
8064 matches found

OSV
added 2022/11/02 7:00 p.m. · 23 views

GHSA-H63R-9XXF-F2C7 Apache Airflow Cross-site Scripting vulnerability

In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the origin query argument...

CVSS 6.1 · AI score 5.8 · EPSS 0.01435
Exploits 0 · References 6
Positive Technologies
added 2022/11/02 12:00 a.m. · 1 view

PT-2022-27055 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.4.2
Description: The issue is related to an open redirect in the webserver's "/confirm" endpoint.
Recommendations: For versions prior to 2.4.2, update to version 2.4.2 or later to resolve the issue...

CVSS 6.1 · AI score 6 · EPSS 0.01494
Exploits 0 · References 10
0day.today
added 2022/11/02 12:00 a.m. · 498 views

Apache CouchDB Erlang Remote Code Execution Exploit

In Apache CouchDB versions prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

CVSS 9.8 · AI score 9.2 · EPSS 0.92335
Exploits 8
OSV
added 2022/11/01 7:00 p.m. · 24 views

GHSA-FP35-XRRR-3GPH Apache DolphinScheduler vulnerable to Path Traversal

When a logged-in user adds a resource to the resource center with a relative path, the path is not validated, so the request can traverse outside the intended directory. Users should upgrade to version 3.0.0 to avoid this issue...

CVSS 6.5 · AI score 6.4 · EPSS 0.0141
Exploits 0 · References 4
Cvelist
added 2022/11/01 12:00 a.m. · 17 views

CVE-2022-34662 Apache DolphinScheduler prior to 3.0.0 allows path traversal

When users add resources to the resource center with a relative path, path traversal is possible; the issue is reachable only by logged-in users. Upgrade to version 3.0.0 or higher...

AI score 6.7 · EPSS 0.0141
Exploits 0 · References 2
CVE
added 2022/11/01 12:00 a.m. · 628 views

CVE-2022-42252

CVE-2022-42252 affects multiple Tomcat series (8.5.0–8.5.82, 9.0.0-M1–9.0.67, 10.0.0-M1–10.0.26, 10.1.0-M1–10.1.0). The issue: if rejectIllegalHeader is false (default on 8.5.x), Tomcat may fail to reject a request with an invalid Content-Length header, enabling a request-smuggling scenario when ...

CVSS 7.5 · AI score 7.6 · EPSS 0.01448
Exploits 0 · References 2 · Affected Software 1
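The setting named in the CVE-2022-42252 entry above, shown as an added configuration example (not text from the advisory or from the Tomcat project). It assumes the HTTP/1.1 Connector in conf/server.xml of an 8.5.x or 9.0.x install; the port value is a placeholder. The first Connector is the weak form, which on 8.5.x is also what you get when the attribute is omitted; the second is the corrected form.

```xml
<!-- Weak: rejectIllegalHeader="false" is the 8.5.x default, so an invalid
     Content-Length header is ignored instead of rejected and the request
     may still be processed. -->
<Connector port="8080" protocol="HTTP/1.1"
           rejectIllegalHeader="false" />

<!-- Corrected: any request carrying an illegal header name or value is
     answered with 400 and the connection is not reused. -->
<Connector port="8080" protocol="HTTP/1.1"
           rejectIllegalHeader="true" />
```

The attribute is a mitigation, not the fix: the ranges listed in the entry end at 8.5.82, 9.0.67, 10.0.26 and 10.1.0, so the corrected releases are 8.5.83, 9.0.68, 10.0.27 and 10.1.1. After the change, a request whose Content-Length is not a valid number should come back as 400 rather than being passed through.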
Slackware Linux
added 2022/10/31 11:47 p.m. · 51 views

[slackware-security] php80/php81

New php80/php81 packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: extra/php80/php80-8.0.25-i586-1slack15.0.txz: Upgraded. This update fixes security issues: GD: OOB read due to insufficient input validation in...

CVSS 9.8 · AI score 9.2 · EPSS 0.05236
Exploits 4
CVE
added 2022/10/28 12:00 a.m. · 95 views

CVE-2022-26884

CVE-2022-26884 affects Apache DolphinScheduler prior to version 2.0.6, introducing a path traversal vulnerability where a log server request could allow reading arbitrary files. The root cause is inadequate filtering of resources/files in path handling. Impact is limited to confidentiality (high)...

CVSS 6.5 · AI score 6.3 · EPSS 0.01486
Exploits 0 · References 2 · Affected Software 1
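The three DolphinScheduler entries above (GHSA-FP35-XRRR-3GPH, CVE-2022-34662 and CVE-2022-26884) describe the same defect class: a caller-supplied relative path is joined to a server-side directory without checking that the result stays inside it. The containment check below is an added example written for this listing, not DolphinScheduler's own code; the base directory and the sample inputs are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not project code: resolve a user-supplied relative path under a
// fixed base directory and reject anything that escapes it.
public final class ResourcePathCheck {

    /** Resolve 'relative' under 'base'; throws if the normalized result leaves base. */
    public static Path resolveWithinBase(Path base, String relative) {
        if (relative.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in path");
        }
        Path root = base.toAbsolutePath().normalize();
        // resolve() returns 'relative' unchanged when it is absolute, so an absolute
        // input such as /etc/passwd is caught by the same containment test.
        Path candidate = root.resolve(relative).normalize();
        // Path.startsWith compares whole name elements, so a root of /srv/res does
        // not accidentally accept /srv/resources/...
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes base directory: " + relative);
        }
        return candidate;
    }

    /** Same check after following symlinks; usable only once the target exists. */
    public static Path resolveReal(Path base, String relative) throws IOException {
        Path root = base.toRealPath();
        Path real = resolveWithinBase(root, relative).toRealPath();
        if (!real.startsWith(root)) {
            throw new IllegalArgumentException("symlink escapes base directory: " + relative);
        }
        return real;
    }

    public static void main(String[] args) {
        // Assumed base directory for the demonstration.
        Path base = Paths.get("/srv/dolphinscheduler/resources");
        // Constructed inputs covering the common traversal shapes.
        String[] inputs = {
            "team-a/etl.sql",                // plain relative path
            "team-a/../team-b/secret.sql",   // dot-dot that stays inside base
            "../../../etc/passwd",           // classic traversal
            "/etc/passwd",                   // absolute path
            "team-a/./..//../../etc/shadow"  // mixed dots and doubled separators
        };
        for (String in : inputs) {
            try {
                System.out.println("OK   " + in + " -> " + resolveWithinBase(base, in));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats a reviewer would raise. The second sample stays inside the base and is therefore accepted, so the base passed in must be the narrowest directory the caller is entitled to (the user's or tenant's own folder), not the whole resource store. And the check operates on the decoded string: any percent-decoding or backslash-to-slash translation done by the framework must happen before this call, never after.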
Github Security Blog
added 2022/10/26 7:00 p.m. · 29 views

Apache IoTDB subject to ReDOS with Java 8

Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it...

CVSS 7.5 · AI score 7.1 · EPSS 0.01341
Exploits 0 · References 4 · Affected Software 4
NVD
added 2022/10/26 4:15 p.m. · 18 views

CVE-2022-43766

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it...

CVSS 7.5 · EPSS 0.01341
Exploits 0 · References 1
CVE
added 2022/10/26 12:00 a.m. · 81 views

CVE-2022-43766

CVE-2022-43766 affects Apache IoTDB versions 0.12.2–0.12.6 and 0.13.0–0.13.2. The issue is a Denial of Service caused by accepting untrusted REGEXP query patterns when running with Java 8. The fixed release is 0.13.3 or newer, and using a later Java version a...

CVSS 7.5 · AI score 7.5 · EPSS 0.01341
Exploits 0 · References 1 · Affected Software 1
OSV
added 2022/10/25 7:00 p.m. · 26 views

GHSA-R29W-R9PH-VM76 Apache XML Graphics Batik vulnerable to code execution via SVG.

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16...

CVSS 7.5 · AI score 7.5 · EPSS 0.02143
Exploits 0 · References 10
Malwarebytes
added 2022/10/19 7:00 p.m. · 114 views

Why Log4Text is not another Log4Shell

The Apache Software Foundation has acknowledged a vulnerability in Apache Commons Text, a library focused on algorithms for string manipulation. The vulnerability has been assigned CVE-2022-42889, but security researchers have dubbed it Log4Text. The name provides an immediate association with...

AI score 9.1 · EPSS 0.99931
Exploits 41
Positive Technologies
added 2022/10/19 12:00 a.m. · 4 views

PT-2022-26449 · Apache · Apache Isis

Name of the Vulnerable Software and Affected Versions: Apache Isis versions prior to 2.0.0-M8
Description: The h2 webconsole module is automatically made available when running in prototype mode, allowing direct queries to the database. To improve security, the capability to access the webconsole...

CVSS 6.9 · AI score 7.2 · EPSS 0.01198
Exploits 0 · References 8
UbuntuCve
added 2022/10/13 12:00 a.m. · 102 views

CVE-2022-42889

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation...

CVSS 9.8 · AI score 7.4 · EPSS 0.99931
Exploits 41 · References 3
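The "${prefix:name}" mechanism in the CVE-2022-42889 entry above is what turns attacker-controlled text into a lookup. The pair of methods below is an added example, not code from the Commons Text project, contrasting the vulnerable default interpolator with one built from an explicit allowlist of lookups; the "app" prefix, the template strings and the values map are assumptions made for the demonstration.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example, not Commons Text project code.
public final class InterpolationDemo {

    // Vulnerable pattern: createInterpolator() enables every default lookup. In
    // 1.5 through 1.9 that set includes script:, dns: and url:, so whoever
    // controls the string can trigger DNS/HTTP requests or, with a JSR-223
    // engine on the classpath, run code.
    static String vulnerable(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // Hardened pattern: the interpolator is built from an explicit map of the
    // lookups this feature needs. addDefaultLookups=false and a null default
    // lookup mean any other prefix (sys:, env:, script:, ...) is left verbatim.
    static String hardened(String untrusted, Map<String, String> appValues) {
        StringLookup allowlist = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues)), // assumed prefix
                null,
                false);
        return new StringSubstitutor(allowlist).replace(untrusted);
    }

    public static void main(String[] args) {
        // Constructed values and input: a harmless sys: lookup stands in for the
        // script: payloads; the script: reference shows the prefix is not expanded.
        Map<String, String> appValues = Map.of("greeting", "hello");
        String untrusted = "${app:greeting} ${sys:java.version} ${script:javascript:1+1}";

        // Untrusted text drove a lookup and the JVM version is echoed back.
        System.out.println("vulnerable: " + vulnerable("${sys:java.version}"));
        // Only the allowlisted prefix resolves; the other two stay as literal text.
        System.out.println("hardened:   " + hardened(untrusted, appValues));
    }
}
```

Upgrading to 1.10.0, which drops script:, dns: and url: from the defaults, is the fix the advisory points to; the allowlist is what keeps a later regression from mattering, since the only code path that can expand a prefix is the one you enumerated.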
Amazon
added 2022/10/11 12:00 a.m. · 22 views

Important: libapreq2

Issue Overview: A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack. (CVE-2022-22728)
Affected Packages: libapreq2...

CVSS 7.5 · AI score 7.8 · EPSS 0.04446
Exploits 0
Tenable Nessus
added 2022/10/05 12:00 a.m. · 43 views

Debian dla-3127 : libhttp-daemon-perl - security update

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3127 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3127-1 [email protected] https://www.debian.org/lts/security/...

CVSS 7.3 · AI score 6.4 · EPSS 0.01688
Exploits 1 · References 4
Packet Storm
added 2022/10/01 12:00 a.m. · 243 views

Joomla MyMuse 4.3.0 SQL Injection

┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An...

AI score 0.3
Exploits 0
UbuntuCve
added 2022/09/28 2:15 p.m. · 187 views

CVE-2021-43980

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 tha...

CVSS 3.7 · AI score 6.8 · EPSS 0.01632
Exploits 0 · References 5
CVE
added 2022/09/28 12:00 a.m. · 387 views

CVE-2021-43980

CVE-2021-43980 affects Apache Tomcat 8.5.0–8.5.77, 9.0.0-M1–9.0.60, 10.0.0-M1–10.0.18, and 10.1.0–10.1.0-M12. The issue arises from a simplified blocking I/O path that shares an Http11Processor between clients, potentially causing responses or partial responses to be delivered to the wrong client...

CVSS 3.7 · AI score 5.6 · EPSS 0.01632
Exploits 0 · References 4 · Affected Software 1