Apache Groovy Code Injection Vulnerability
injection
Apache Groovy is an object-oriented programming language based on the Java platform of the Apache Software Foundation, which combines many powerful features of Python, Ruby and Smalltalk. There is a security vulnerability in the MethodClosure class in the runtime/MethodClosure.java file of Apache Groovy from 1.7.0 to 2.4.3. Remote attackers can use this vulnerability to execute arbitrary code or cause a denial of service via a specially crafted serialized object.
Deserialization vulnerability of untrusted data in Google Guava
Unrestricted or regulated resource allocation
Google Guava is a Java core library of Google, which includes graphic library, function type, I/O and string processing. In Google Guava 11.0 to 24. x, because the AtomicDoubleArray class (when Java serialization is used) and the CompoundOrdering class (when GWT serialization is used) use the immediate allocation method, the content sent by the client and the data size are not checked for rationality. A remote attacker can use this vulnerability to conduct a denial of service attack on the server that relies on this library, and deserialize the data provided by the attacker.
Netty has HTTP request smuggling vulnerability
HTTP request smuggling
Netty is a non blocking I/O client server framework, which is mainly used to develop Java network applications, such as protocol servers and clients. The affected version of Netty is vulnerable to HTTP request smuggling attacks because Netty incorrectly handles the space before the colon in the HTTP header, such as Transfer Encoding: chunked. Attackers can use this vulnerability to carry out HTTP request smuggling attacks, bypass security controls, and access sensitive data without authorization.
Netty<=4.1.43. Final has an HTTP request smuggling vulnerability
HTTP request smuggling
Netty is an asynchronous event driven network application framework for rapid development of maintainable high-performance protocol servers and clients. Due to the incomplete repair of CVE-2019-16869, HTTP request smuggling exists in Netty versions before 4.1.43.Final, because Netty incorrectly handles whitespace in Transfer Encoding, such as ([space] Transfer Encoding: Chunked) and Content Length headers. Attackers can maliciously construct request headers to conduct HTTP request smuggling attacks when ELB (Elastic load balancer) sends malicious requests to Netty, so as to obtain sensitive information transmitted in Netty.
Netty<4.1.44. Final has an HTTP request smuggling vulnerability
HTTP request smuggling
Netty is an asynchronous event driven network application framework for rapid development of maintainable high-performance protocol servers and clients. The HttpObjectDecoder.java class in Netty before 4.1.44. Final lacks the monitoring of the colon in the HTTP header. As a result, the HTTP header without a colon will be interpreted as a separate header or invalid fold (invalid fold) with incorrect syntax. Attackers can use this vulnerability to carry out HTTP request smuggling attacks by sending maliciously constructed http requests to obtain sensitive information transmitted in Netty.
Netty<4.1.44. Final has an HTTP request smuggling vulnerability
HTTP request smuggling
Netty is a network application framework for rapid development of maintainable high-performance protocol servers and clients. Due to the incomplete repair of CVE-2019-16869, the HttpObjectDecoder.java class in Netty before 4.1.44.Final has an HTTP request smuggling vulnerability due to improper authentication of HTTP/1.1 request headers. Because Netty allows the Content Length header to be accompanied by a second Content Length header or Transfer Encoding header, an attacker can conduct HTTP request smuggling attacks by sending HTTP/1.1 containing maliciously constructed headers, thereby obtaining sensitive file information transmitted by Netty services.
Google Guava Access Control Error Vulnerability
Improper allocation of key resource permissions
Google Guava is a Java core library of Google, which includes graphic library, function type, I/O and string processing. There is an access control error vulnerability in Guava before 30.0. The vulnerability originates from a temporary directory creation vulnerability in Guava, which allows attackers accessing machines to potentially access data in the temporary directory created by Guava com. google. common. io. Files. createTempDir(). An attacker can use this vulnerability to access the temporary file directory.
Apache Groovy Temporary Directory Information Disclosure Vulnerability
Incorrect default permissions
Apache Groovy is an object-oriented programming language based on the Java platform. The affected version of Apache Groovy will create a temporary directory shared by all users on the system in the temporary directory of the operating system. This vulnerability only affects Unix like systems and very old versions of Mac OSX and Windows. An attacker can obtain sensitive information in the temporary directory through this vulnerability.
Guava<32.0.0 has a competitive condition vulnerability
Create a temporary file with insecure permissions
Guava is an open source Java code library developed by Google, which provides commonly used Java tools and data structures. The FileBackedOutputStream class in Guava 1.0 to 31.1 uses Java's default temporary directory to create files. Because the created file name is easy to guess by attackers, in Unix and Android Ice Cream Sandwich systems, attackers with access to the default Java temporary directory are allowed to create malicious files with the same name, causing file conflicts, If an application relies on malicious files created by an attacker, the attacker can manipulate the application's behavior. Version 32.0.0 fixes this vulnerability but is incompatible with the Windows system. It is recommended to upgrade the Windows system to version 32.0.1.
No more
Loading failed, please refresh the page