Security
Headlines
HeadlinesLatestCVEs

Tag

#maven

GHSA-gvc7-gjrw-hj65: Improper Verification of Cryptographic Signature in aws-encryption-sdk-java

AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.

ghsa
#vulnerability#amazon#git#java#aws#maven
GHSA-8525-52vg-jv6v: Qualys Jenkins Plugin for Policy Compliance XML External Entity vulnerability

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data

GHSA-5gwh-r76w-934h: Qualys Jenkins Plugin for WAS XML External Entity vulnerability

Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data

GHSA-rwf9-8fqr-p44m: Qualys Jenkins Plugin for Policy Compliance Cross-site Scripting vulnerability

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and access to configure or edit jobs to utilize the plugin to configure a potential rouge endpoint via which it was possible to control response for certain request which could be injected with XSS payloads leading to XSS while processing the response data.

GHSA-8959-rfxh-r4j4: XWiki vulnerable to Denial of Service attack through attachments

### Impact A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. ### Patches This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1. ### Workarounds The workaround is to download [commons-compress 1.24](https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar) and replace the one located in XWiki `WEB-INF/lib/` folder. ### References https://jira.xwiki.org/browse/XCOMMONS-2796 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-xh35-w7wg-95v3: XWiki has no right protection on rollback action

### Impact The rollback action is missing a right protection: it means that a user can rollback to a previous version of the page to gain rights they don't have anymore. This vulnerability impacts all version of XWiki since rollback action is available. ### Patches The problem has been patched in XWiki 14.10.16, 15.5.3 and 15.8-rc-1 by ensuring that the rights are checked before performing the rollback. ### Workarounds There's no workaround for this vulnerability, except paying attention to delete old versions of documents that could allow users to gain more rights. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-21257 * Commit: [4de72875ca49602796165412741033bfdbf1e680](https://github.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680) ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@x...

GHSA-hr2c-p8rh-238h: Apache Axis Improper Input Validation vulnerability

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF. This issue affects Apache Axis through 1.3. As Axis 1 has been EOL, we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

GHSA-mpwq-j3xf-7m5w: The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted

An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "[www%2ekeycloak%2eorg%2fapp%2f:[email protected]](https://www%2ekeycloak%2eorg%2fapp%2f:[email protected]/)" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input. ### Acknowledgements Karel Knibbe

GHSA-83q5-whqp-r8jr: Apache Pulsar WebSocket Proxy contains an Improper Authentication vulnerability

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

GHSA-p5f8-qf24-24cj: Velocity execution without script right through tree macro

### Impact It's possible to execute a Velocity script without script right through the document tree. To reproduce: * As a user without script right, create a document, e.g., named Nasty Title * Set the document's title to `$request.requestURI` * Click "Save & View" * Reload the page in the browser The navigation panel displays a document named with the current URL, showing that the Velocity code has been executed even though the user doesn't have script right. ### Patches This has been patched in XWiki 14.10.7 and 15.2RC1. ### Workarounds A possible workaround is to: * modify the page XWiki.DocumentTreeMacros * search for the code `#set ($discard = $translatedDocument.setTitle($translatedDocument.title))` * modify it into `#set ($discard = $translatedDocument.setcomment(''))` ### References * https://jira.xwiki.org/browse/XWIKI-20625 * https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3 ### For more information If you have any questions ...