Apache: Security Vulnerabilities

Log4j 1.2 includes a SocketServer class that deserializes untrusted data. When the server listens for log data on an untrusted network and a suitable deserialization gadget is present on the classpath, this can be exploited to execute arbitrary code remotely. This affects Log4j versions 1.2 through 1.2.17.
CVSS Score: 9.8 | EPSS Score: 0.485 | Published: 2019-12-20

LibreOffice and OpenOffice automatically open embedded content.
CVSS Score: 6.5 | EPSS Score: 0.006 | Published: 2019-12-20

cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2019-12-19

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
CVSS Score: 8.1 | EPSS Score: 0.042 | Published: 2019-12-18

In Apache Incubator Superset before 0.31, a user could query database metadata information from a database to which they have no access by using a specially crafted complex query.
CVSS Score: 5.3 | EPSS Score: 0.007 | Published: 2019-12-16

In Apache Incubator Superset before 0.32, a user can view, in a dropdown list in SQL Lab, the names of databases to which they have no access.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2019-12-16

qpid-cpp: ACL policies are only loaded if the acl-file option is specified; without them, a client can cause a denial of service by consuming all available file descriptors.
CVSS Score: 7.5 | EPSS Score: 0.046 | Published: 2019-12-13

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVSS Score: 7.5 | EPSS Score: 0.137 | Published: 2019-12-12

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without producing any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users only use update channels or third-party .cf files from trusted places.
CVSS Score: 6.7 | EPSS Score: 0.0 | Published: 2019-12-12

SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2019-12-09