

Multiple Zoho ManageEngine Products Vulnerabilities
July 22, 2024
Multiple Oracle Products Vulnerabilities
July 22, 2024
Severity
Medium
Analysis Summary
CVE-2024-29178 CVSS:6.3
Apache StreamPark could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a template injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-29736 CVSS:6.5
Apache CXF is vulnerable to server-side request forgery, caused by improper validation of the WADL stylesheet parameter. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack.
CVE-2024-40725 CVSS:5.9
Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an incomplete fix for CVE-2024-39884 related to ignoring some use of the legacy content-type based configuration of handlers. By using AddType, an attacker could exploit this vulnerability, resulting in source code disclosure of local content.
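As an added example for CVE-2024-40725 (not part of the original advisory and not Apache's own tooling), the Python helper below lists `AddType` directives in an httpd configuration that select a handler through the content type, so administrators can see which configurations depend on the legacy behaviour this CVE concerns. The function names, the sample configuration and the `application/x-httpd-*` pattern are assumptions made for this example.

```python
import re

# Assumption: media types of the form application/x-httpd-* are the usual
# way a handler (PHP, CGI, ...) is selected through AddType.
LEGACY_HANDLER_TYPE = re.compile(r"^application/x-httpd-[\w.+-]+$", re.I)


def logical_lines(text):
    """Yield (line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None


def find_legacy_addtype(text):
    """Return (line_number, media_type, extensions) per handler-style AddType."""
    findings = []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # skip blank lines and commented-out directives
        parts = line.split()
        if parts[0].lower() != "addtype" or len(parts) < 3:
            continue  # directive names are case-insensitive in httpd
        media_type = parts[1].strip('"')
        if LEGACY_HANDLER_TYPE.match(media_type):
            findings.append((no, media_type.lower(), parts[2:]))
    return findings


# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
# AddType application/x-httpd-php .old
AddType text/html .shtml
AddType application/x-httpd-php .php .phtml
addtype application/x-httpd-cgi \\
    .cgi
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

if __name__ == "__main__":
    print(find_legacy_addtype(SAMPLE_CONF))
```

The findings are a review list of configurations that rely on content-type based handler selection, not proof of exposure; the upgrade under Remediation still applies.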
CVE-2024-40898 CVSS:5.9
Apache HTTP Server is vulnerable to server-side request forgery, caused by an error on Windows with mod_rewrite in server/vhost context. By sending a specially crafted request, an attacker could exploit this vulnerability to leak NTLM hashes to a malicious server.
CVE-2023-52291 CVSS:4.7
Apache StreamPark could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper input parameter validation. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2024-29120 CVSS:6.5
Apache StreamPark could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the Backend service. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive user information, and use this information to launch further attacks against the affected system.
CVE-2024-29737 CVSS:4.7
Apache StreamPark could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper input parameter validation. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2024-30471 CVSS:6.5
Apache StreamPipes could allow a remote attacker to bypass security restrictions, caused by a race condition in user self-registration. By sending a specially crafted request, an attacker could exploit this vulnerability to create multiple accounts with the same email address and corrupt StreamPipes' user management.
CVE-2024-39887 CVSS:4.3
Apache Superset is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2024-31979 CVSS:5.3
Apache StreamPipes is vulnerable to server-side request forgery, caused by a flaw during the installation process of pipeline elements. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack that sends an HTTP GET request to an arbitrary address.
CVE-2024-39863 CVSS:6.4
Apache Airflow is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when installing a provider. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2023-52290 CVSS:6.5
Apache StreamPark is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements using the sort field, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2024-37389 CVSS:5.4
Apache NiFi is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the description field in the Parameter Context configuration. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Impact
- Gain Access
- Security Bypass
- Data Manipulation
- Cross-Site Scripting
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-29178
- CVE-2024-29736
- CVE-2024-40725
- CVE-2024-40898
- CVE-2023-52291
- CVE-2024-29120
- CVE-2024-29737
- CVE-2024-30471
- CVE-2024-39887
- CVE-2024-31979
- CVE-2024-39863
- CVE-2023-52290
- CVE-2024-37389
Affected Vendors
Affected Products
- Apache HTTP Server 2.4.0
- Apache StreamPark 1.0.0
- Apache StreamPipes 0.93.0
- Apache HTTP Server 2.4.59
- Apache HTTP Server 2.4.60
- Apache NiFi 1.10.0
- Apache NiFi 2.0.0-M1
- Apache NiFi 2.0.0-M3
- Apache NiFi 1.26.0
- Apache CXF 3.5.8
- Apache CXF 3.6.3
- Apache CXF 4.0.4
- Apache Airflow 2.9.2
- Apache StreamPark 2.0.0
- Apache StreamPark 2.1.3
- Apache HTTP Server 2.4.61
- Apache Superset 4.0.1
Remediation
Upgrade to the latest version of Apache, available from the Apache Website.