In Nginx versions from 1.25.0 to before 1.26.1 a medium severity vulnerability CVE-2024-35200 was detected. This issue affects NGINX Plus and NGINX OSS when using the HTTP/3 module. Attackers can cause a denial-of-service (DoS) by stopping NGINX worker processes. Only the data plane is affected, not the control plane. Affected organizations should fix this problem immediately to reduce the risk. For additional details, visit https://avd.aquasec.com/nvd/2024/cve-2024-35200.
In Apache Airflow FTP Provider versions before 3.7.0 a high severity vulnerability CVE-2024-29733 was detected. This problem involves incomplete checks on certificates during secure FTP connections, which could be exploited. To fix this, proper certificate validation should be implemented by updating to version 3.7.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-29733/.
In Apache Airflow version 2.9.0 a critical security vulnerability CVE-2024-32077 was detected. This vulnerability allows attackers to inject data into the task instance logs. To address this issue, users are advised to upgrade to version 2.9.1. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-32077/.
In Fluent Bit versions 2.0.7 to 3.0.3 a critical security vulnerability CVE-2024-4323 was detected. This vulnerability allows attackers to parse trace requests and may result in remote code execution. There is no actual solution for this vulnerability. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-4323/.
In Ghost versions from the beginning up to 1.4.0 a high severity vulnerability CVE-2024-34559 was detected. To protect sensitive information, it’s essential to adjust log settings properly before releasing a product. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34559/.
In GitLab versions before 16.10.6, 16.11.3, and 17.0.1 a high severity vulnerability CVE-2024-4835 was detected. Attackers can create a harmful webpage and steal sensitive user data. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4835/.
In WordPress a high severity vulnerability CVE-2024-31210 was detected. Administrative users in WordPress may unintentionally upload harmful files when adding new plugins, potentially leading to unauthorized execution of code. However, this mainly affects high-level administrators and multi-site setups, with lower-level users and sites with specific security configurations being unaffected. This vulnerability is resolved in WordPress version 6.4.3 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31210/.
In Airflow versions 2.7.0 through 2.8.4 a medium severity vulnerability CVE-2024-31869 was detected. A security flaw exposes sensitive provider configurations to authenticated users via the ‘configuration’ UI page when certain settings are configured, affecting mainly the Celery provider. Consider upgrading to Airflow version 2.9 or adjusting your expose_config setting to False as a temporary solution. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31869/.
In Node.js versions up to 21.7.2 a command injection vulnerability CVE-2024-3566 was detected. It lets an attacker run commands on Windows apps that indirectly depend on the CreateProcess function when the specific conditions are satisfied. There’s no fix available for this issue at the moment. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3566/.