{
  "vulnerability": "cve-2024-3967",
  "sightings": [
    {
      "uuid": "f5d5268d-f743-4c3d-b0c9-5bccc3f77545",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39676",
      "type": "seen",
      "source": "https://t.me/DarkWebInformer_CVEAlerts/7612",
      "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-39676\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot.\n\nThis issue affects Apache Pinot: from 0.1 before 1.0.0.\n\nUsers are recommended to upgrade to version 1.0.0\u00a0and configure RBAC, which fixes the issue.\n\nDetails:\u00a0\n\nWhen using a request to path \u201c/appconfigs\u201d to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the  Role-based Access Control https://docs.pinot.apache.org/operators/tutorials/authentication/basic-auth-access-control , so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added.\n\n\n\ud83d\udccf Published: 2024-07-24T07:41:09.856Z\n\ud83d\udccf Modified: 2025-03-14T17:19:59.450Z\n\ud83d\udd17 References:\n1. https://lists.apache.org/thread/hsm0b2w8qr0sqy4rj1mfnnw286tslpzc",
      "creation_timestamp": "2025-03-14T17:49:00.000000Z"
    },
    {
      "uuid": "2dc17a8a-9568-4075-88c7-cf1add3cfe1f",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39672",
      "type": "seen",
      "source": "https://t.me/cvedetector/1626",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39672 - Cisco Memory Module Information Disclosure\", \n  \"Content\": \"CVE ID : CVE-2024-39672 \nPublished : July 25, 2024, 12:15 p.m. | 41\u00a0minutes ago \nDescription : Memory request logic vulnerability in the memory module.  \nImpact: Successful exploitation of this vulnerability will affect integrity and availability. \nSeverity: 8.4 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"25 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-25T15:14:33.000000Z"
    },
    {
      "uuid": "190531f8-ec74-462d-af2d-885ba042b9e7",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39673",
      "type": "seen",
      "source": "https://t.me/cvedetector/1625",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39673 - iAware WebService Serialisation Mismatch Information Disclosure Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-39673 \nPublished : July 25, 2024, 12:15 p.m. | 41\u00a0minutes ago \nDescription : Vulnerability of serialisation/deserialisation mismatch in the iAware module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. \nSeverity: 6.8 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"25 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-25T15:14:32.000000Z"
    },
    {
      "uuid": "bf2cc0a1-d640-464b-8e2c-70ba35950bf7",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39674",
      "type": "seen",
      "source": "https://t.me/cvedetector/1624",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39674 - Oracle WebLogic Gallery Unauthorized Information Disclosure\", \n  \"Content\": \"CVE ID : CVE-2024-39674 \nPublished : July 25, 2024, 12:15 p.m. | 41\u00a0minutes ago \nDescription : Plaintext vulnerability in the Gallery search module.  \nImpact: Successful exploitation of this vulnerability will affect availability. \nSeverity: 6.2 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"25 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-25T15:14:31.000000Z"
    },
    {
      "uuid": "5f050c27-8620-4393-b2c6-95e7dfb8b29b",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39670",
      "type": "seen",
      "source": "https://t.me/cvedetector/1628",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39670 - Apache Account Synchronisation Privilege Escalation Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-39670 \nPublished : July 25, 2024, 12:15 p.m. | 41\u00a0minutes ago \nDescription : Privilege escalation vulnerability in the account synchronisation module.  \nImpact: Successful exploitation of this vulnerability will affect availability. \nSeverity: 6.2 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"25 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-25T15:14:35.000000Z"
    },
    {
      "uuid": "5946eda6-a6bb-49f2-8017-881cd64637e9",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39671",
      "type": "seen",
      "source": "https://t.me/cvedetector/1627",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39671 - Cisco Security Verification Module Authentication Bypass\", \n  \"Content\": \"CVE ID : CVE-2024-39671 \nPublished : July 25, 2024, 12:15 p.m. | 41\u00a0minutes ago \nDescription : Access control vulnerability in the security verification module.  \nImpact: Successful exploitation of this vulnerability may affect service confidentiality. \nSeverity: 9.3 | CRITICAL \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"25 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-25T15:14:34.000000Z"
    },
    {
      "uuid": "76224e4d-a21f-406c-a04d-6e73e2a05478",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39676",
      "type": "seen",
      "source": "https://t.me/cvedetector/1554",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39676 - Apache Pinot Sensitive Information Disclosure\", \n  \"Content\": \"CVE ID : CVE-2024-39676 \nPublished : July 24, 2024, 8:15 a.m. | 27\u00a0minutes ago \nDescription : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot.  \n  \nThis issue affects Apache Pinot: from 0.1 before 1.0.0.  \n  \nUsers are recommended to upgrade to version 1.0.0\u00a0and configure RBAC, which fixes the issue.  \n  \nDetails:\u00a0  \n  \nWhen using a request to path \u201c/appconfigs\u201d to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the  Role-based Access Control  , so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"24 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-24T10:47:53.000000Z"
    },
    {
      "uuid": "197774a5-604b-4ad5-97f9-d74ef462e0e4",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39678",
      "type": "seen",
      "source": "https://t.me/cvedetector/1134",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39678 - Cooked WordPress CSRF Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-39678 \nPublished : July 18, 2024, 1:15 a.m. | 42\u00a0minutes ago \nDescription : Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-18T04:15:38.000000Z"
    },
    {
      "uuid": "1a8f7ff2-ffd5-4a6d-8898-104c306d5e92",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39675",
      "type": "seen",
      "source": "https://t.me/cvedetector/337",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39675 - A vulnerability has been identified in RUGGEDCOM R\", \n  \"Content\": \"CVE ID : CVE-2024-39675 \nPublished : July 9, 2024, 12:15 p.m. | 26\u00a0minutes ago \nDescription : A vulnerability has been identified in RUGGEDCOM RMC30 (All versions Severity: 8.8 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"09 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-09T14:46:32.000000Z"
    },
    {
      "uuid": "5345aa31-da9f-4944-b3df-55b088847ae0",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39676",
      "type": "seen",
      "source": "https://t.me/CyberBulletin/172",
      "content": "\u26a1CVE-2024-39676: Apache Pinot Flaw Exposes Sensitive Data, Urgent Upgrade Needed.\n\n#CyberBulletin",
      "creation_timestamp": "2024-07-28T11:20:35.000000Z"
    },
    {
      "uuid": "a7a91b5c-90a5-43bd-a6fe-d7cbe3bf72ac",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39679",
      "type": "seen",
      "source": "https://t.me/cvedetector/1133",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39679 - Cooked WordPress CSRF Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-39679 \nPublished : July 18, 2024, 1:15 a.m. | 42\u00a0minutes ago \nDescription : Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-18T04:15:34.000000Z"
    },
    {
      "uuid": "b2231483-cbcc-4aa6-b116-a453cf26a842",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39679",
      "type": "seen",
      "source": "Telegram/R8CO20LZYOfYDjCGxCt-x9n5vEC8GskEFUzUOVv7uWDb9ooY",
      "content": "",
      "creation_timestamp": "2025-02-14T09:47:00.000000Z"
    },
    {
      "uuid": "6e68cff8-9e4d-4d23-92d7-6299901c03f7",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39677",
      "type": "seen",
      "source": "https://t.me/cvedetector/183",
      "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39677 - NHibernate is an object-relational mapper for the\", \n  \"Content\": \"CVE ID : CVE-2024-39677 \nPublished : July 8, 2024, 3:15 p.m. | 32\u00a0minutes ago \nDescription : NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes mappings using inheritance with discriminator values; HQL queries referencing a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities, calling their AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods for building SQL queries on the user side. This vulnerability is fixed in 5.4.9 and 5.5.2. \nSeverity: 5.9 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39",
      "creation_timestamp": "2024-07-08T17:50:19.000000Z"
    },
    {
      "uuid": "438c50d6-d276-4bb1-978f-07a059ff9d22",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39676",
      "type": "published-proof-of-concept",
      "source": "https://t.me/HackingInsights/7613",
      "content": "\u200aCVE-2024-39676: Apache Pinot Flaw Exposes Sensitive Data, Urgent Upgrade Needed\n\nhttps://securityonline.info/cve-2024-39676-apache-pinot-flaw-exposes-sensitive-data-urgent-upgrade-needed/",
      "creation_timestamp": "2024-07-27T14:17:25.000000Z"
    },
    {
      "uuid": "f7110542-416a-432d-8d6f-3b274ee264ed",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39678",
      "type": "seen",
      "source": "Telegram/X-iiMcmbKZEdTOtLK9-DS5EMdqyQU0S4m4A2CR5zBlWLC_Ak",
      "content": "",
      "creation_timestamp": "2025-02-14T09:47:00.000000Z"
    },
    {
      "uuid": "1050e968-7f71-4fbc-8a29-2cfdc98093da",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39676",
      "type": "seen",
      "source": "https://t.me/dilagrafie/3515",
      "content": "\u26a1CVE-2024-39676: Apache Pinot Flaw Exposes Sensitive Data, Urgent Upgrade Needed.\n\n#CyberBulletin",
      "creation_timestamp": "2024-07-27T11:15:04.000000Z"
    },
    {
      "uuid": "bed59ff9-10f1-496c-a66f-5d9921037ae1",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39676",
      "type": "seen",
      "source": "https://t.me/GrayHatsHack/7039",
      "content": "\u26a1CVE-2024-39676: Apache Pinot Flaw Exposes Sensitive Data, Urgent Upgrade Needed.\n\n#CyberBulletin",
      "creation_timestamp": "2024-07-27T11:18:27.000000Z"
    },
    {
      "uuid": "acc7659f-feb6-40ca-9d1e-513478e95d04",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2024-39676",
      "type": "seen",
      "source": "https://t.me/GrayHatsHack/8346",
      "content": "\u26a1CVE-2024-39676: Apache Pinot Flaw Exposes Sensitive Data, Urgent Upgrade Needed.\n\n#CyberBulletin",
      "creation_timestamp": "2024-07-27T11:18:27.000000Z"
    }
  ]
}