Severity
Medium
Analysis Summary
CVE-2024-54677 CVSS:5.3
Apache Tomcat is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the examples web application. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-53947 CVSS:4.3
Apache Superset is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2024-53949 CVSS:8.1
Apache Superset could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an improper authorization vulnerability when FAB_ADD_SECURITY_API is enabled (disabled by default). An attacker could exploit this vulnerability to allow lower privilege users to use this API.
Impact
- Denial of Service
- Data Manipulation
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2024-54677
- CVE-2024-53947
- CVE-2024-53949
Affected Vendors
Affected Products
- Apache Tomcat - 10.1.0-M1
- Apache Tomcat - 9.0.0.M1
- Apache Tomcat - 9.0.97
- Apache Tomcat - 10.1.33
- Apache Superset 4.0.2
Remediation
Upgrade to the latest version of Apache, available from the Apache Website.