CVE-2022-46421
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: before 5.0.0...
Command injection
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: before 5.0.0...
Apache Helix UI vulnerable to Open Redirect
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component. This issue affects Apache Helix all releases from 0.8.0 to and including 1.0.4. Solution: removed the forward component since it was improperly designed for UI embedding. User...
CVE-2022-47500
CVE-2022-47500 affects the Apache Helix UI component. The issue is an Open Redirect caused by an improperly designed forward component used for UI embedding, impacting all Apache Helix UI releases from 0.8.0 through 1.0.4. The documented remediation is to upgrade to version 1.1.0, which addresses...
PT-2022-27839 · Apache · Apache Cxf
Name of the Vulnerable Software and Affected Versions: Apache CXF versions prior to 3.4.10; Apache CXF versions prior to 3.5.5. Description: A vulnerability in Apache CXF allows an attacker to perform a remote directory listing or code exfiltration. This issue arises when the CXFServlet is configur...
Fixed in Apache Tomcat 8.5.84
Low: Apache Tomcat JsonErrorReportValve injection CVE-2022-45143 The JsonErrorReportValve did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or...
CVE-2022-45378
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary...
MGASA-2022-0228 Updated apache packages fix security vulnerability
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions...
ae.teletronics.ejabberd:EjabberdXMLRPCClient (>=1.0.2 <=1.1.0), br.eti.kinoshita:testlink-java-api (>=1.9.0-1 <=1.9.20-1) +281 more potentially affected by CVE-2016-5004 via org.apache.xmlrpc:xmlrpc-common (>=3.0 <=3.1.3)
org.apache.xmlrpc:xmlrpc-common MAVEN version =3.0, =1.0.2, =1.9.0-1, =0.0.1, =0.0.1, =2.6.1.19, =8.1.0.286, =8.1.0.286, =8.1.0.286, =1.0.0.RELEASE, =0.5, =0.5, =0.7, =0.9 and more Source cves: CVE-2016-5004 Source advisory: OSV:GHSA-R2PG-W96P-PCPJ...
GHSA-7V5V-9V8R-W864 Inadequate Encryption Strength in Apache CXF
Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic...
Apache POI Resource Management Error Vulnerability
Apache POI is an open source library from the US-based Apache Software Foundation that provides APIs allowing Java programs to read and write Microsoft Office format files. A resource management error vulnerability exists in Apache POI that stems from the product's failure to effectively determine...
The Log4j Vulnerability Puts Pressure on the Security World
It’s not my intention to be alarmist about the Log4j vulnerability CVE-2021-44228, known as Log4Shell, but this one is pretty bad. First of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure...
Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries
A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Snyk,...
New Apache Log4j Update Released to Patch Newly Discovered Vulnerability
The Apache Software Foundation (ASF) on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month...
China suspends deal with Alibaba for not sharing Log4j 0-day first with the government
China's internet regulator, the Ministry of Industry and Information Technology (MIIT), has temporarily suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months on account of the fact that it failed to promptly inform the governmen...
Apache James Server Remote Command Execution Vulnerability
Apache James Server is an open source SMTP and POP3 mail server and NNTP news server developed in pure Java by the Apache Software Foundation. Apache James Server is vulnerable to remote command execution. An attacker could exploit the vulnerability to execute arbitrary code in the browser context...
Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware
Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability. The atta...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
Workaround for CVE-2021-44228 Log4j RCE exploit as a buildpa...
graylog -- remote code execution in log4j from user-controlled log input
Apache Software Foundation reports: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default...
MGASA-2021-0470 Updated apache packages fix security vulnerability
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...