Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-02-19 CVE-2024-26308 Unspecified vulnerability in Apache Commons Compress
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
local
low complexity
apache
5.5
2024-02-14 CVE-2024-23952 Unspecified vulnerability in Apache Superset
This is a duplicate for CVE-2023-46104.
network
low complexity
apache
6.5
2024-02-07 CVE-2023-39196 Unspecified vulnerability in Apache Ozone 1.2.0/1.2.1/1.3.0
Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue.
network
low complexity
apache
5.3
2024-01-24 CVE-2023-50944 Unspecified vulnerability in Apache Airflow
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it.
network
low complexity
apache
6.5
2024-01-24 CVE-2023-51702 Unspecified vulnerability in Apache Airflow and Airflow Cncf Kubernetes
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption.
network
low complexity
apache
6.5
2024-01-23 CVE-2023-49657 Unspecified vulnerability in Apache Superset
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to include: TALISMAN_CONFIG = {     "content_security_policy": {         "base-uri": ["'self'"],         "default-src": ["'self'"],         "img-src": ["'self'", "blob:", "data:"],         "worker-src": ["'self'", "blob:"],         "connect-src": [             "'self'",             " https://api.mapbox.com" https://api.mapbox.com" ;,             " https://events.mapbox.com" https://events.mapbox.com" ;,         ],         "object-src": "'none'",         "style-src": [             "'self'",             "'unsafe-inline'",         ],         "script-src": ["'self'", "'strict-dynamic'"],     },     "content_security_policy_nonce_in": ["script-src"],     "force_https": False,     "session_cookie_secure": False, }
network
low complexity
apache
5.4
2024-01-19 CVE-2024-21733 Unspecified vulnerability in Apache Tomcat
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
network
low complexity
apache
5.3
2024-01-15 CVE-2023-46749 Unspecified vulnerability in Apache Shiro
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
network
low complexity
apache
6.5
2024-01-15 CVE-2023-50290 Unspecified vulnerability in Apache Solr
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
network
low complexity
apache
6.5
2023-12-21 CVE-2023-47265 Unspecified vulnerability in Apache Airflow
Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox.
network
low complexity
apache
5.4