Vulnerabilities > Apache > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-04-24 | CVE-2023-30776 | Insufficiently Protected Credentials vulnerability in Apache Superset. An authenticated user with specific data permissions could access the stored passwords of database connections by requesting a specific REST API. This issue affects Apache Superset versions 1.3.0 up to 2.0.1. | 6.5 |
2023-04-20 | CVE-2023-25601 | Improper Authentication vulnerability in Apache DolphinScheduler. On versions 3.0.0 through 3.1.1, Apache DolphinScheduler's Python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. | 4.3 |
2023-04-17 | CVE-2023-25504 | Server-Side Request Forgery (SSRF) vulnerability in Apache Superset. A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. | 6.5 |
2023-04-17 | CVE-2023-27525 | Incorrect Authorization vulnerability in Apache Superset. An authenticated user with Gamma role authorization could gain access to metadata information using non-trivial methods in Apache Superset up to and including 2.0.1. | 4.3 |
2023-04-11 | CVE-2023-30465 | SQL Injection vulnerability in Apache InLong 1.4.0/1.5.0. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time. Users are advised to upgrade to Apache InLong 1.6.0 or cherry-pick [1] to solve it. https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [1] https://github.com/apache/inlong/issues/7529 | 5.3 |
2023-03-29 | CVE-2023-28158 | Cross-site Scripting vulnerability in Apache Archiva. Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users who can create a directory name that injects XSS content and thereby gain privileges such as those of the admin user. | 5.4 |
2023-03-28 | CVE-2023-25196 | SQL Injection vulnerability in Apache Fineract. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. | 4.3 |
2023-03-28 | CVE-2023-25197 | SQL Injection vulnerability in Apache Fineract. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to exploit this for limited impact on components. | 6.3 |
2023-03-22 | CVE-2023-28708 | Unprotected Transport of Credentials vulnerability in Apache Tomcat. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. | 4.3 |
2023-03-15 | CVE-2023-25695 | Information Exposure Through an Error Message vulnerability in Apache Airflow. Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow before 2.5.2. | 5.3 |