List: oss-security
Subject: [oss-security] CVE-2024-24683: Apache Hop Engine: ID isn't escaped when generating HTML
From: Hans Van Akelyen <hansva () apache ! org>
Date: 2024-03-18 20:02:00
Message-ID: 10544beb-6e33-1f1d-ab77-0c6e221fd2ac () apache ! org
Severity: low
Affected versions:
- Apache Hop Engine before 2.8.0
Description:
Improper Input Validation vulnerability in Apache Hop Engine. This issue affects Apache Hop Engine: before 2.8.0.
Users are recommended to upgrade to version 2.8.0, which fixes the issue.
When Hop Server writes links to the PrepareExecutionPipelineServlet page, one of the parameters provided to the user was not properly escaped. The variable not properly escaped is the "id", which is not directly accessible by users creating pipelines, making the risk of exploiting this low.
This issue only affects users using the Hop Server component and does not directly affect the client.
Credit:
Jonathan Leitschuh (finder)
References:
https://hop.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-24683