Rewterz

Multiple Apache Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-41178 CVSS:6.5

Apache Arrow Rust Object Store (the object_store crate), version 0.10.1 and earlier, exposes temporary credentials in its logs when AWS WebIdentityToken authentication is in use: on certain error conditions the OAuth2 token presented to AWS is written to the log. Anyone with read access to those log files can recover the WebIdentityToken and use it to obtain AWS credentials for the associated role, then launch further attacks against the affected system. The attacker does not need to be authenticated to the application itself, only to have access to the logs.

CVE-2024-23321 CVSS:5.9

Apache RocketMQ 5.2.0 and earlier can expose sensitive information to an unauthorized actor even when its authentication and authorization functions are enabled. An attacker holding regular user privileges, or whose address appears in the broker's IP whitelist, can call specific interfaces to obtain the administrator's account and password and thereby take full control of the broker.

CVE-2024-34457 CVSS:5.3

Apache StreamPark 1.0.0 through 2.1.3 contains an insecure direct object reference (IDOR) vulnerability. An authenticated user can craft a request carrying their own authorization token but referencing another user's object identifier, and the backend returns that user's Flink application information, including executeSQL and config, without checking ownership.

CVE-2024-38503 CVSS:6.1

Apache Syncope 2.1.0 through 2.1.14 and 3.0.0 through 3.0.7 do not properly escape HTML in text fields of the Console and Enduser applications. A remote attacker can store malicious HTML in such a field; when another user views it, the markup is rendered in that user's browser within the security context of the hosting site, which can be leveraged for further attacks against that user.

CVE-2024-29070 CVSS:5.3

Apache StreamPark versions below 2.1.4 do not invalidate the session on the server side when a user logs out. The "Authorization" token returned by the backend service keeps working after logout, so an attacker who has obtained a token (for example from a shared workstation or an intercepted request) can continue to use it to access data as that user.
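The two StreamPark issues above (CVE-2024-34457 and CVE-2024-29070) are both failures of server-side authorization state, so one model shows them side by side. What follows is an added example and not StreamPark code: a constructed in-memory service with two users and two Flink "applications", a WeakAppService that reproduces both weaknesses, a HardenedAppService that fixes them, and a probe() function that performs the two checks a tester would run against a real instance (read someone else's application; replay a token after logout). All names, users and application records are assumptions made for the illustration.

```python
import secrets

# Constructed data for the model: each application record carries the fields the
# advisory says were exposed (executeSQL and config).
USERS = {"alice": "alice-pass", "bob": "bob-pass"}
APPS = {
    1: {"owner": "alice", "executeSQL": "SELECT * FROM orders",
        "config": {"parallelism": 2}},
    2: {"owner": "bob", "executeSQL": "INSERT INTO t SELECT * FROM kafka_src",
        "config": {"parallelism": 8}},
}


class WeakAppService:
    """Reproduces both weaknesses described in the advisory."""

    def __init__(self):
        self._sessions = {}  # bearer token -> username

    def login(self, user: str, password: str) -> str:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def logout(self, token: str) -> None:
        # CVE-2024-29070 pattern: the client discards the token but the server
        # never invalidates it, so a captured token keeps working after logout.
        return None

    def _authenticate(self, token: str) -> str:
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("unauthenticated")
        return user

    def get_app(self, token: str, app_id: int) -> dict:
        # CVE-2024-34457 pattern: the token proves who the caller is, but the
        # record is fetched by id alone, so any authenticated user reads any app.
        self._authenticate(token)
        return APPS[app_id]


class HardenedAppService(WeakAppService):
    """Same API with server-side revocation and an ownership check."""

    def logout(self, token: str) -> None:
        # Revoke on the server; a replayed token now fails authentication.
        self._sessions.pop(token, None)

    def get_app(self, token: str, app_id: int) -> dict:
        user = self._authenticate(token)
        app = APPS.get(app_id)
        # "Not yours" and "does not exist" return the same error so the endpoint
        # cannot be used to enumerate which ids are valid.
        if app is None or app["owner"] != user:
            raise PermissionError("not found")
        return app


def probe(service: WeakAppService) -> dict:
    """Run the two checks; True means the behaviour is vulnerable."""
    results = {}
    bob = service.login("bob", "bob-pass")
    try:
        service.get_app(bob, 1)  # application 1 belongs to alice
        results["idor"] = True
    except PermissionError:
        results["idor"] = False
    alice = service.login("alice", "alice-pass")
    service.logout(alice)
    try:
        service.get_app(alice, 1)  # alice's own app, but after she logged out
        results["token_reuse_after_logout"] = True
    except PermissionError:
        results["token_reuse_after_logout"] = False
    return results


if __name__ == "__main__":
    print("weak:    ", probe(WeakAppService()))
    print("hardened:", probe(HardenedAppService()))
```

Against a live deployment the same two probes are performed with an HTTP client: call the application-detail endpoint with user B's token and user A's application id, then log user A out in the UI and replay A's last request with the old Authorization header. A fixed release (2.1.4 or later) should reject both.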

Impact

  • Information Disclosure
  • Gain Access
  • Security Bypass

Indicators of Compromise

CVE

  • CVE-2024-41178
  • CVE-2024-23321
  • CVE-2024-34457
  • CVE-2024-38503
  • CVE-2024-29070

Affected Vendors

Apache

Affected Products

  • Apache StreamPark 1.0.0
  • Apache StreamPark 2.0.0
  • Apache StreamPark 2.1.3
  • Apache Arrow Rust Object Store 0.10.1
  • Apache RocketMQ 4.5.2
  • Apache RocketMQ 5.2.0
  • Apache Syncope 2.1.5
  • Apache Syncope 2.1.6
  • Apache Syncope 3.0
  • Apache Syncope 3.0.7
  • Apache Syncope 2.1
  • Apache Syncope 2.1.14

Remediation

Upgrade each affected product to a fixed release, available from the Apache website: Arrow Rust Object Store (object_store crate) 0.10.2 or later; RocketMQ 5.3.0 or later (4.9.9 or later on the 4.x line); StreamPark 2.1.4 or later; Syncope 3.0.8 or later. Where logs may already contain WebIdentityToken values, or a RocketMQ administrator password may have been read through the affected interfaces, treat those credentials as compromised and rotate them in addition to upgrading.
