Apache: Security Vulnerabilities
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
CVSS Score
5.4
EPSS Score
0.004
Published
2020-07-17
IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04
CVSS Score
5.3
EPSS Score
0.025
Published
2020-07-15
XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
CVSS Score
6.1
EPSS Score
0.938
Published
2020-07-15
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
CVSS Score
7.5
EPSS Score
0.239
Published
2020-07-14
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
CVSS Score
7.5
EPSS Score
0.922
Published
2020-07-14
This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.
CVSS Score
9.8
EPSS Score
0.636
Published
2020-07-14
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.
CVSS Score
9.8
EPSS Score
0.847
Published
2020-07-14
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.
CVSS Score
9.8
EPSS Score
0.031
Published
2020-07-14
Server-Side Template Injection and arbitrary file disclosure on Camel templating components
CVSS Score
7.5
EPSS Score
0.015
Published
2020-07-08
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process.
CVSS Score
6.7
EPSS Score
0.001
Published
2020-07-02