Lucene search
ApacheDoris

6 matches found

CVE
added 2024/03/21 9:38 a.m., 85 views

CVE-2024-26307

CVE-2024-26307 describes a race condition in Apache Doris involving code that uses chmod(), which could allow a local attacker to rename a file under a user and chmod the wrong file. Affected versions are before 1.2.8 and before 2.0.4. Impact is described as minimal in the sources. The recommende...

CVSS 5.3 | AI score 5.3 | EPSS 0.00029

CVE
added 2022/04/26 4:5 p.m., 83 views

CVE-2022-23942

CVE-2022-23942 affects Apache Doris versions prior to 1.0.0, where the LDAP password cipher uses a hardcoded key and IV, enabling information disclosure. The issue is exploitable over the network with low attack complexity and no authentication required, compromising confidentiality (per CVSS met...

CVSS 7.5 | AI score 7.3 | EPSS 0.01815

CVE
added 2024/03/21 9:39 a.m., 79 views

CVE-2024-27438

CVE-2024-27438 affects Apache Doris. The vulnerability arises from downloading and loading arbitrary JDBC driver jars used by the JDBC catalog, enabling remote command execution when a catalog is initialized with unchecked code snippets. Affected versions are Doris 1.2.0 through 2.0.4; upgrade to...

CVSS 9.8 | AI score 9.9 | EPSS 0.02342

CVE
added 2025/02/04 6:19 p.m., 63 views

CVE-2024-48019

CVE-2024-48019: Apache Doris is affected by a path-traversal vulnerability exploitable via the REST API, allowing admins to read arbitrary files on the server. Connected sources specify affected versions are prior to 2.1.8 and prior to 3.0.3, with upgrades to 2.1.8+ or 3.0.3+ recommended as the ...

CVSS 5.4 | AI score 6.8 | EPSS 0.00744

CVE
added 2024/03/12 10:16 a.m., 59 views

CVE-2023-41313

CVE-2023-41313 — Apache Doris: The authentication method in Apache Doris versions before 2.0.0 is vulnerable to timing attacks. Upgrading fixes the issue, with recommended versions being 2.0.0+ or 1.2.8. This vulnerability is described across multiple sources in the connected documents, includin...

CVSS 9.8 | AI score 9.6 | EPSS 0.00144

CVE
added 2023/12/18 8:27 a.m., 50 views

CVE-2023-41314

CVE-2023-41314 affects Apache Doris; the vulnerability arises from unauthenticated access to /api/snapshot and /api/get_log_file, potentially enabling DoS and retrieval of arbitrary files from FE nodes. Worldwide references indicate the affected product is Doris and advise upgrading to version 2.0.3 ...

CVSS 8.2 | AI score 8.3 | EPSS 0.00384