com.fasterxml.jackson.core:jackson-databind has a denial of service vulnerability
Denial of Service
com.fasterxml.jackson.core:jackson-databind is the library that contains the general data-binding functionality and tree model of the Jackson Data Processor. When JDK serialization is used to serialize and deserialize JsonNode values, affected versions of this package are vulnerable to a denial of service (DoS) attack.
VMware Tanzu Spring Framework security vulnerability
Both VMware Spring Framework and VMware Tanzu are products of the US-based company VMware. The Spring Framework is an open source Java and Java EE application framework that helps developers build high-quality applications. VMware Tanzu is a suite of application development and management solutions; it combines virtual machines and Kubernetes to manage virtual machines, containers and physical machines in a unified way, and can manage applications across physical machines, virtual machines, on-premises data centers and multiple clouds, providing unified support for workloads. The Spring Framework has a security vulnerability caused by a bypass involving the jsessionid path parameter. The following versions are affected: 5.2.0 to 5.2.8, 5.1.0 to 5.1.17, 5.0.0 to 5.0.18, 4.3.0 to 4.3.28, and earlier unsupported versions.
Spring Framework Permission and Access Control Vulnerability
Improper privilege management
In the Spring Framework, WebFlux applications in versions 5.2.x before 5.2.15 and 5.3.x before 5.3.7 are vulnerable to privilege escalation: by (re)creating the temporary storage directory, a local authenticated malicious user can read or modify files uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
VMware Spring Framework security feature issue vulnerability
Improper case sensitivity
The VMware Spring Framework is a set of open source Java and Java EE application frameworks developed by VMware. The disallowedFields patterns in the VMware Spring Framework are case sensitive, which means a field is not effectively protected unless it is listed with both the upper-case and lower-case form of its first character, including the first character of every nested field in the property path. A remote attacker can exploit this to bypass the intended security restriction.
org.freemarker:freemarker has a code injection vulnerability
Code injection
org.freemarker:freemarker is a "template engine": a generic tool for generating text output (anything from HTML to automatically generated source code) from templates. Affected versions of this package are vulnerable to server-side template injection (SSTI). Because a template is allowed to reach java.security.ProtectionDomain.getClassLoader, it gains access to the Java class loader, which can be further used for file system access and code execution. A low-privileged user is sufficient to exploit this vulnerability.
Google protobuf security vulnerability
Incorrect behavior order
Google protobuf is a data exchange format developed by Google in the United States. A security vulnerability in protobuf-java allows a small malicious payload to occupy the parser for several minutes by creating a large number of short-lived objects that cause frequent and repeated pauses.
Oracle MySQL Connectors Input Verification Error Vulnerability
Inappropriate authorization mechanism
Oracle MySQL is an open source relational database management system from Oracle. MySQL Connectors are the drivers used to connect applications to MySQL. An input validation error vulnerability exists in Oracle MySQL Connectors (component: Connector/J) 8.0.27 and earlier. An attacker with network access via multiple protocols can use this vulnerability to compromise Oracle MySQL Connectors, which can result in takeover of Oracle MySQL Connectors.
Spring beans remote code execution vulnerability (Spring4Shell)
Expression injection
spring-beans implements the IoC module of the Spring Framework. CVE-2010-1622 was a problem caused by the automatic parameter binding mechanism, and it was fixed with a blacklist. However, JDK 9 introduced the Module class, and getModule allows the blacklist restrictions of that earlier fix to be bypassed, leading to remote code execution. org.springframework:spring-beans versions 5.3.0 to 5.3.17 and 5.2.0.RELEASE to 5.2.19.RELEASE are affected.
MyBatis Code Problem Vulnerability
Deserialization
MyBatis is a persistence framework of the Apache Software Foundation. It supports custom SQL, stored procedures and advanced mapping, eliminating almost all JDBC code, parameter setting and result set retrieval. Primitive types, interfaces and Java POJOs (Plain Old Java Objects) can be configured and mapped to database records through simple XML or annotations. MyBatis before 3.5.6 has a code problem vulnerability, arising from improper design or implementation during the development of the code.
MySQL JDBC XXE vulnerability
XXE
Oracle MySQL is an open source relational database management system from Oracle. An XXE vulnerability exists in the MySQL Connectors of Oracle MySQL. The root cause is that the getSource method does not validate incoming XML data. An attacker can construct malicious XML data that references external entities, resulting in an XXE attack, and may use this vulnerability to read arbitrary files.
Unknown vulnerability in VMware Spring Framework
Improper input validation
The VMware Spring Framework is a set of open source Java and Java EE application frameworks developed by VMware. This framework helps developers build high-quality applications. A security vulnerability exists in the VMware Spring Framework: an attacker can use log injection to bypass the access restrictions of the Spring Framework and modify data.
VMware Spring Framework injection vulnerability
Improper input validation
The VMware Spring Framework is a set of open source Java and Java EE application frameworks developed by VMware. This framework helps developers build high-quality applications. An injection vulnerability exists in the Spring Framework; it stems from bypassing the access restrictions of the Spring Framework through log injection in order to change data.