455 matches found
CVE-2022-47185 Apache Traffic Server: Invalid Range header causes a crash
Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1...
GHSA-269X-PG5C-5XGM Apache Airflow Execution with Unnecessary Privileges
Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the...
CVE-2023-39508
The CVE-2023-39508 issue affects Apache Airflow prior to 2.6.0, where the Run Task feature could be exploited by an authenticated user to execute code in the webserver context and bypass DAG access restrictions, exposing sensitive information and potentially impacting confidentiality, integrity, ...
CVE-2023-34434
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8....
CVE-2023-34434 Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8....
CVE-2023-34434
CVE-2023-34434 affects Apache InLong (versions 1.4.0–1.7.0). It is a deserialization of untrusted data vulnerability that could bypass logic and read arbitrary files. The remediation is to upgrade to InLong 1.8.0 or apply the patch from PR 8130. Connected sources corroborate the affected versions...
CVE-2023-34189 Apache InLong: General user can delete and update process
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could use general users to delete and update the process, which only the admin can operate occurrences. Users are advised to...
CVE-2023-34189
CVE-2023-34189 affects Apache InLong versions 1.4.0–1.7.0. The issue is a permission-check flaw that allows a general user to delete or update processes, which should be admin-only. Remediation is to upgrade to InLong 1.8.0 or apply the patch from PR #8109 (linked in sources). Connected sources c...
Apache Airflow Apache Hive Provider Improper Input Validation vulnerability
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797 Before 6.1.2 the proxyuser option can also inject semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. It is recommended updatin...
CVE-2023-37415
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797 Before 6.1.2 the proxyuser option can also inject semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. It is recommended updatin...
CVE-2023-37415 Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797 Before 6.1.2 the proxyuser option can also inject semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. It is recommended updatin...
CVE-2023-37415
CVE-2023-37415 is an Improper Input Validation vulnerability affecting the Apache Airflow Hive Provider (versions before 6.1.2). The issue arises from input validation around the proxy_user option, which can permit semicolon injection, enabling an attacker to impact confidentiality, integrity, an...
GHSA-G9CV-V3V4-3H8R Apache Pulsar Incorrect Authorization vulnerability
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar...
Apache Pulsar Broker's Rest Producer vulnerable to Incorrect Authorization
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from...
Apache Pulsar Broker Improper Authentication vulnerability
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a...
CVE-2023-30428 Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from...
CVE-2023-30428 Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from...
CVE-2023-30428
CVE-2023-30428: Apache Pulsar Broker Rest Producer improper authorization allows an authenticated user with a custom HTTP header to produce messages to any topic using the broker’s admin role. Affected: Pulsar Brokers 2.9.0–2.9.5; 2.10.0–2.10.3; 2.11.0. Exploitation requires direct broker access ...
CVE-2023-30429
CVE-2023-30429 - Apache Pulsar Incorrect Authorization : Affects Pulsar Function Worker when connecting through a Pulsar Proxy with mTLS; the worker uses the Proxy’s role for authorization instead of the client’s, enabling privilege escalation. Affected: Pulsar Function Worker versions before 2.1...
CVE-2023-31007 Apache Pulsar: Broker does not always disconnect client when authentication data expires
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a...