Topic

Apache

A collection of 60 issues

CVE-2022-2070 In Grandstream GSD3710, it's possible to overflow the stack because it doesn't check param length before using sscanf.

The affected versions are: v1.0.11.13 (r9748) and before. As a recommendation, update the software as soon as possible and don't run daemons on the vulnerable version. Also, upgrade the services that need to connect to the internet, like mail, DNS, etc. In addition to that, change the

CVE-2022-33683 Brokers and Proxies create an internal Pulsar Admin Client that doesn't verify peer TLS certificates even with tlsAllowInsecureConnection disabled.

This issue affects Apache Pulsar Broker and Proxy versions 2.8.4 and later; 2.10.0 and later; 2.11.0 and later; 2.12.0 and later; 2.13.0 and later; 3.0.0 and later; 3.1.0 and later; 3.2.0 and later; 3.

CVE-2022-24280 The Proxy component of Apache Pulsar is vulnerable to TCP/IP connection attempts that originated from the Proxy's IP address.

Update to version 2.10.0 has been released to fix this issue. Incorrect Input Validation Vulnerability in Apache Pulsar Proxy with Remote Code Execution Vulnerability In Apache Pulsar Proxy component, the input validation of the username and password fields is performed in the URLDecode() function. An attacker could exploit

CVE-2022-33682

The Apache Pulsar Broker, Proxy, and WebSocket Proxy clients communicate with each other over a secured connection using the pulsar+ssl protocol. The SSL/TLS protocol provides hostname verification, which is the process of verifying that the server with which the client is communicating is the server that the client

CVE-2022-40604 Airflow url had formatting issue, allowing for information extraction.

The following flow was not escaping all text within it, allowing for cross site scripting (XSS) attacks. a href="%= request.getPathName() %>"> This issue was fixed in Apache Airflow 2.3.5. Impact In some cases, users may be able to inject arbitrary JavaScript into their Airflow deployments, leading to potential

CVE-2022-39220 SFTPGo is an SFTP server written in Go. Versions prior to 2.3.5 are vulnerable to Cross-site scripting (XSS) attacks due to a WebClient bug. An update is available.

SFTPGo is susceptible to Cross-site scripting (XSS) vulnerabilities in the WebClient component. According to the vendor, these vulnerabilities have been fixed in version 2.3.5. No known workarounds exist. SFTPGo is susceptible to Cross-site scripting (XSS) vulnerabilities in the WebClient component. According to the vendor, these vulnerabilities have been

CVE-2022-40439 An memory leak issue was found in Bento4 AP4_StdcFileByteStream::Create, which can be used to cause a denial of service.

A memory leak was discovered in AP4_File::Write in mp42ts in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file. A memory leak was discovered in AP4_File::Close in mp42ts in Bento4 v1.6.0-639, allows attackers to cause a denial

CVE-2022-39144 V33.1-V33.1.262 has a vulnerability. V34.0-V34.1.242 has a vulnerability. V35.0 has no vulnerabilities.

A vulnerability has been identified in Parasolid V33.1 (All versions V33.1.262), Parasolid V33.1 (All versions >= V33.1.262 V33.1.263), Parasolid V34.0 (All versions V34.0.252), Parasolid V34.1 (All versions V34.1.242), Parasolid V35.0 (All versions V35.0.161), Parasolid

CVE-2022-39135 Exists Node, Extract XML, XML Transform, and Extract Value don't have protections against XXE, which could lead to XXE attacks.

To fix this vulnerability, we strongly recommend users upgrade to Apache Calcite 1.32.0 or a newer version. In case you are currently using a previous version, then you should disable any of the operators mentioned above (which are enabled by default) in your application configuration. If you have

CVE-2022-38258 D-Link DIR 819 v1.06 has an LFI that can cause DoS or access sensitive server info.

An attacker can exploit this vulnerability by sending a malicious request to the targeted server. An attacker can then send this malicious request to the targeted server. If the server accepts the connection and process the malicious request, the targeted server will receive the request and attempt to process it.