[ANNOUNCE] Apache Kyuubi Shaded released 0.4.0

2024-04-09 Thread Cheng Pan
Hi all, The Apache Kyuubi community is pleased to announce that Apache Kyuubi Shaded 0.4.0 has been released! The full release notes are available at: Release Notes: https://kyuubi.apache.org/shaded-release/0.4.0.html To learn more about Apache Kyuubi, please see https://kyuubi.apache.org/

[ANNOUNCE] Apache Groovy 4.0.21 released

2024-04-09 Thread Paul King
Dear community, The Apache Groovy team is pleased to announce version 4.0.21 of Apache Groovy which includes support for running Groovy on JDK 23. Apache Groovy is a multi-faceted programming language for the JVM. Further details can be found at the https://groovy.apache.org website. This

[ANNOUNCE] Apache Jackrabbit Oak 1.62.0 released

2024-04-09 Thread Julian Reschke
The Apache Jackrabbit community is pleased to announce the release of Apache Jackrabbit Oak 1.62.0. The release is available for download at: http://jackrabbit.apache.org/downloads.html See the full release notes below for details about this release: Release Notes -- Apache Jackrabbit

CVE-2024-31863: Apache Zeppelin: Replacing other users notebook, bypassing any permissions

2024-04-09 Thread Jongyoul Lee
Severity: moderate Affected versions: - Apache Zeppelin 0.10.1 before 0.11.0 Description: Authentication Bypass by Spoofing vulnerability by replacing existing notes in Apache Zeppelin. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to

CVE-2024-31862: Apache Zeppelin: Denial of service with invalid notebook name

2024-04-09 Thread Jongyoul Lee
Severity: moderate Affected versions: - Apache Zeppelin 0.10.1 before 0.11.0 Description: Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to

CVE-2022-47894: Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE

2024-04-09 Thread Jongyoul Lee
Severity: moderate Affected versions: - Apache Zeppelin SAP 0.8.0 before 0.11.0 Description: Improper Input Validation vulnerability in Apache Zeppelin SAP. This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that

[ANNOUNCE] Apache Groovy 5.0.0-alpha-8 released

2024-04-09 Thread Paul King
Dear community, The Apache Groovy team is pleased to announce version 5.0.0-alpha-8 of Apache Groovy which includes support for running Groovy on JDK 23. Apache Groovy is a multi-faceted programming language for the JVM. Further details can be found at the https://groovy.apache.org website.

CVE-2021-28656: Apache Zeppelin: CSRF vulnerability in the Credentials page

2024-04-09 Thread Jongyoul Lee
Severity: low Affected versions: - Apache Zeppelin through 0.9.0 Description: Cross-Site Request Forgery (CSRF) vulnerability in the Credentials page of Apache Zeppelin allows an attacker to submit a malicious request. This issue affects Apache Zeppelin version 0.9.0 and prior

CVE-2024-31860: Apache Zeppelin: Path traversal vulnerability

2024-04-09 Thread Jongyoul Lee
Severity: low Affected versions: - Apache Zeppelin 0.9.0 before 0.11.0 Description: Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators (e.g. ..), attackers can see the contents of any files in the filesystem that the server account can access. This

[ANNOUNCE] Apache Commons IO 2.16.1

2024-04-09 Thread Gary Gregory
The Apache Commons team is pleased to announce Apache Commons IO 2.16.1. The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. Java 8 is required. Fixed Bugs -- o

CVE-2024-31865: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges

2024-04-09 Thread Jongyoul Lee
Severity: moderate Affected versions: - Apache Zeppelin 0.8.2 before 0.11.1 Description: Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue

CVE-2024-31864: Apache Zeppelin: Remote code execution by adding malicious JDBC connection string

2024-04-09 Thread Jongyoul Lee
Severity: moderate Affected versions: - Apache Zeppelin before 0.11.1 Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting to a MySQL database via the JDBC driver.

CVE-2024-31867: Apache Zeppelin: LDAP search filter query Injection Vulnerability

2024-04-09 Thread Jongyoul Lee
Severity: moderate Affected versions: - Apache Zeppelin 0.8.2 before 0.11.1 Description: Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache

DotPulsar version 3.2.0

2024-04-09 Thread David Jensen
The Apache Pulsar team is proud to announce DotPulsar version 3.2.0. Pulsar is a highly scalable, low-latency messaging platform running on commodity hardware. It provides simple pub-sub semantics over topics, guaranteed at least once delivery of messages, automatic cursor management for

CVE-2024-31866: Apache Zeppelin: Interpreter download command does not escape malicious code injection

2024-04-09 Thread Jongyoul Lee
Severity: moderate Affected versions: - Apache Zeppelin 0.8.2 before 0.11.1 Description: Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.

CVE-2024-31868: Apache Zeppelin: XSS vulnerability in the helium module

2024-04-09 Thread Jongyoul Lee
Severity: moderate Affected versions: - Apache Zeppelin 0.8.2 before 0.11.1 Description: Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and expose XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2