2022-42 Java Security Weekly News - Oracle, Red Hat, Jenkins, GitHub
2022 » Published on October 28, 2022
 | Oracle Security Alerts |
 | Red Hat Security Advisory |
 | Jenkins Security Advisories |
 | Github Security Advisories |
 | Java CVEs |
| 5.5 | CVE-2022-39259 jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds. Published Friday, October 21, 2022 |
| N/A | CVE-2022-39312 Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In `backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java`, the `MysqlConfiguration` class does not filter any parameters. If an attacker adds some parameters to a JDBC url and connects to a malicious mysql server, the attacker can trigger the mysql jdbc deserialization vulnerability. Through the deserialization vulnerability, the attacker can execute system commands and obtain server privileges. Version 1.15.2 contains a patch for this issue. Published Tuesday, October 25, 2022 |
| N/A | CVE-2022-41704 A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16. Published Tuesday, October 25, 2022 |
| N/A | CVE-2022-42890 A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16. Published Tuesday, October 25, 2022 |
| N/A | CVE-2022-42468 Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol. Published Wednesday, October 26, 2022 |
| N/A | CVE-2022-43766 Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it. Published Wednesday, October 26, 2022 |