2023-17 Java Security Weekly News - Red Hat
2023 » Published on May 5, 2023
| CVSS | Entry |
| --- | --- |
| | Red Hat Security Advisory |
| | Java CVEs |
| 8.8 | CVE-2023-29213 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of `org.xwiki.platform:xwiki-platform-logging-ui` it is possible to trick a user with programming rights into visiting a constructed URL, e.g. by embedding an image with this URL in a document that is viewed by a user with programming rights, which will evaluate an expression in the constructed URL and execute it. This issue has been addressed in versions 13.10.11, 14.4.7, and 14.10. Users are advised to upgrade. There are no known workarounds for this vulnerability. Published Monday, April 17, 2023 |
| N/A | CVE-2023-26813 SQL injection vulnerability in com.xnx3.wangmarket.plugin.dataDictionary.controller.DataDictionaryPluginController.java in wangmarket CMS 4.10 allows remote attackers to run arbitrary SQL commands via the TableName parameter to /plugin/dataDictionary/tableView.do. Published Friday, April 28, 2023 |
| N/A | CVE-2023-30441 IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188. Published Saturday, April 29, 2023 |
| N/A | CVE-2022-45802 StreamPark allows any user to upload a jar as an application, but there is no mandatory verification of the uploaded file type, so users can upload high-risk files and may upload them to any directory. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later. Published Monday, May 1, 2023 |
| N/A | CVE-2023-29637 Cross Site Scripting (XSS) vulnerability in Qbian61 forum-java allows attackers to inject arbitrary web script or HTML via editing the article content in the "article editor" page. Published Monday, May 1, 2023 |
| N/A | CVE-2023-2473 A vulnerability was found in Dreamer CMS up to 4.1.3. It has been declared as problematic. This vulnerability affects the function updatePwd of the file UserController.java of the component Password Hash Calculation. The manipulation leads to inefficient algorithmic complexity. The attack can be initiated remotely. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-227860. Published Tuesday, May 2, 2023 |
