Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-24 | CVE-2023-25693 | Unspecified vulnerability in Apache Apache-Airflow-Providers-Apache-Sqoop Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. | 9.8 |
| 2023-02-24 | CVE-2023-25696 | Improper Input Validation vulnerability in Apache Apache-Airflow-Providers-Apache-Hive Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3. | 9.8 |
| 2023-02-24 | CVE-2023-25956 | Unspecified vulnerability in Apache Apache-Airflow-Providers-Amazon Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1. | 7.5 |
| 2023-02-23 | CVE-2023-25621 | Unspecified vulnerability in Apache Sling I18N Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to. | 6.5 |
| 2023-02-20 | CVE-2023-24998 | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. | 7.5 |
| 2023-02-20 | CVE-2023-25613 | Unspecified vulnerability in Apache Identity Backend An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. | 9.8 |
| 2023-02-15 | CVE-2022-42735 | Improper Privilege Management vulnerability in Apache Shenyu 2.5.0 Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 . | 8.8 |
| 2023-02-14 | CVE-2023-25141 | Unspecified vulnerability in Apache Sling JCR Base Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. | 7.5 |
| 2023-02-10 | CVE-2023-22832 | XXE vulnerability in Apache Nifi The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. | 7.5 |
| 2023-02-07 | CVE-2023-25194 | Unspecified vulnerability in Apache Kafka Connect A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0. When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath. Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. | 8.8 |