Vulnerabilities > Apache > High

DATE CVE VULNERABILITY TITLE RISK
2023-11-24 CVE-2023-48796 Unspecified vulnerability in Apache Dolphinscheduler 3.0.0/3.0.1
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set the environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to work around this, or add the following section to the `application.yaml` file:

```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.
network
low complexity
apache
7.5
2023-11-16 CVE-2023-26031 Untrusted Search Path vulnerability in Apache Hadoop 3.3.1/3.3.2/3.3.4
Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges.
network
high complexity
apache CWE-426
7.5
2023-11-08 CVE-2023-39913 Deserialization of Untrusted Data vulnerability in Apache Uimaj
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK. This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which fixes the issue. There are several locations in the code where serialized Java objects are deserialized without verifying the data.
network
low complexity
apache CWE-502
8.8
2023-10-28 CVE-2023-46215 Unspecified vulnerability in Apache Airflow and Airflow Celery Provider
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information is logged as clear text when the rediss, amqp, or rpc protocols are used as the Celery result backend. Note: the vulnerability is about the information exposed in the logs, not about accessing the logs. This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3. Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airflow to version 2.7.0, which fixes the issue.
network
low complexity
apache
7.5
2023-10-23 CVE-2023-31122 Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.
network
low complexity
apache fedoraproject
7.5
2023-10-23 CVE-2023-43622 Unspecified vulnerability in Apache Http Server 2.4.55/2.4.56/2.4.57
An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server.
network
low complexity
apache
7.5
2023-10-19 CVE-2023-46227 Unspecified vulnerability in Apache Inlong
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8814
network
low complexity
apache
7.5
2023-10-17 CVE-2023-39456 Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue.
network
low complexity
apache fedoraproject
7.5
2023-10-17 CVE-2023-41752 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.
network
low complexity
apache fedoraproject
7.5
2023-10-16 CVE-2023-43667 Unspecified vulnerability in Apache Inlong
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.8.0; the attacker can create misleading or false log records, making it harder to audit and trace malicious activities. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8628
network
low complexity
apache
7.5