In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

Apache IoTDB version 0.13.0 is vulnerable to a session id attack. Users should upgrade to version 0.13.1 which addresses this issue.

Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of the database. Users should upgrade to version 0.13.1 which addresses this issue.

Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to an (authenticated) remote code exploit on the Airflow worker host.

In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag, which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.

In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.

Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrators' passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. A flaw in OpenOffice existed where the master key was poorly encoded, weakening its entropy from 128 to 43 bits and making the stored passwords vulnerable to a brute-force attack if an attacker has access to the user's stored configuration. Reference: CVE-2022-26307 - LibreOffice

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same, which weakens the security of the encryption and makes the stored passwords vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice

Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11.

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.