2023-24 Java Security Weekly News - GitHub

2023 » Published on June 23, 2023

Github Security Advisories

[GHSA-qcwq-55hx-v3vh] snappy-java's unchecked chunk length leads to DoS

[GHSA-fjpj-2g6w-x25r] snappy-java's Integer Overflow vulnerability in compress leads to DoS

[GHSA-pqr6-cmr2-h8hf] snappy-java's Integer Overflow vulnerability in shuffle leads to DoS

Java CVEs

N/A	CVE-2023-26436 Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known. Published Tuesday, June 20, 2023
N/A	CVE-2023-35166 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5. Published Tuesday, June 20, 2023
N/A	CVE-2023-34981 A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak. Published Wednesday, June 21, 2023
N/A	CVE-2023-25499 When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure. Published Thursday, June 22, 2023
N/A	CVE-2023-25500 Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. Published Thursday, June 22, 2023