Vulnerabilities > Apache > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-29 | CVE-2024-45477 | Cross-site Scripting vulnerability in Apache Nifi Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. | 4.6 |
| 2024-10-16 | CVE-2024-45461 | Missing Authorization vulnerability in Apache Cloudstack The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. | 6.3 |
| 2024-09-17 | CVE-2024-45384 | Unspecified vulnerability in Apache Druid Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution. | 5.3 |
| 2024-09-17 | CVE-2024-45537 | Unspecified vulnerability in Apache Druid Apache Druid allows users with certain permissions to read data from other database systems using JDBC. | 6.5 |
| 2024-08-26 | CVE-2023-49582 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Portable Runtime Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. | 5.5 |
| 2024-08-21 | CVE-2024-41937 | Cross-site Scripting vulnerability in Apache Airflow Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. | 6.1 |
| 2024-08-12 | CVE-2024-41909 | Improper Validation of Integrity Check Value vulnerability in Apache Mina Sshd Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. | 5.9 |
| 2024-08-12 | CVE-2024-41888 | Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. | 5.3 |
| 2024-08-12 | CVE-2024-41890 | Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. | 5.3 |
| 2024-08-07 | CVE-2024-42222 | Unspecified vulnerability in Apache Cloudstack 4.19.1.0 In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. | 4.3 |