Apache Atlas versions 0.6.0 (incubating), 0.7.0 (incubating), and 0.7.1 (incubating) allow access to the webapp directory contents by pointing to URIs like /js and /img.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-8752
https://lists.apache.or…
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Reflected XSS in the search functionality.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-3153
https://lists.apache.org/thread.html/4a4fef91e067fd0d9da569e30867…
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to DOM XSS in the edit-tag functionality.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-3152
https://lists.apache.org/thread.html/4a4fef91e067fd0d9da569e30867c1fa…
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-3155
https://lists.apache.org/thread.html/4a4fef91e067fd0d9da569e30867c1fa65e2a0520acde71d…
Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-3154
https://lists.apache.org/thread.html/4a4fef91e067fd0d9da56…
Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to…
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to “compromise internal state of an application” via unspecified vectors. In Struts 2.3.20.1 a better set of exlude patterns was defined.
References
https://nv…
When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user’s concurrentl…
mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-15612
https://github.com/lepture…
The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS s…
