2024-47 Java Security Weekly News - Canonical, Jenkins, GitHub
Published on December 6, 2024
| | Ubuntu Security Notices |
| | Jenkins Security Advisories |
| | Github Security Advisories |
| | [GHSA-6q3q-6v5j-h6vg] Querydsl vulnerable to HQL injection through orderBy |
| | io.github.openfeign.querydsl:querydsl-jpa - impacts versions: <= 6.8.0 - fixed in: |
| | io.github.openfeign.querydsl:querydsl-apt - impacts versions: <= 6.8.0 - fixed in: |
| | com.querydsl:querydsl-jpa - impacts versions: <= 5.1.0 - fixed in: |
| | com.querydsl:querydsl-apt - impacts versions: <= 5.1.0 - fixed in: |
| | [GHSA-q4xm-6fjc-5f6w] sigstore-java has vulnerability with bundle verification |
| | dev.sigstore:sigstore-java - impacts versions: = 1.0.0 - fixed in: 1.1.0 |
| | [GHSA-93ww-43rr-79v3] Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination |
| | org.keycloak:keycloak-core - impacts versions: < 24.0.9 - fixed in: |
| | org.keycloak:keycloak-core - impacts versions: >= 25.0.0, < 26.0.6 - fixed in: 26.0.6 |
| | [GHSA-jgwc-jh89-rpgq] Keycloak proxy header handling Denial-of-Service (DoS) vulnerability |
| | org.keycloak:keycloak-quarkus-server - impacts versions: < 24.0.9 - fixed in: |
| | org.keycloak:keycloak-quarkus-server - impacts versions: >= 25.0.0, < 26.0.6 - fixed in: 26.0.6 |
| | [GHSA-v7gv-xpgf-6395] Keycloak Build Process Exposes Sensitive Data |
| | org.keycloak:keycloak-quarkus-server - impacts versions: < 24.0.9 - fixed in: 24.0.9 |
| | org.keycloak:keycloak-quarkus-server - impacts versions: >= 25.0.0, < 26.0.6 - fixed in: 26.0.6 |
| | [GHSA-5545-r4hg-rj4m] Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path |
| | org.keycloak:keycloak-quarkus-server - impacts versions: < 24.0.9 - fixed in: 26.0.6 |
| | org.keycloak:keycloak-quarkus-server - impacts versions: >= 25.0.0, < 26.0.6 - fixed in: 26.0.6 |
| | [GHSA-wq8x-cg39-8mrr] org.keycloak:keycloak-services has Inefficient Regular Expression Complexity |
| | org.keycloak:keycloak-services - impacts versions: < 24.0.9 - fixed in: 24.0.9 |
| | org.keycloak:keycloak-services - impacts versions: >= 25.0.0, < 26.0.6 - fixed in: 26.0.6 |
| | org.verapdf:verapdf.library |
| LOW | CVE-2024-52800 veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available. Published Friday, November 29, 2024 |
| | org.asynchttpclient:async-http-client |
| CRIT | CVE-2024-53990 The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests. Published Monday, December 2, 2024 |
| | dev.sigstore:sigstore-java |
| LOW | CVE-2024-54140 sigstore-java is a sigstore Java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the log in question. This may eventually lead to a monitor/witness being unable to detect when compromised logs are providing different views of themselves to different clients. There are other mechanisms right now that mitigate this, such as the signed entry timestamp. sigstore-java currently requires a valid signed entry timestamp. By correctly verifying the signed entry timestamp we can make certain assertions about the log signing the log entry (for example, that the log was aware of the artifact signing event and signed it). Therefore the impact on clients that are not monitors/witnesses is very low. This vulnerability is fixed in 1.2.0. Published Thursday, December 5, 2024 |
| | Additional Java CVEs |
| N/A | CVE-2024-10905 IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP access to static content in the IdentityIQ application directory that should be protected. Published Monday, December 2, 2024 |
| N/A | CVE-2024-54153 In JetBrains YouTrack before 2024.3.51866, unauthenticated database backup download was possible via a vulnerable query parameter. Published Wednesday, December 4, 2024 |
| N/A | CVE-2024-54154 In JetBrains YouTrack before 2024.3.51866, system takeover was possible through path traversal in the plugin sandbox. Published Wednesday, December 4, 2024 |
| N/A | CVE-2024-54155 In JetBrains YouTrack before 2024.3.51866, improper access control allowed listing of project names during app import without authentication. Published Wednesday, December 4, 2024 |
| N/A | CVE-2024-54156 In JetBrains YouTrack before 2024.3.52635, multiple merge functions were vulnerable to a prototype pollution attack. Published Wednesday, December 4, 2024 |
| N/A | CVE-2024-54158 In JetBrains YouTrack before 2024.3.52635, a potential spoofing attack was possible via lack of Punycode encoding. Published Wednesday, December 4, 2024 |
| N/A | CVE-2024-45106 Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: * ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false. * The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators. Users are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint. Published Tuesday, December 3, 2024 |
| N/A | CVE-2024-54002 Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exists in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2. Published Wednesday, December 4, 2024 |
| N/A | CVE-2024-53477 JFinal CMS 5.1.0 is vulnerable to command execution via unauthorized deserialization in the file ApiForm.java. Published Monday, December 2, 2024 |
| N/A | CVE-2024-12235 A vulnerability was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 1.0.0. It has been declared as critical. Affected by this vulnerability is the function doFilter of the file \agile-bpm-basic-master\ab-auth\ab-auth-spring-security-oauth2\src\main\java\com\dstz\auth\filter\AuthorizationTokenCheckFilter.java. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Published Thursday, December 5, 2024 |
| N/A | CVE-2024-53490 Favorites-web 1.3.0 favorites-web has a directory traversal vulnerability in SecurityFilter.java. Published Thursday, December 5, 2024 |
| N/A | CVE-2024-51615 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection. This issue affects WordPress Auction Plugin: from n/a through 3.7. Published Friday, December 6, 2024 |
| N/A | CVE-2024-54207 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows Stored XSS. This issue affects WordPress Auction Plugin: from n/a through 3.7. Published Friday, December 6, 2024 |
