Data Management and Analytics

In Apache Airflow versions 2.10.0 a low severity vulnerability CVE-2024-45498 was detected. This vulnerability allows attackers to create a fake login page and deceive users into authenticating with attacker-controlled credentials due to the absence of a unique token in the authentication POST request. To fix this problem, users should upgrade to version 2.10.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45498.

In Apache Airflow versions before 2.10.1 a high severity vulnerability CVE-2024-45034 was detected. This vulnerability allows DAG authors to add local settings to the DAG folder, which can be executed by the scheduler, bypassing its intended restrictions. To fix this problem, users should upgrade to version 2.10.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45034.

In Lightdash version 0.1024.6 a high severity vulnerability CVE-2024-6586 has been detected. This vulnerability allows users with the necessary permissions to create and share dashboards containing HTML elements that can point to a threat actor-controlled source, which may trigger an SSRF request when exported via a POST request to /api/v1/dashboards//export. To fix this issue, users should upgrade to Lightdash version 0.1027.2. For more details, please visit the https://nvd.nist.gov/vuln/detail/CVE-2024-6586.

In Lightdash version 0.1024.6 a high severity vulnerability (CVE-2024-6585) was detected. This vulnerability allows attackers to inject malicious code into a website, potentially stealing user data or performing harmful actions in their browsers. To fix this problem, users should upgrade Lightdash to version 0.1042.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6585.

In Grafana versions 1.1.37 to 1.5.1 a critical severity vulnerability CVE-2024-5526 was detected. This vulnerability involves unsanitized inputs in the webhook functionality that can be exploited, allowing attackers to perform a Server Side Request Forgery attack. To fix this problem, users should upgrade Grafana OnCall to version 1.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5526.

In Apache Airflow Providers FAB versions 1.2.1 (when used with Apache Airflow 2.9.3), FAB 1.2.0 for all Airflow versions a critical severity vulnerability CVE-2024-42447 was detected. This vulnerability allows attackers to maintain access to the application even after the user attempts to log out by exploiting session persistence. To fix this issue, users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42447.

In JupyterLab versions before 3.6.7 and from 4.0.0 to 4.2.4 a high severity vulnerability CVE-2024-43805 was detected. This vulnerability allows attackers to gain access to any data the victim can access and execute arbitrary requests as if they were the victim by exploiting a vulnerability in JupyterLab through malicious notebooks or Markdown files. To fix this problem, users should upgrade JupyterLab to versions 3.6.8 and 4.2.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43805.

In MongoDB Server versions 5.0 prior to 5.0.14 and 6.0 prior to 6.0.3 a medium severity vulnerability CVE-2024-8207 was detected. This vulnerability allows attackers with access to the server to take control of the MongoDB process by loading malicious files when it starts. To fix this problem, users should upgrade MongoDB Server to versions 6.1.1, 5.0.14, and 6.0.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8207.

In OpenSearch versions 2.16.0, 1.3.19 and earlier a medium severity vulnerability CVE-2024-43794 was detected. The Dashboards Security Plugin adds a user interface for managing security features. Improper validation of the nextUrl parameter may cause an external redirect during login if certain parameters are manipulated. To fix this problem, users should upgrade to version 1.3.19 or 2.16.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43794.