Azure Apache Oozie Spoofing Vulnerability

...

Azure Apache Hive Spoofing Vulnerability

...

2022's most routinely exploited vulnerabilities—history repeats

The Cybersecurity and Infrastructure Security Agency CISA, National Security Agency NSA, Federal Bureau of Investigation FBI, and international partners have released a joint Cybersecurity Advisory CSA called the 2022 Top Routinely Exploited Vulnerabilities. We went over the list and it felt like...

Medium: tomcat

Issue Overview: The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be...

NULL Pointer Dereference

libapache2-mod-auth-openidc is vulnerable NULL Pointer Dereference. This occurs when OIDCStripCookies is set and a creafted cookie is supplied resulting in a segmentation fault, causing to denial of service conditions...

Apache httpd URL normalization inconsistency

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes '/', directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing wi...

Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2023-2487)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

EulerOS Virtualization 3.0.6.0 : httpd (EulerOS-SA-2023-2502)

According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Some modproxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack...

Apache Helix Deserialization Vulnerability

Apache Helix is a general-purpose cluster management framework from the Apache USA Foundation for automating the management of partitioning, replication, and distributed resources hosted on clusters of nodes. Apache Helix suffers from a deserialization vulnerability that stems from the ability to...

Apache Jackrabbit Code Execution Vulnerability

Apache Jackrabbit is a content repository from Apache USA. A code execution vulnerability exists in Apache Jackrabbit Webapp/Standalone, which stems from the component commons-beanutils failing to properly filter special elements of constructed snippets. An attacker could exploit the vulnerabilit...

Apache InLong Deserialization Vulnerability (CNVD-2023-70280)

Apache InLong is the U.S. Apache Apache Foundation's one-stop massive data integration framework. Provides automated, secure and reliable data transfer capabilities. A deserialization vulnerability exists in Apache InLong versions 1.4.0 to 1.7.0. The vulnerability stems from insecure...

EulerOS Virtualization 2.10.1 : httpd (EulerOS-SA-2023-2462)

According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Some modproxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack...

CVE-2023-38435 Apache Felix Healthcheck Webconsole Plugin: XSS in healthcheck webconsole plugin

An improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 vulnerability in Apache Felix Healthcheck Webconsole Plugin version 2.0.2 and prior may allow an attacker to perform a reflected cross-site scripting XSS attack. Upgrade to Apache Felix Healthcheck...

CVE-2023-37895

Summary: CVE-2023-37895 affects Apache Jackrabbit Webapp/Standalone via an unsafe deserialization in the commons-beanutils component, enabling remote code execution over RMI. Affected RMIs include versions up to 2.20.10 (stable) and 2.21.17 (unstable). Impact: potential remote code execution with...

CVE-2023-35088

CVE-2023-35088 affects Apache InLong versions 1.4.0–1.7.0. The root cause is in the toAuditCkSql method, where groupId, streamId, auditId, and dt are directly concatenated into the SQL query, enabling SQL injection. The vulnerability can impact confidentiality, integrity, and availability (CVSS v...

CVE-2023-34189

CVE-2023-34189 affects Apache InLong versions 1.4.0–1.7.0. The issue is a permission-check flaw that allows a general user to delete or update processes, which should be admin-only. Remediation is to upgrade to InLong 1.8.0 or apply the patch from PR #8109 (linked in sources). Connected sources c...

PT-2023-24727 · Apache · Apache Inlong

Name of the Vulnerable Software and Affected Versions: Apache InLong versions 1.4.0 through 1.7.0 Description: The issue allows an attacker to use general users to delete and update processes that should only be operable by admins. Recommendations: For versions 1.4.0 through 1.7.0, upgrade to...

CVE-2023-34478

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha...

PimpMyLog 1.7.14 Improper Access Control

Exploit Title: PimpMyLog v1.7.14 - Improper access control Date: 2023-07-10 Exploit Author: thoughtfault Vendor Homepage: https://www.pimpmylog.com/ Software Link: https://github.com/potsky/PimpMyLog Version: 1.5.2-1.7.14 Tested on: Ubuntu 22.04 CVE : N/A Description: PimpMyLog suffers from...

Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 40 Multiple Vulnerabilities

According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including: - Vulnerability in the sfdcpreauth.jsp component. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code. CVE-2023-29382 - HTTP reques...