
Multiple Apache Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2022-41137 CVSS:8.8

Apache Hive could allow a remote authenticated attacker to execute arbitrary code on the system, caused by unsafe deserialization in the SerializationUtilities#deserializeObjectWithTypeInformation method. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2024-55633 CVSS:6.5

Apache Superset could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation. By sending a specially crafted SQL DML statement, an attacker could exploit this vulnerability to gain unauthorized write access.

CVE-2024-53677 CVSS:9

Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by flawed file upload logic, which, if manipulated, can lead to unauthorized path traversal. By uploading a specially crafted archive file containing directory traversal sequences, an attacker could exploit this vulnerability to execute arbitrary code on the system.
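One defensive check that follows from the Struts description above: inspect an uploaded archive's entry names for traversal before anything is extracted, and reject the whole upload if any entry would escape the target directory. This is an added illustration in Python, not code from this advisory or from Apache Struts; the sample archive and its entry names are constructed for the example.

```python
import io
import posixpath
import re
import zipfile

# Drive-letter prefix such as "C:" (archives built on Windows may carry one).
_DRIVE = re.compile(r"^[A-Za-z]:")


def entry_is_unsafe(name: str) -> bool:
    """True if an archive entry name would land outside the extraction
    directory: absolute path, drive letter, or a leading '..' that survives
    normalisation. Backslashes are treated as separators because Windows
    extractors honour them."""
    n = name.replace("\\", "/")
    if n.startswith("/") or _DRIVE.match(n):
        return True
    norm = posixpath.normpath(n)
    return norm == ".." or norm.startswith("../")


def unsafe_archive_entries(archive_bytes: bytes) -> list[str]:
    """Names of all entries in a zip (given as bytes) that fail the check.
    Reject the whole upload when this list is non-empty instead of
    extracting only the 'good' entries."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [name for name in zf.namelist() if entry_is_unsafe(name)]


def build_constructed_archive() -> bytes:
    """Constructed sample archive for the demonstration; names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "stays inside the target directory")
        zf.writestr("docs/../notes.txt", "resolves to notes.txt, still inside")
        zf.writestr("../../outside.txt", "escapes through parent references")
        zf.writestr("/etc/absolute.txt", "absolute path")
    return buf.getvalue()


if __name__ == "__main__":
    for flagged in unsafe_archive_entries(build_constructed_archive()):
        print("rejecting upload, unsafe entry:", flagged)
```

Python's own `ZipFile.extract()` strips such components before writing, so the value of this check is in refusing and logging the upload at the application boundary rather than relying on whichever extractor eventually handles the file.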

CVE-2024-53948 CVSS:4.3

Apache Superset could allow a remote authenticated attacker to obtain sensitive information, caused by the generation of an error message containing analytics metadata. An attacker could exploit this vulnerability to obtain sensitive information.

Impact

  • Security Bypass
  • Code Execution
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2022-41137
  • CVE-2024-55633
  • CVE-2024-53677
  • CVE-2024-53948

Affected Vendors

Apache

Affected Products

  • Apache Hive - 4.0.0-alpha-1
  • Apache Superset - 4.0.0
  • Apache Struts - 2.0.0
  • Apache Struts - 2.3.37
  • Apache Struts - 2.5.0
  • Apache Struts - 2.5.33
  • Apache Superset - 4.0.2

Remediation

Upgrade to the latest version of each affected Apache product, available from the Apache website.
