Data Management and Analytics

In Apache Airflow Providers FAB versions 1.2.1 (when used with Apache Airflow 2.9.3), FAB 1.2.0 for all Airflow versions a critical severity vulnerability CVE-2024-42447 was detected. This vulnerability allows attackers to maintain access to the application even after the user attempts to log out by exploiting session persistence. To fix this issue, users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42447.

In JupyterLab versions before 3.6.7 and from 4.0.0 to 4.2.4 a high severity vulnerability CVE-2024-43805 was detected. This vulnerability allows attackers to gain access to any data the victim can access and execute arbitrary requests as if they were the victim by exploiting a vulnerability in JupyterLab through malicious notebooks or Markdown files. To fix this problem, users should upgrade JupyterLab to versions 3.6.8 and 4.2.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43805.

In MongoDB Server versions 5.0 prior to 5.0.14 and 6.0 prior to 6.0.3 a medium severity vulnerability CVE-2024-8207 was detected. This vulnerability allows attackers with access to the server to take control of the MongoDB process by loading malicious files when it starts. To fix this problem, users should upgrade MongoDB Server to versions 6.1.1, 5.0.14, and 6.0.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8207.

In OpenSearch versions 2.16.0, 1.3.19 and earlier a medium severity vulnerability CVE-2024-43794 was detected. The Dashboards Security Plugin adds a user interface for managing security features. Improper validation of the nextUrl parameter may cause an external redirect during login if certain parameters are manipulated. To fix this problem, users should upgrade to version 1.3.19 or 2.16.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43794.

In CKAN versions 2.7.0 and before 2.10.5 a high severity vulnerability CVE-2024-41675 was detected. This vulnerability allows attackers to inject malicious scripts into the data displayed on a webpage, leading to potential theft of user data, session hijacking, or redirection to harmful sites. To fix this issue, users must update CKAN to versions 2.10.5 or 2.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-41675.

In Apache Airflow versions before 2.10.0 a medium severity vulnerability CVE-2024-41937 was detected. This vulnerability allows attackers to potentially run harmful scripts on a user’s browser when they click on a provider link in Apache Airflow, potentially leading to data theft. To fix this problem, users should upgrade Apache Airflow to version 2.10.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-41937.

In CKAN versions before 2.0.0 and 2.10.5 a medium severity vulnerability CVE-2024-41674 was detected. This vulnerability allows potential exposure of sensitive information, like internal Solr URLs and credentials, in error messages when there are connection issues between CKAN and the Solr server. To fix this issue, users must upgrade CKAN to versions 2.10.5 and 2.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-41674.

In CKAN versions 2.10.5 and earlier a medium severity vulnerability CVE-2024-43371 was detected. CKAN plugins that download content from resource URLs lack restrictions on what URLs can be accessed, making them vulnerable to Server Side Request Forgery (SSRF) attacks. To fix this problem, users should upgrade to version 2.10.5 or 2.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43371.

In Grafana versions 11.1.0, 11.1.2 a medium severity vulnerability CVE-2024-27186 was detected. This vulnerability allows attackers to bypass access control for plugin data sources protected by the ReqActions json field in the plugin.json file. To fix the issue, users must upgrade Grafana to versions 11.1.1 or 11.1.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6322.