2024-30 Java Security Weekly News - Canonical, GitHub

2024 » Published on August 9, 2024

Ubuntu Security Notices

USN-6943-1: Tomcat vulnerabilities

USN-6936-1: Apache Commons Collections vulnerability

USN-6932-1: OpenJDK 21 vulnerabilities

USN-6931-1: OpenJDK 17 vulnerabilities

USN-6930-1: OpenJDK 11 vulnerabilities

USN-6929-1: OpenJDK 8 vulnerabilities

Github Security Advisories

[GHSA-frvj-cfq4-3228] Path traversal in Reposilite javadoc file expansion (arbitrary file creation/overwrite) (`GHSL-2024-073`)

[GHSA-9w8w-34vr-65j2] Reposilite artifacts vulnerable to Stored Cross-site Scripting

[GHSA-5hcj-rwm6-xmw4] biscuit-java vulnerable to public key confusion in third party block

Java CVEs

N/A	CVE-2024-7314 anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Published Friday, August 2, 2024
N/A	CVE-2024-41995 Initialization of a resource with an insecure default vulnerability exists in JavaTM Platform Ver.12.89 and earlier. If this vulnerability is exploited, the product may be affected by some known TLS1.0 and TLS1.1 vulnerabilities. As for the specific products/models/versions of MFPs and printers that contain JavaTM Platform, see the information provided by the vendor. Published Tuesday, August 6, 2024
8.8	CVE-2024-7552 A vulnerability was found in DataGear up to 5.0.0. It has been declared as critical. Affected by this vulnerability is the function evaluateVariableExpression of the file ConversionSqlParamValueMapper.java of the component Data Schema Page. The manipulation leads to improper neutralization of special elements used in an expression language statement. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273697 was assigned to this vulnerability. Published Tuesday, August 6, 2024