Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-11-07 CVE-2023-46851 Unspecified vulnerability in Apache Allura
Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments.
network
low complexity
apache
4.9
2023-10-23 CVE-2023-46288 Unspecified vulnerability in Apache Airflow
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only.
network
low complexity
apache
4.3
2023-10-23 CVE-2023-45802 Improper Resource Shutdown or Release vulnerability in multiple products
When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately.
network
high complexity
apache fedoraproject debian CWE-404
5.9
2023-10-20 CVE-2023-44483 Unspecified vulnerability in Apache Santuario XML Security for Java
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
network
low complexity
apache
6.5
2023-10-19 CVE-2023-25753 Server-Side Request Forgery (SSRF) vulnerability in Apache Shenyu 2.5.1
There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint.
network
low complexity
apache CWE-918
6.5
2023-10-16 CVE-2023-43666 Unspecified vulnerability in Apache Inlong
Insufficient Verification of Data Authenticity vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/8623
network
low complexity
apache
6.5
2023-10-16 CVE-2023-45757 Unspecified vulnerability in Apache Brpc
Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz page. An attacker that can send http request to bRPC server with rpcz enabled can inject arbitrary XSS code to the builtin rpcz page. Solution (choose one of three): 1.
network
low complexity
apache
6.1
2023-10-14 CVE-2023-42663 Unspecified vulnerability in Apache Airflow
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
network
low complexity
apache
6.5
2023-10-14 CVE-2023-42780 Unspecified vulnerability in Apache Airflow
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs.
network
low complexity
apache
6.5
2023-10-14 CVE-2023-42792 Exposure of Resource to Wrong Sphere vulnerability in Apache Airflow
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
network
low complexity
apache CWE-668
6.5