Apache:  Security Vulnerabilities
In Apache Linkis <= 1.3.1, the PublicService module accepts file uploads without restricting either the destination path or the file type. We recommend that users upgrade Linkis to version 1.3.2. For versions <= 1.3.1, we suggest turning on the file path check switches in linkis.properties: `wds.linkis.workspace.filesystem.owner.check=true` and `wds.linkis.workspace.filesystem.path.check=true`.
CVSS Score
9.8
EPSS Score
0.005
Published
2023-04-10
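To make the two restrictions this entry describes concrete, here is an added example (not Linkis code and not taken from this page) of a path check and a file-type allowlist in front of an upload endpoint. The workspace root, the extension allowlist, the function names and the `path_check` / `file_type_check` flags are all assumptions of the example; the flags only mirror the effect of leaving the Linkis checks off or on, they are not the Linkis implementation.

```python
import posixpath

# Constructed example values: the workspace every upload from this user must
# stay inside, and the file types the upload endpoint is willing to accept.
WORKSPACE_ROOT = "/data/linkis/workspace/alice"
ALLOWED_EXTENSIONS = {".csv", ".txt", ".sql", ".py", ".scala"}


def resolve_upload_path(workspace_root, requested_path):
    """Path check: return the normalised absolute target for the upload, or
    None when the request would land outside the workspace root.

    Relative requests are joined to the root; absolute ones are taken as given.
    Either way '..' segments are collapsed before the prefix comparison, so
    traversal such as '../bob/x.csv' cannot slip past the check. (A deployment
    would also apply os.path.realpath to defeat symlinks; skipped here so the
    example runs without touching the file system.)
    """
    root = posixpath.normpath(workspace_root)
    if posixpath.isabs(requested_path):
        candidate = posixpath.normpath(requested_path)
    else:
        candidate = posixpath.normpath(posixpath.join(root, requested_path))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def file_type_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """File-type check: allowlist on the final extension, case-insensitive.

    Names with no extension (including dotfiles such as '.htaccess') are
    rejected, and only the last extension counts, which is what a web server
    or interpreter will act on.
    """
    _, ext = posixpath.splitext(posixpath.basename(filename))
    return ext.lower() in allowed


def validate_upload(workspace_root, requested_path,
                    path_check=True, file_type_check=True):
    """Gate an upload request. Both flags on is the hardened configuration;
    both off behaves like an endpoint with no restrictions at all."""
    if path_check and resolve_upload_path(workspace_root, requested_path) is None:
        return False, "path escapes workspace"
    if file_type_check and not file_type_allowed(requested_path):
        return False, "file type not allowed"
    return True, "ok"


if __name__ == "__main__":
    for req in ("reports/q1.csv", "../bob/q1.csv", "/etc/cron.d/job", "shell.jsp"):
        print(f"{req!r:20} hardened={validate_upload(WORKSPACE_ROOT, req)} "
              f"unrestricted={validate_upload(WORKSPACE_ROOT, req, False, False)}")
```

Note that the path check has to run on the normalised path, not on the raw request string: a request of `/data/linkis/workspace/alice/../bob/x.csv` starts with the right prefix but resolves into another user's workspace.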
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider: before 6.0.0.
CVSS Score
9.8
EPSS Score
0.015
Published
2023-04-07
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. This issue affects Apache Airflow Drill Provider: before 2.3.2.
CVSS Score
7.5
EPSS Score
0.004
Published
2023-04-07
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider. This issue affects Apache Airflow Spark Provider: before 4.0.1.
CVSS Score
7.5
EPSS Score
0.004
Published
2023-04-07
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.
CVSS Score
7.8
EPSS Score
0.013
Published
2023-04-03
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. When using the "Distributed UIMA Cluster Computing" (DUCC) module of Apache UIMA, an authenticated user that has the permissions to modify core entities can cause command execution as the system user that runs the web process. As the "Distributed UIMA Cluster Computing" module for UIMA is retired, we do not plan to release a fix for this issue. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Score
8.8
EPSS Score
0.005
Published
2023-03-30
Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users, who can create a directory name that injects XSS content and thereby gain privileges such as those of an admin user.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-03-29
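The entry above does not say which component renders the directory name, so the following is an added, generic illustration rather than the affected project's code: a directory name that is stored and later shown to an administrator, rendered once without and once with output encoding, plus an allowlist validator for the name on the way in. The sample payload, the allowlist pattern and the function names are constructed for the example.

```python
import html
import re

# Constructed sample: a directory name submitted by an authenticated user.
# Rendered raw into an administrator's file listing, it runs in that
# administrator's session, which is the privilege escalation path.
MALICIOUS_NAME = '<img src=x onerror="fetch(\'/admin/users/grant?role=admin&user=mallory\')">'

# Strict allowlist for directory names: letters, digits, space, dot,
# underscore and hyphen, first character alphanumeric, at most 64 characters.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$")


def directory_name_allowed(name):
    """Input validation on the way in: anything outside the allowlist is
    rejected, which also rules out '..' and path separators."""
    return bool(SAFE_NAME_RE.match(name))


def render_listing_vulnerable(names):
    """Interpolates stored names straight into HTML: stored XSS."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_listing_escaped(names):
    """Output encoding on the way out: every name is HTML-escaped, quotes
    included, so user-controlled text can never become a tag or attribute."""
    return "<ul>" + "".join(
        f"<li>{html.escape(n, quote=True)}</li>" for n in names) + "</ul>"


if __name__ == "__main__":
    names = ["Q1 reports", MALICIOUS_NAME]
    print(render_listing_vulnerable(names))
    print(render_listing_escaped(names))
    print([directory_name_allowed(n) for n in names])
```

Both layers matter: the validator stops new malicious names, but names already sitting in the database bypass it, so the listing must escape at render time regardless.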
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0
Description: Attacker can elevate their privileges in any room
CVSS Score
9.8
EPSS Score
0.002
Published
2023-03-28
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to the server and may be able to use the server for arbitrary outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3.
CVSS Score
8.1
EPSS Score
0.001
Published
2023-03-28
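The entry above gives no detail of the vulnerable endpoint, so what follows is an added example of the control a practitioner would put in front of any server-side fetch of a user-supplied URL, not Fineract code: allow only http/https, refuse embedded credentials, and resolve the host so that every answer is a public address (loopback, RFC 1918, link-local including the 169.254.169.254 cloud metadata address, and so on are refused). The DNS table is constructed so the example runs offline; a deployment would use socket.getaddrinfo in its place and apply the same test to each answer.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers (assumption of the example, replaces real resolution).
FAKE_DNS = {
    "reports.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],      # cloud metadata service
    "localtest.me": ["127.0.0.1"],                 # public name, loopback answer
    "dual.example.com": ["93.184.216.35", "10.0.0.5"],  # one public, one private
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_public_ip(ip_text):
    """True only for addresses the server may legitimately talk to."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolve=fake_resolve):
    """Return (allowed, reason) for a URL the application is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    # A literal IP skips DNS; a hostname must resolve, and every answer is
    # checked, so a record mixing public and private addresses is refused.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://reports.example.com/export.csv",
              "http://metadata.internal/latest/meta-data/",
              "http://localtest.me/", "http://[::1]/", "file:///etc/passwd"):
        print(u, check_outbound_url(u))
```

Two caveats the check alone does not cover: the HTTP client must connect to the address that was validated rather than resolving the name a second time (DNS rebinding), and it must not follow redirects automatically, since each redirect target needs the same check.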
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2.
CVSS Score
4.3
EPSS Score
0.005
Published
2023-03-28
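The entry above names the effect (an authorized user changing data beyond their permissions) but not the query, so the following is an added example, not Fineract code, of how that happens and how bound parameters prevent it. The table, the office scoping rule, the payload and the function names are constructed for the example; it uses an in-memory SQLite database so it runs offline.

```python
import sqlite3


def setup_db():
    """Constructed table: clients belong to an office, and the caller is an
    authorised user who is only supposed to edit clients in office 10."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, office_id INTEGER, note TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)",
                     [(1, 10, "ok"), (2, 10, "ok"), (3, 20, "ok")])
    conn.commit()
    return conn


def update_note_vulnerable(conn, client_id, office_id, note):
    """Builds the statement by string formatting. The note text becomes part
    of the SQL, so a quote inside it ends the literal and the rest executes."""
    sql = (f"UPDATE clients SET note = '{note}' "
           f"WHERE id = {client_id} AND office_id = {office_id}")
    conn.execute(sql)
    conn.commit()


def update_note_safe(conn, client_id, office_id, note):
    """Bound parameters: the note is sent as a value and never parsed as SQL."""
    conn.execute("UPDATE clients SET note = ? WHERE id = ? AND office_id = ?",
                 (note, client_id, office_id))
    conn.commit()


def notes(conn):
    return [row[0] for row in conn.execute("SELECT note FROM clients ORDER BY id")]


# Closes the string literal, substitutes its own WHERE clause and comments out
# the office restriction, so one request rewrites every client in every office.
PAYLOAD = "pwned' WHERE 1=1 --"


def demo():
    """Send the same request through both code paths and return the note
    column of each database afterwards."""
    vuln = setup_db()
    update_note_vulnerable(vuln, 2, 10, PAYLOAD)
    safe = setup_db()
    update_note_safe(safe, 2, 10, PAYLOAD)
    return notes(vuln), notes(safe)


if __name__ == "__main__":
    vulnerable_result, safe_result = demo()
    print("string-built SQL:", vulnerable_result)
    print("bound parameters:", safe_result)
```

In the string-built version the office scope that was meant to limit the user is simply commented away; with bound parameters the same payload is stored verbatim in the one row the user was allowed to edit.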

Shodan ® - All rights reserved