Apache: Security Vulnerabilities
In Apache Ozone before 1.2.0, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.
CVSS Score
8.8
EPSS Score
0.006
Published
2021-11-19
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.
CVSS Score
5.3
EPSS Score
0.013
Published
2021-11-19
In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
CVSS Score
9.8
EPSS Score
0.006
Published
2021-11-19
Improper output neutralization for logs. A specific Apache Superset HTTP endpoint allowed an authenticated user to forge log entries or inject malicious content into logs.
CVSS Score
6.5
EPSS Score
0.007
Published
2021-11-17
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0.
CVSS Score
9.8
EPSS Score
0.94
Published
2021-11-16
Apache Superset up to and including 1.3.1 allowed database connection passwords to be leaked to authenticated users. This information could be accessed in a non-trivial way.
CVSS Score
6.5
EPSS Score
0.003
Published
2021-11-12
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
CVSS Score
9.8
EPSS Score
0.013
Published
2021-11-11
Deserialization of Untrusted Data vulnerability of Apache ShardingSphere-UI allows an attacker to inject outer link resources. This issue affects Apache ShardingSphere-UI version 4.1.1 and later versions; Apache ShardingSphere-UI versions prior to 5.0.0.
CVSS Score
7.5
EPSS Score
0.02
Published
2021-11-11
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.
CVSS Score
7.5
EPSS Score
0.006
Published
2021-11-03
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
CVSS Score
7.5
EPSS Score
0.006
Published
2021-11-03

