‼ CVE-2023-30429 ‼
📖 Read
via "National Vulnerability Database".
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.3.0 Pulsar Function Worker users are unaffected.Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46651 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22887 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37579 ‼
📖 Read
via "National Vulnerability Database".
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.3.0 Pulsar Function Worker users are unaffected.Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42009 ‼
📖 Read
via "National Vulnerability Database".
SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22888 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected📖 Read
via "National Vulnerability Database".
‼ CVE-2023-35908 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45855 ‼
📖 Read
via "National Vulnerability Database".
SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37582 ‼
📖 Read
via "National Vulnerability Database".
The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.📖 Read
via "National Vulnerability Database".
❤1
‼ CVE-2023-31007 ‼
📖 Read
via "National Vulnerability Database".
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.2.9 Pulsar Broker users should upgrade to at least 2.9.5.2.10 Pulsar Broker users should upgrade to at least 2.10.4.2.11 Pulsar Broker users should upgrade to at least 2.11.1.3.0 Pulsar Broker users are unaffected.Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30428 ‼
📖 Read
via "National Vulnerability Database".
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role.This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0.The vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to exploit this authorization vulnerability.There are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.2.8 Pulsar Broker users and earlier are unaffected.2.9 Pulsar Broker users should upgrade to one of the patched versions.2.10 Pulsar Broker users should upgrade to at least 2.10.4.2.11 Pulsar Broker users should upgrade to at least 2.11.1.3.0 Pulsar Broker users are unaffected.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43758 ‼
📖 Read
via "National Vulnerability Database".
Adobe Media Encoder versions 22.0, 15.4.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious MP4 file.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-33668 ‼
📖 Read
via "National Vulnerability Database".
DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover accounts on shared computers.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38065 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38068 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38061 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2023.05.1 stored XSS when using a custom theme was possible📖 Read
via "National Vulnerability Database".
‼ CVE-2020-20021 ‼
📖 Read
via "National Vulnerability Database".
An issue discovered in MikroTik Router v6.46.3 and earlier allows attacker to cause denial of service via misconfiguration in the SSH daemon.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38067 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log📖 Read
via "National Vulnerability Database".
‼ CVE-2021-44696 ‼
📖 Read
via "National Vulnerability Database".
Adobe Prelude version 22.1.1 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious JPEG file.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38064 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38063 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible📖 Read
via "National Vulnerability Database".