Vulnerabilities > Apache > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-12 | CVE-2023-28936 | Unspecified vulnerability in Apache Openmeetings Attacker can access arbitrary recording/room Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0 | 5.3 |
| 2023-05-08 | CVE-2023-29247 | Unspecified vulnerability in Apache Airflow Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. | 5.4 |
| 2023-05-02 | CVE-2023-26268 | Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment. | 5.3 |
| 2023-05-01 | CVE-2022-45801 | Unspecified vulnerability in Apache Streampark Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. | 5.4 |
| 2023-04-25 | CVE-2023-22665 | Expression Language Injection vulnerability in Apache Jena There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. | 5.4 |
| 2023-04-24 | CVE-2023-30776 | Unspecified vulnerability in Apache Superset An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1. | 6.5 |
| 2023-04-20 | CVE-2023-25601 | Unspecified vulnerability in Apache Dolphinscheduler On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. | 4.3 |
| 2023-04-17 | CVE-2023-25504 | Server-Side Request Forgery (SSRF) vulnerability in Apache Superset A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. | 6.5 |
| 2023-04-17 | CVE-2023-27525 | Unspecified vulnerability in Apache Superset An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1 | 4.3 |
| 2023-04-11 | CVE-2023-30465 | Unspecified vulnerability in Apache Inlong 1.4.0/1.5.0 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time. Users are advised to upgrade to Apache InLong's 1.6.0 or cherry-pick [1] to solve it. https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [1] https://github.com/apache/inlong/issues/7529 https://github.com/apache/inlong/issues/7529 | 5.3 |