2022-20 Java Security Weekly News - Oracle, Red Hat, Jenkins
2022 » Published on May 27, 2022
 | Oracle Security Alerts |
 | Red Hat Security Advisory |
 | Jenkins Security Advisories |
 | Java CVEs |
| N/A | CVE-2022-29599 In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. Published Monday, May 23, 2022 |
| N/A | CVE-2022-29237 Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster. Users who do not run a multi-tenant cluster are not affected by this issue. This issue is fixed in Opencast 10.14 and 11.7. Published Tuesday, May 24, 2022 |
| N/A | CVE-2022-29567 The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side. Published Tuesday, May 24, 2022 |
| N/A | CVE-2022-29249 JavaEZ is a library that adds new functions to make Java easier. A weakness in JavaEZ 1.6 allows force decryption of locked text by unauthorized actors. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. The vulnerability has been patched in release 1.7. Currently, there is no way to fix the issue without upgrading. Published Tuesday, May 24, 2022 |
| N/A | CVE-2021-3597 A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final. Published Tuesday, May 24, 2022 |
| N/A | CVE-2021-3629 A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. Published Tuesday, May 24, 2022 |
| N/A | CVE-2022-29349 kkFileView v4.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java. Published Wednesday, May 25, 2022 |