2024-50 Java Security Weekly News - GitHub
Published on December 27, 2024
| National Cyber Awareness System |
| | Github Security Advisories |
| [GHSA-6pfc-w86r-54q6] Welcome and About GeoServer pages communicate version and revision information. org.geoserver.web:gs-web-app: impacts versions >= 2.0.0, < 2.25.1; fixed in 2.25.1. org.geoserver.web:gs-web-core: impacts versions >= 2.0.0, < 2.25.1; fixed in 2.25.1. |
| | com.amazon.redshift:redshift-jdbc42 |
| HIGH | CVE-2024-12744 A SQL injection in the Amazon Redshift JDBC Driver in v2.1.0.31 allows a user to gain escalated privileges via the getSchemas, getTables, or getColumns Metadata APIs. Users should upgrade to the driver version 2.1.0.32 or revert to driver version 2.1.0.30. Published Tuesday, December 24, 2024 |
| | Additional Java CVEs |
| N/A | CVE-2024-56337 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379, depending on which version of Java they are using with Tomcat: running on Java 8 or Java 11, the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true); running on Java 17, the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false); running on Java 21 onwards, no further configuration is required (the system property and the problematic cache have been removed). Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can. Published Friday, December 20, 2024 |
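The per-Java-version rules above are easy to get wrong on a fleet that mixes JDKs, so here is an added pre-flight check, written for this digest and not part of Tomcat, that encodes exactly those rules: it reads the running JVM's version and sun.io.useCanonCaches, probes whether a directory sits on a case-insensitive file system, and reports the remediation the advisory prescribes. The `--default-servlet-writable` flag and the use of catalina.base as the default directory are our own conventions; the check does not parse conf/web.xml, so you tell it whether the DefaultServlet has readonly=false.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

/**
 * Added example, not Tomcat's own code: applies the sun.io.useCanonCaches rules from the
 * CVE-2024-56337 advisory to the running JVM and reports whether a write-enabled
 * DefaultServlet on a case-insensitive file system is fully mitigated.
 */
public final class CanonCacheCheck {

    /** Result of the check with the remediation the advisory prescribes. */
    public static final class Verdict {
        public final boolean mitigated;
        public final String advice;
        Verdict(boolean mitigated, String advice) { this.mitigated = mitigated; this.advice = advice; }
        @Override public String toString() { return (mitigated ? "OK: " : "ACTION REQUIRED: ") + advice; }
    }

    /**
     * @param javaFeature            major Java version (8, 11, 17, 21, ...)
     * @param useCanonCaches         value of -Dsun.io.useCanonCaches, or null when not set
     * @param defaultServletWritable DefaultServlet "readonly" init-param set to the non-default false
     * @param caseInsensitiveFs      the webapp lives on a case-insensitive file system
     */
    public static Verdict check(int javaFeature, String useCanonCaches,
                                boolean defaultServletWritable, boolean caseInsensitiveFs) {
        if (!defaultServletWritable) {
            return new Verdict(true, "DefaultServlet is read-only; the CVE-2024-50379/56337 path is not reachable");
        }
        if (!caseInsensitiveFs) {
            return new Verdict(true, "case-sensitive file system; the canonical-name cache is not the issue here");
        }
        if (javaFeature >= 21) {
            return new Verdict(true, "Java 21+: sun.io.useCanonCaches and the cache no longer exist");
        }
        boolean explicitlyFalse = "false".equalsIgnoreCase(useCanonCaches);
        if (javaFeature >= 17) {
            // Java 17 defaults to false, so only an explicit non-false value is a problem
            return (useCanonCaches == null || explicitlyFalse)
                    ? new Verdict(true, "Java 17: canonical-name cache disabled")
                    : new Verdict(false, "Java 17: -Dsun.io.useCanonCaches is set; it must be false");
        }
        // Java 8 and 11 default to true, so the property has to be set explicitly
        return explicitlyFalse
                ? new Verdict(true, "Java 8/11: -Dsun.io.useCanonCaches=false is set")
                : new Verdict(false, "Java 8/11: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS");
    }

    /** Major version from java.specification.version ("1.8" -> 8, "17" -> 17); also works on Java 8. */
    public static int javaFeature() {
        String v = System.getProperty("java.specification.version");
        if (v.startsWith("1.")) v = v.substring(2);
        return Integer.parseInt(v);
    }

    /** Probe: create a temp file and see whether its upper-cased name resolves on this file system. */
    public static boolean isCaseInsensitive(Path dir) throws IOException {
        Path probe = Files.createTempFile(dir, "canoncache", ".probe");
        try {
            String upper = probe.getFileName().toString().toUpperCase();
            return Files.exists(dir.resolve(upper));
        } finally {
            Files.deleteIfExists(probe);
        }
    }

    /** Usage: java CanonCacheCheck [dir] [--default-servlet-writable]  (flag name is ours, not Tomcat's) */
    public static void main(String[] args) throws IOException {
        Path dir = Paths.get(args.length > 0 && !args[0].startsWith("--") ? args[0]
                : System.getProperty("catalina.base", "."));
        boolean writable = Arrays.asList(args).contains("--default-servlet-writable");
        Verdict v = check(javaFeature(), System.getProperty("sun.io.useCanonCaches"),
                writable, isCaseInsensitive(dir));
        System.out.println(v);
        if (!v.mitigated) System.exit(1);
    }
}
```

Run it with the same JVM and the same `-D` flags Tomcat starts with (for example through CATALINA_OPTS), otherwise it checks a different configuration from the one you deploy. The probe is what makes the check honest on macOS and Windows hosts, where a developer's case-insensitive volume can be exposed even though production is on ext4.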
| N/A | CVE-2024-23945 Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive's service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12 Published Monday, December 23, 2024 |
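Why echoing the expected signature is a full bypass rather than an information leak is easier to see in code. The following is an added illustration written for this digest; it is not the Hive or Spark CookieSigner, and the cookie layout (`value&s=signature`), the error texts and the sample cookie values are ours. The leaky verifier computes the HMAC over the attacker-chosen value and then prints it, so one tampered request returns a valid signature for that value; the hardened verifier beside it compares in constant time and says nothing beyond "failed".

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration, not Hive or Spark code, of the bug class behind CVE-2024-23945:
 * a cookie verifier whose error text includes the signature it expected hands the
 * caller a valid signature for whatever value they just submitted.
 */
public final class CookieSigner {
    static final String SEP = "&s=";
    private final SecretKeySpec key;

    public CookieSigner(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    /** value + "&s=" + base64url(HMAC-SHA256(secret, value)) */
    public String sign(String value) {
        return value + SEP + mac(value);
    }

    /** Leaky verifier: on mismatch the message echoes the signature the server computed. */
    public String verifyLeaky(String signed) {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) throw new IllegalArgumentException("missing signature");
        String value = signed.substring(0, i);
        String given = signed.substring(i + SEP.length());
        String expected = mac(value);
        if (!expected.equals(given)) {
            // BUG: 'expected' is HMAC(value) for the attacker-chosen value
            throw new IllegalArgumentException("signature mismatch, expected " + expected);
        }
        return value;
    }

    /** Hardened verifier: constant-time compare, one generic error, nothing secret echoed. */
    public String verify(String signed) {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) throw new SecurityException("cookie signature verification failed");
        String value = signed.substring(0, i);
        byte[] given = signed.substring(i + SEP.length()).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = mac(value).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, given)) {
            throw new SecurityException("cookie signature verification failed");
        }
        return value;
    }

    private String mac(String value) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            byte[] tag = m.doFinal(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Walks through the leak: tamper, read the expected signature out of the error, resubmit. */
    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        CookieSigner signer = new CookieSigner(secret);

        String cookie = signer.sign("user=alice");            // constructed sample cookie
        String sig = cookie.substring(cookie.lastIndexOf(SEP));
        String tampered = "user=admin" + sig;                 // forged value, stale signature

        String leaked = null;
        try {
            signer.verifyLeaky(tampered);
            throw new AssertionError("tampered cookie must not verify");
        } catch (IllegalArgumentException e) {
            leaked = e.getMessage().substring(e.getMessage().lastIndexOf(' ') + 1);
            System.out.println("leaky error:    " + e.getMessage());
        }
        // The leaked value is exactly HMAC("user=admin"), so the replay passes even the hardened check.
        System.out.println("forged passes:  " + signer.verify("user=admin" + SEP + leaked));

        try {
            signer.verify(tampered);
        } catch (SecurityException e) {
            System.out.println("hardened error: " + e.getMessage());   // nothing to harvest
        }
    }
}
```

The second verifier is what to look for when reviewing a patch for this CVE: a mismatch path that does not build a string from the computed signature, and a comparison that does not short-circuit on the first differing byte.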
| N/A | CVE-2024-56348 In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents Published Friday, December 20, 2024 |
| N/A | CVE-2024-56349 In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs Published Friday, December 20, 2024 |
| N/A | CVE-2024-56350 In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects Published Friday, December 20, 2024 |
| N/A | CVE-2024-56351 In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles Published Friday, December 20, 2024 |
| N/A | CVE-2024-56352 In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page Published Friday, December 20, 2024 |
| N/A | CVE-2024-56353 In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies Published Friday, December 20, 2024 |
| N/A | CVE-2024-56354 In JetBrains TeamCity before 2024.12 password field values were accessible to users with view settings permission Published Friday, December 20, 2024 |
| N/A | CVE-2024-56355 In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS Published Friday, December 20, 2024 |
| N/A | CVE-2024-56356 In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack Published Friday, December 20, 2024 |
| 7.4 | CVE-2024-53961 ColdFusion versions 2023.11, 2021.17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data. Published Monday, December 23, 2024 |
| N/A | CVE-2024-52046 The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also important to note that an application using the MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of the MINA core library. Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods: accept(ClassNameMatcher classNameMatcher), which accepts class names where the supplied ClassNameMatcher matches; accept(Pattern pattern), which accepts class names matching a standard Java regexp; and accept(String... patterns), which accepts wildcard file-name patterns as defined by org.apache.commons.io.FilenameUtils#wildcardMatch(String, String). In each case the matching classes are accepted for deserialization unless they are otherwise rejected. By default, the decoder will reject *all* classes that will be present in the incoming data. Note: The FtpServer, SSHd and Vysper sub-projects are not affected by this issue. Published Wednesday, December 25, 2024 |
| N/A | CVE-2024-43441 Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue. Published Tuesday, December 24, 2024 |
| N/A | CVE-2024-12652 An Improper Control of Generation of Code ('Code Injection') vulnerability in the Groovy script function in SmartRobot's Conversational AI Platform before v7.2.0 allows remote authenticated users to perform arbitrary system commands via Groovy code. Published Thursday, December 26, 2024 |
