Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-10-14 CVE-2023-45348 Unspecified vulnerability in Apache Airflow 2.7.0/2.7.1
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to "non-sensitive-only".
network
low complexity
apache
4.3
2023-10-10 CVE-2023-45648 Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers.
network
low complexity
apache debian
5.3
2023-10-10 CVE-2023-42794 Unspecified vulnerability in Apache Tomcat
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream.
network
high complexity
apache
5.9
2023-10-10 CVE-2023-42795 Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
network
low complexity
apache debian
5.3
2023-09-19 CVE-2023-41834 Injection vulnerability in Apache Flink Stateful Functions 3.1.0/3.1.1/3.2.0
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted HTTP requests. Attackers could potentially inject malicious content into the HTTP response that is sent to the user's browser.
network
low complexity
apache CWE-74
6.1
2023-09-14 CVE-2023-42503 Unspecified vulnerability in Apache Commons Compress 1.22/1.23.0
Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue. A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption. In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]).
local
low complexity
apache
5.5
2023-09-12 CVE-2023-40611 Incorrect Authorization vulnerability in Apache Airflow
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes.
network
low complexity
apache CWE-863
4.3
2023-09-12 CVE-2023-40712 Unspecified vulnerability in Apache Airflow
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.
network
low complexity
apache
6.5
2023-09-06 CVE-2023-32672 Unspecified vulnerability in Apache Superset
An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0.
network
low complexity
apache
4.3
2023-09-06 CVE-2023-37941 Unspecified vulnerability in Apache Superset
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself.
network
high complexity
apache
6.6