Vulnerabilities > Apache
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-27 | CVE-2023-49145 | Cross-site Scripting vulnerability in Apache Nifi Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. | 5.4 |
| 2023-11-27 | CVE-2023-40610 | Incorrect Authorization vulnerability in Apache Superset Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. | 8.8 |
| 2023-11-27 | CVE-2023-42501 | Incorrect Default Permissions vulnerability in Apache Superset Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources. | 4.3 |
| 2023-11-27 | CVE-2023-43701 | Cross-site Scripting vulnerability in Apache Superset Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue. | 5.4 |
| 2023-11-27 | CVE-2023-49068 | Unspecified vulnerability in Apache Dolphinscheduler Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. | 7.5 |
| 2023-11-24 | CVE-2023-48796 | Unspecified vulnerability in Apache Dolphinscheduler 3.0.0/3.0.1 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue. | 7.5 |
| 2023-11-23 | CVE-2023-43123 | Unspecified vulnerability in Apache Storm On unix-like systems, the temporary directory is shared between all user. | 5.5 |
| 2023-11-22 | CVE-2023-37924 | SQL Injection vulnerability in Apache Submarine 0.7.0 Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. | 9.8 |
| 2023-11-20 | CVE-2022-46337 | Injection vulnerability in Apache Derby A cleverly devised username might bypass LDAP authentication checks. | 9.8 |
| 2023-11-20 | CVE-2023-46302 | Deserialization of Untrusted Data vulnerability in Apache Submarine 0.7.0 Apache Software Foundation Apache Submarine has a bug when serializing against yaml. | 9.8 |