2024-38 Java Security Weekly News - Canonical
Published on October 4, 2024
Ubuntu Security Notices

Java CVEs

| Score | CVE | Description | Published |
| --- | --- | --- | --- |
| 8.0 | CVE-2024-45772 | Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected; the org.apache.lucene.replicator.nrt package is not affected. Users are recommended to upgrade to version 9.12.0, which fixes the issue. Java serialization filters (such as -Djdk.serialFilter='!*' on the command line) can mitigate the issue on vulnerable versions without impacting functionality. | Monday, September 30, 2024 |
| N/A | CVE-2024-47524 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A user with the Admin role can create Device Groups, and the application did not properly sanitize the user input in the Device Group name; when a user views the details of the Device Group, any JavaScript code inside the Device Group's name is triggered. This vulnerability is fixed in 24.9.0. | Tuesday, October 1, 2024 |
| N/A | CVE-2024-47561 | Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. | Thursday, October 3, 2024 |
| N/A | CVE-2024-47554 | Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue. | Thursday, October 3, 2024 |
| N/A | CVE-2024-47855 | util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string. | Friday, October 4, 2024 |
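The Lucene entry for CVE-2024-45772 notes that a Java serialization filter such as -Djdk.serialFilter='!*' mitigates the issue on unpatched versions. The following added example (not code from the advisory or from Lucene) applies the same pattern syntax to a single ObjectInputStream so the effect can be observed with a constructed, harmless Integer payload; the allow-list pattern at the end is an assumed illustration of a narrower production setting, not something the advisory prescribes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

// Added example, not from the advisory or from Lucene: shows what a reject-all
// deserialization filter (same syntax as -Djdk.serialFilter) does on JDK 9+.
public class SerialFilterDemo {

    // Constructed sample input: a harmless java.lang.Integer written with standard serialization.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // pattern == null reads with no filter; otherwise the pattern applies to this stream only.
    // Setting -Djdk.serialFilter='!*' process-wide has the same effect on every stream.
    static Object deserialize(byte[] data, String pattern) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (pattern != null) {
                ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(Integer.valueOf(42));

        // Unfiltered: any serializable class on the classpath can be instantiated by the stream.
        System.out.println("no filter  : " + deserialize(payload, null));

        // '!*' rejects every class, so readObject fails before any object is constructed.
        try {
            deserialize(payload, "!*");
        } catch (InvalidClassException e) {
            System.out.println("reject all : " + e.getMessage());
        }

        // Assumed narrower setting: allow only the types the protocol needs and reject the rest.
        // java.lang.Number is listed because the filter also checks superclasses found in the stream.
        System.out.println("allow-list : " + deserialize(payload, "java.lang.Integer;java.lang.Number;!*"));
    }
}
```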