CVE-2023-31007
The CVE-2023-31007 issue is an Improper Authentication vulnerability in Apache Pulsar Broker. The root cause is that the broker may fail to disconnect a client after authentication data expires when the client connects via Pulsar Proxy with authenticateOriginalAuthData=false or when a direct conn...
CVE-2023-31007 Apache Pulsar: Broker does not always disconnect client when authentication data expires
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a...
CVE-2023-37579
This CVE affects Apache Pulsar Function Worker. An incorrect authorization flaw allows any authenticated user to retrieve a source or sink configuration, potentially exposing credentials stored in those configurations. Affected products/versions: Pulsar Function Worker before 2.10.4 and before 2....
CVE-2023-34442 Apache Camel JIRA: Temporary file information disclosure in Camel-Jira
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel. This issue affects Apache Camel: from 3.X through =3.14.8, from 3.18.X through =3.18.7, from 3.20.X through = 3.20.5, from 4.X through = 4.0.0-M3. Users should upgrade to 3.14.9,...
CVE-2023-35887
CVE-2023-35887 affects Apache MINA SSHD when using RootedFileSystem in SFTP servers. The root cause is path traversal outside the rooted tree via paths with '..' or symlinks, allowing logged-in users to discover existence/non-existence of items outside the rooted directory. Affected: Apache MINA ...
CVE-2023-35887
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the root...
CVE-2023-33008
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. A malicious attacker can craft JSON input containing very large numbers such as 1e20000000 that Apache Johnzon will deserialize into BigDecimal; numbers this large may result ...
CVE-2023-33008
CVE-2023-33008 describes a deserialization flaw in Apache Johnzon that can cause a slow-deserialization/Denial-of-Service when processing untrusted JSON numbers like 1e20000000, due to converting to BigDecimal. Affected Johnzon versions prior to 1.2.21 are vulnerable; Johnzon 1.2.21 mitigates thi...
GHSA-7MHC-76HF-3JP9 Apache InLong Exposure of Resource to Wrong Sphere vulnerability
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of cluster of InLong. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick...
GHSA-F475-JGG3-3JWC Apache InLong Exposure of Resource to Wrong Sphere vulnerability
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick...
Apache InLong Deserialization of Untrusted Data Vulnerability
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers would bypass the autoDeserialize option filtering by adding blanks. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pic...
GHSA-V93H-RWJ8-78QH Apache OpenMeetings insufficient authorization vulnerability
Attacker can access arbitrary recording/room. Vendor: The Apache Software Foundation. Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0...
GHSA-CQR6-3X3F-9WR3 Apache InLong SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL...
Input validation
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. Before version 6.1.1 it was possible to bypass the security check and achieve RCE via the principal parameter. For this to be exploited it...
CVE-2023-35797
CVE-2023-35797 affects Apache Airflow Hive Provider prior to 6.1.1 and is an Improper Input Validation vulnerability that can enable remote code execution via the principal parameter when connection details are modifiable. The issue is mitigated by upgrading the provider to version 6.1.1 or later...
CVE-2023-35797 Apache Airflow Hive Provider Beeline RCE with Principal
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. Before version 6.1.1 it was possible to bypass the security check and achieve RCE via the principal parameter. For this to be exploited it...
Apache Airflow JDBC Provider Improper Input Validation vulnerability
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. The Airflow JDBC Provider Connection's Connection URL parameters had no restrictions, which made it possible to carry out RCE attacks via different types of JDBC drivers and obtain airflow server permission...
CVE-2023-22886 Apache Airflow JDBC Provider: RCE Vulnerability
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. The Airflow JDBC Provider Connection's Connection URL parameters had no restrictions, which made it possible to carry out RCE attacks via different types of JDBC drivers and obtain airflow server permission...