Security
Headlines
HeadlinesLatestCVEs

Tag

#apache

RHSA-2023:0005: Red Hat Security Advisory: bcel security update

An update for bcel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

Red Hat Security Data
Open in Source
#vulnerability#web#linux#red_hat#apache#nodejs#js#java#kubernetes#aws#ibm
CVE-2022-37787: GitHub - WeBankPartners/wecube-platform: WeCube Platform

An issue was discovered in WeCube platform 3.2.2. A DOM XSS vulnerability has been found on the plugin database execution page.

GHSA-f5q9-j9r2-34gq: Apache Kylin vulnerable to Command injection by Useless configuration

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the `kylin.engine.spark-cmd` parameter of `conf`.

GHSA-w9rv-xmf7-x3gh: Apache Kylin vulnerable to Command injection by Diagnosis Controller

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.

CVE-2022-4855: webray.com.cn/leadmanasql.md at main · joinia/webray.com.cn

A vulnerability, which was classified as critical, was found in SourceCodester Lead Management System 1.0. Affected is an unknown function of the file login.php. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-217020.

Stupid security 2022 – this year’s infosec fails

Epic web security fails and salutary lessons from another inevitably eventful year in infosec

CVE-2022-23553: Alpine/WhitelistUrlFilter.java at alpine-parent-1.10.2 · stevespringett/Alpine

Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10.4. There are no known workarounds.

CVE-2022-4772: [SECURITY] Fix Zip Slip Vulnerability by JLLeitschuh · Pull Request #551 · dgarijo/Widoco

A vulnerability was found in Widoco and classified as critical. Affected by this issue is the function unZipIt of the file src/main/java/widoco/WidocoUtils.java. The manipulation leads to path traversal. It is possible to launch the attack on the local host. The name of the patch is f2279b76827f32190adfa9bd5229b7d5a147fa92. It is recommended to apply a patch to fix this issue. VDB-216914 is the identifier assigned to this vulnerability.

CVE-2022-26969: Cross-Origin Resource Sharing (CORS) - HTTP | MDN

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.