2023-11 Java Security Weekly News - Adobe, Canonical
2023 » Published on March 24, 2023
| National Cyber Awareness System |
 | Adobe Security Bulletins and Advisories |
 | Ubuntu Security Notices |
 | Java CVEs |
| 7.5 | CVE-2021-46877 jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. Published Saturday, March 18, 2023 |
| N/A | CVE-2023-28118 kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds. Published Monday, March 20, 2023 |
| N/A | CVE-2023-28725 General Bytes Crypto Application Server (CAS) 20230120, as distributed with General Bytes BATM devices, allows remote attackers to execute arbitrary Java code by uploading a Java application to the /batm/app/admin/standalone/deployments directory, aka BATM-4780, as exploited in the wild in March 2023. This is fixed in 20221118.48 and 20230120.44. Published Wednesday, March 22, 2023 |
| N/A | CVE-2023-1370 [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a [ or { character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software. Published Wednesday, March 22, 2023 |
| N/A | CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Published Wednesday, March 22, 2023 |
| N/A | CVE-2023-24367 Temenos T24 Release 20 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the routineName parameter at genrequest.jsp. Published Thursday, March 23, 2023 |
| N/A | CVE-2023-1606 A vulnerability was found in novel-plus 3.6.2 and classified as critical. Affected by this issue is some unknown functionality of the file DictController.java. The manipulation of the argument orderby leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223736. Published Thursday, March 23, 2023 |
| N/A | CVE-2023-1608 A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been declared as critical. This vulnerability affects the function getAdminList of the file /api/admin/store/product/list. The manipulation of the argument cateId leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-223738 is the identifier assigned to this vulnerability. Published Thursday, March 23, 2023 |
| N/A | CVE-2023-1609 A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been rated as problematic. This issue affects the function save of the file /api/admin/store/product/save. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223739. Published Thursday, March 23, 2023 |
| 9.8 | CVE-2023-26359 Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Published Thursday, March 23, 2023 |
| 8.6 | CVE-2023-26360 Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Published Thursday, March 23, 2023 |
| 4.9 | CVE-2023-26361 Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges. Published Thursday, March 23, 2023 |
| N/A | CVE-2023-28818 An issue was discovered in Veritas NetBackup IT Analytics 11 before 11.2.0. The application upgrade process included unsigned files that could be exploited and result in a customer installing unauthentic components. A malicious actor could install rogue Collector executable files (aptare.jar or upgrademanager.zip) on the Portal server, which might then be downloaded and installed on collectors. Published Friday, March 24, 2023 |