Low
CVSS: 1.0
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths…
Medium
CVSS: 6.5
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to.
Users are advised to upgra…
Medium
CVSS: 6.5
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access.
Users are recommended to upgra…
Medium
CVSS: 5.3
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Shiro: before 2.0.7.
Users are recommended to upgrade to version 2.0.7, which fixes the issue.
The issue only effects static files. If stati…
High
CVSS: 7.5
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer.
This issue affects Apache Answer: through 1.7.1.
An unauthenticated API endpoint incorrectly exposes full revision history for deleted conte…
Medium
CVSS: 4.9
Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.
An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE…
Medium
CVSS: 6.8
Reflected XSS in Apache Syncope's Enduser Login page.
An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.
This issue affects Apache Syncope: from 3…
Critical
CVSS: 9.9
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum.
This issue affects Apache Continuum: all versions.
Attackers with access to the install…
Low
CVSS: 3.7
Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter.
The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypass…
High
CVSS: 7.3
Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client.
This issue affects Apache Hadoop: from 3.2.0 before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
High
CVSS: 7.1
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "all…
High
CVSS: 8.2
Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. O…
Medium
CVSS: 6.5
A vulnerability.
When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contain…
High
CVSS: 7.5
A vulnerability in Apache Linkis.
Problem Description
When using the JDBC engine and da
When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding…
High
CVSS: 7.5
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore…
High
CVSS: 7.5
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of th…
Critical
CVSS: 9.8
Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command.
Root Cause: The bRPC heap profiler built-in service (/pprof/heap)…
Medium
CVSS: 5.3
Cypher Injection vulnerability in Apache Camel camel-neo4j component.
This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0
Users are recommended to upgrade to version 4.10.8 for…
High
CVSS: 8.1
Missing XML Validation vulnerability in Apache Struts, Apache Struts.
This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.
Users are recommended to upgrade to version 6.1.1, which fixes the i…
High
CVSS: 8.1
Authentication Bypass by Spoofing vulnerability in Apache NimBLE.
Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor.
This issue affects Apache NimBLE: through 1.8.0.
Users are re…