UNSUPPORTED WHEN ASSIGNED Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora.
An endpoint exposing internals to unauthenticated users can be used as a “padding oracle” allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
[
{
"vendor": "Apache Software Foundation",
"product": "Apache Aurora",
"versions": [
{
"status": "affected",
"version": "0.5.0",
"versionType": "semver",
"lessThanOrEqual": "*"
}
],
"defaultStatus": "unaffected"
}
]
[
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_aurora:*:*:*:*:*:*:*:*"
],
"vendor": "apache_software_foundation",
"product": "apache_aurora",
"versions": [
{
"status": "affected",
"version": "0.5.0",
"versionType": "semver",
"lessThanOrEqual": "*"
}
],
"defaultStatus": "unknown"
}
]