Vulnerabilities > Apache > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-18 | CVE-2023-41314 | Incorrect Authorization vulnerability in Apache Doris The api /api/snapshot and /api/get_log_file would allow unauthenticated access. It could allow a DoS attack or get arbitrary files from FE node. Please upgrade to 2.0.3 to fix these issues. | 8.2 |
| 2023-12-15 | CVE-2023-49898 | Command Injection vulnerability in Apache Streampark 2.0.0/2.1.0/2.1.1 In streampark, there is a project module that integrates Maven's compilation capability. | 7.2 |
| 2023-12-05 | CVE-2023-41835 | Incomplete Cleanup vulnerability in Apache Struts When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue. | 7.5 |
| 2023-11-30 | CVE-2023-49735 | Path Traversal vulnerability in Apache Tiles 2.0 ** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. | 7.5 |
| 2023-11-28 | CVE-2022-41678 | Improper Authentication vulnerability in Apache Activemq Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. | 8.8 |
| 2023-11-28 | CVE-2023-46589 | HTTP Request Smuggling vulnerability in Apache Tomcat Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. | 7.5 |
| 2023-11-27 | CVE-2023-40610 | Incorrect Authorization vulnerability in Apache Superset Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. | 8.8 |
| 2023-11-27 | CVE-2023-49068 | Unspecified vulnerability in Apache Dolphinscheduler Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. | 7.5 |
| 2023-11-24 | CVE-2023-48796 | Unspecified vulnerability in Apache Dolphinscheduler 3.0.0/3.0.1 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue. | 7.5 |
| 2023-11-16 | CVE-2023-26031 | Untrusted Search Path vulnerability in Apache Hadoop 3.3.1/3.3.2/3.3.4 Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. | 7.5 |