#java

Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7692: PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enou...

Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3064: A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.

### Impact If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues since there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice . ### Patches Login authentication for eureka was added in https://github.com/apolloconfig/apollo/pull/4663 and was released in [v2.1.0](https://github.com/apolloconfig/apollo/releases/tag/v2.1.0). ### Workarounds To fix the potential issue without upgrading, simply follow the advice that does not expose apollo-configservice to the internet. ### References [Apollo Security Guidence](https://www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related) ### For more information If you have any questions or comments about this advisory: * Open an issue in [issue](https://github.com/apolloconfig/apollo/issues) * Email us at [[email protected]](mailto:apo...

### Impact A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. ### Patches Cookie SameSite strategy was set to Lax in #4664 and was released in [v2.1.0](https://github.com/apolloconfig/apollo/releases/tag/v2.1.0). ### Workarounds To fix the potential issue without upgrading, simply follow the advice that does not visit unknown source pages. ### References [Apollo Security Guidence](https://www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related) ### For more information If you have any questions or comments about this advisory: * Open an issue in [issue](https://github.com/apolloconfig/apollo/issues) * Email us at [[email protected]](mailto:[email protected])

A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.

Open source software dependencies are affecting the software security of different industries in different ways, with mature industries becoming more selective in their open source usage.

Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.

Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps.

### Impact GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations: 1. ``PropertyIsLike`` filter * Requires PostGIS DataStore with "encode functions" enabled * Or any JDBCDataStore (all relational databases) with String field (no mitigation) 3. ``strEndsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 5. ``strStartsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 6. ``FeatureId`` filter * Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does) 7. ``jsonArrayContains`` function * Requires PostGIS and Oracle DataStore with String or JSON field 8. ``DWithin`` filter * Happe...

### Impact GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. SQL Injection Vulnerabilities have been found with: * ``PropertyIsLike`` filter, when used with a String field and any database DataStore, or with a PostGIS DataStore with encode functions enabled * ``strEndsWith`` function, when used with a PostGIS DataStore with encode functions enabled * ``strStartsWith`` function, when used with a PostGIS DataStore with encode functions enabled * ``FeatureId`` filter, when used with any database table having a String primary key column and when prepared statements are disabled * ``jsonArrayContains`` function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only) * ``DWithin`` filter, when used with an Oracle D...