Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions.

We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.

Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them. Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution. This issue affects Apache Allura from 1.0.1 through 1.15.0.