Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-07-15 CVE-2023-41916 Files or Directories Accessible to External Parties vulnerability in Apache Linkis
In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading.
network
low complexity
apache CWE-552
6.5
2024-07-08 CVE-2024-37389 Cross-site Scripting vulnerability in Apache Nifi
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting.
network
low complexity
apache CWE-79
5.4
2024-02-29 CVE-2024-23946 Unrestricted Upload of File with Dangerous Type vulnerability in Apache Ofbiz
Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
network
low complexity
apache CWE-434
5.3
2024-02-19 CVE-2024-25710 Infinite Loop vulnerability in Apache Commons Compress
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
local
low complexity
apache CWE-835
5.5
2024-02-19 CVE-2024-26308 Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
local
low complexity
apache CWE-770
5.5
2024-02-07 CVE-2023-39196 Improper Authentication vulnerability in Apache Ozone 1.2.0/1.2.1/1.3.0
Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue.
network
low complexity
apache CWE-287
5.3
2024-01-24 CVE-2023-50944 Missing Authorization vulnerability in Apache Airflow
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it.
network
low complexity
apache CWE-862
6.5
2024-01-24 CVE-2023-51702 Cleartext Storage of Sensitive Information vulnerability in Apache Airflow and Airflow Cncf Kubernetes
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption.
network
low complexity
apache CWE-312
6.5
2024-01-23 CVE-2023-49657 Cross-site Scripting vulnerability in Apache Superset
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to include: TALISMAN_CONFIG = {     "content_security_policy": {         "base-uri": ["'self'"],         "default-src": ["'self'"],         "img-src": ["'self'", "blob:", "data:"],         "worker-src": ["'self'", "blob:"],         "connect-src": [             "'self'",             " https://api.mapbox.com" https://api.mapbox.com" ;,             " https://events.mapbox.com" https://events.mapbox.com" ;,         ],         "object-src": "'none'",         "style-src": [             "'self'",             "'unsafe-inline'",         ],         "script-src": ["'self'", "'strict-dynamic'"],     },     "content_security_policy_nonce_in": ["script-src"],     "force_https": False,     "session_cookie_secure": False, }
network
low complexity
apache CWE-79
5.4
2024-01-19 CVE-2024-21733 Information Exposure Through an Error Message vulnerability in Apache Tomcat
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
network
low complexity
apache CWE-209
5.3