CVE-2022-45402: Apache Airflow: Open redirect during login

2022-11-14 Thread Jedidiah Cunningham
Description: In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. Credit: The Apache Airflow PMC would like to thank Bugra Eskici for reporting this issue. References: https://github.com/apache/airflow/pull/27576

[ANN] Apache Tomcat 9.0.69 available

2022-11-14 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.69. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.69 is a bugfix and

[ANN] Apache Tomcat 10.1.2 available

2022-11-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.2. Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

CVE-2022-45136: JDBC Deserialisation in Apache Jena SDB

2022-11-14 Thread Rob Vesse
Severity: low Description: ** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in

[ANN] Apache Syncope 3.0.0

2022-11-14 Thread Francesco Chicchiriccò
The Apache Syncope team is pleased to announce the release of Syncope 3.0.0. Apache Syncope is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology. Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning,

[ANNOUNCEMENT] HttpComponents Core 5.1.5 GA released

2022-11-14 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce 5.1.5 GA release of HttpComponents Core. This is a maintenance release that corrects several minor defects discovered since release 5.1.4. This is likely to be the last release in the 5.1 release series. Users of HttpCore 5.1 are advised

CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code

2022-11-14 Thread Arnout Engelen
Severity: moderate Description: ** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes

[ANNOUNCE] Apache Airflow 2.4.3 Released

2022-11-14 Thread Ephraim Anierobi
Dear community, I'm happy to announce that Airflow 2.4.3 was just released. The released sources and packages can be downloaded via https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html Other installation methods are described in

CVE-2022-27949: Apache Airflow: sensitive values in rendered template

2022-11-14 Thread Jarek Potiuk
Severity: low Description: A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache

CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example

2022-11-14 Thread Jarek Potiuk
Severity: low Description: A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0. Mitigation: