 9.8 |
| 2023-07-19 | CVE-2023-28754 | Deserialization of Untrusted Data vulnerability in Apache Shardingsphere Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file. The attacker needs to have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine can access the URL with the arbitrary code JAR. An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. | 8.8 |
| 2023-07-17 | CVE-2023-26512 | Unspecified vulnerability in Apache Eventmesh 1.7.0/1.8.0 CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. | 9.8 |
| 2023-07-13 | CVE-2023-37415 | Unspecified vulnerability in Apache Apache-Airflow-Providers-Apache-Hive Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797 Before 6.1.2 the proxy_user option can also inject semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability. | 8.8 |
| 2023-07-12 | CVE-2022-42009 | Unspecified vulnerability in Apache Ambari SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. | 8.8 |
| 2023-07-12 | CVE-2022-45855 | Unspecified vulnerability in Apache Ambari SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7. | 8.8 |
| 2023-07-12 | CVE-2022-46651 | Unspecified vulnerability in Apache Airflow Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. | 6.5 |
| 2023-07-12 | CVE-2023-22887 | Unspecified vulnerability in Apache Airflow Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. | 6.5 |