Apache Tomcat Conditional Competition Code Execution Vulnerability (CVE-2024-50379)
December 19, 2024
Overview Recently, NSFOCUS CERT detected that Apache issued a security announcement, fixing the Apache Tomcat conditional competition code execution vulnerability (CVE-2024-50379). Due to the inconsistency between Windows file system and Tomcat in case-distinguishing processing of paths, when the write function of default servlet is enabled (set readonly=false and allow PUT method), unauthenticated attackers can construct […]
Apache ActiveMQ Remote Code Execution Vulnerability Notification
October 25, 2023
Overview Recently, NSFOCUS CERT found that the open source message middleware ActiveMQ developed by the Apache Software Foundation had an XML external entity injection vulnerability. Since the port 61616 was opened by default after the installation of ActiveMQ was started, and the TcpTransport function did not perform necessary checks on the data, an attacker could […]
Multiple Apache HTTP Server Security Vulnerabilities
March 10, 2023
Overview Recently, NSFOCUS CERT found that Apache has issued an official security notice to fix multiple Apache HTTP Server vulnerabilities. Affected users should take protective measures as soon as possible. Apache HTTP Server Request Smuggling Vulnerability (CVE-2023-25690): When mod_ When proxy is enabled with some form of RewriteRule or ProxyPassMatch, a non-specific pattern will match […]
Apache Airflow Remote Code Execution Vulnerability (CVE-2022-40127)
November 22, 2022
Overview On November 21, NSFOCUS CERT discovered on Internet a PoC of a remote code execution vulnerability (CVE-2022-40127) in Apache Airflow. Due to the flaw in Example Dags in Apache Airflow, an attacker with UI access rights can use this vulnerability to trigger Dags, and then by manually providing the run_id parameter, attacker can execute […]
Apache log4j Deserialization and SQL Injection Vulnerability (CVE-2022-23302/CVE-2022-23305/CVE-2022-23307) Alert
January 26, 2022
Overview On January 19, NSFOCUS CERT detected that Apache released a security bulletin that disclosed three Log4j vulnerabilities, all of which affected the Apache Log4j 1.x version, and the official support and maintenance are no longer available. Please take measures as soon as possible to protect the relevant users. Apache log4j JMSSink Deserialization Code Execution […]
Apache Solr ConfigSet API Upload Function Vulnerability (CVE-2020-13957) Threat Alert
November 3, 2020
Overview
Recently, Apache Solr fixed a vulnerability (CVE-2020-13957) in the Configsets API upload function. Attackers could perform unauthorized operations by using a combination of UPLOAD/CREATE actions, which might eventually lead to command execution.
Apache Solr is an enterprise search server that is based on Lucene.
(more…)Apache DolphinScheduler High-Risk Vulnerabilities (CVE-2020-11974, CVE-2020-13922) Threat Alert
September 23, 2020
1. Vulnerability Description
On September 11, 2020, NSFOCUS detected that the Apache Software Foundation released security advisories fixing Apache DolphinScheduler permission overwrite vulnerability (CVE-2020-13922) and Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974). CVE-2020-11974 is related to mysql connectorj remote code execution vulnerability. When choosing mysql as database, an attacker could execute code remotely on the DolphinScheduler server by inputting {“detectCustomCollations”:true, “autoDeserialize”:true} through jdbc connect parameters. CVE-2020-13922 allows an ordinary user to overwrite other users’ passwords in the DolphinScheduler system through api interface /dolphinscheduler/users/update. Affected users are advised to upgrade without delay.
(more…)Apache Dubbo Remote Code Execution Vulnerability (CVE-2020-1948) Patch Bypass Threat Alert
July 6, 2020
Overview
On June 23, NSFOCUS reported that Apache Dubbo contained a remote code execution vulnerability (CVE-2020-1948) resulting from deserialization.
Apache Dubbo is a high-performance Java RPC framework. The vulnerability exists in Hessian, a default deserialization tool used by Apache Dubbo. An attacker may exploit it by sending malicious RPC requests which usually contain unidentifiable service or method names and some malicious parameter loads. When malicious parameters are deserialized, the vulnerability is triggered, allowing the attackers to remotely execute code.
(more…)Apache Tomcat Session Deserialization Code Execution Vulnerability (CVE-2020-9484) Threat Alert
June 5, 2020
Overview Recently, Apache Tomcat released a security advisory, announcing the fix of a remote code execution vulnerability (CVE-2020-9484) due to persistent session. An attacker can exploit this vulnerability only when the following conditions are met: The attacker can take control of the contents and name of a file on the server. The server is configured […]
Apache Dubbo Deserialization Vulnerability (CVE-2019-17564) Threat Alert
February 25, 2020
Overview
Recently, researchers from the Chekmarx team discovered and released a deserialization vulnerability (CVE-2019-17564) existing in Apache Dubbo.
Apache Dubbo is a high-performance Java RPC framework. This vulnerability exists in Dubbo application which has the HTTP protocol enabled for communication. An attacker could exploit this vulnerability by submitting a POST request with a Java object, thereby completely compromising a Provider instance of Apache Dubbo. (more…)
