CVE-2023-46302
CVE-2023-46302 affects Apache Submarine (0.7.0–0.8.0 pre-upgrade) where YAML deserialization in the YamlUtils.yaml processing path (SnakeYAML-based) can lead to remote code execution. The issue arises during unmarshalling of YAML requests via JAXRS endpoints using application/yaml content-type; t...
CVE-2024-36265
Apache Submarine Server Core (versions from 0.8.0) is affected by an Incorrect Authorization vulnerability caused by invalid authorization checks. The issue is present in a retired project and there is no planned fix. In practice, this could allow network-based exploitation without user interacti...
CVE-2024-36264
CVE-2024-36264 concerns Apache Submarine Commons Utils with an improper authentication flaw. The issue arises if submarine.auth.default.secret is not set, as a default secret is used, potentially enabling unauthorized access. Affected version: 0.8.0 and later; note the project is retired and no f...
CVE-2024-36263
Apache Submarine Server Core (all versions) is affected by an SQL Injection vulnerability due to improper neutralization of special elements in SQL commands. The project is retired, and there is no planned fix. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (base score 8.1). Attack value is...
CVE-2023-37924
Apache Submarine (subsystem: server) has an SQL injection vulnerability that allows login-time exploitation, affecting versions 0.7.0–0.8.0. The issue could enable unauthorized logins. A fix is available in version 0.8.0, which also adds OIDC support and removes unauthenticated login paths. If up...