2025-17 Java Security Weekly News - Canonical, GitHub
Published on May 9, 2025
Ubuntu Security Notices

Github Security Advisories

| Advisory | Title | Affected artifact | Impacted versions | Fixed in |
|---|---|---|---|---|
| GHSA-mvgm-3rw2-7j4r | org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type | org.xwiki.platform:xwiki-platform-security-requiredrights-default | >= 15.9-rc-1, < 15.10.8 | 15.10.8 |
| | | org.xwiki.platform:xwiki-platform-security-requiredrights-default | >= 16.0.0-rc-1, < 16.2.0 | 16.2.0 |
| GHSA-x7wv-5qg4-vmr6 | org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right | org.xwiki.platform:xwiki-platform-component-wiki | >= 15.9-rc-1, < 15.10.12 | 15.10.12 |
| | | org.xwiki.platform:xwiki-platform-component-wiki | >= 16.0.0-rc-1, < 16.4.3 | 16.4.3 |
| | | org.xwiki.platform:xwiki-platform-component-wiki | >= 16.5.0-rc-1, < 16.8.0-rc-1 | 16.8.0-rc-1 |
| GHSA-rp38-24m3-rx87 | The lesscss script service allows cache clearing without programming right | org.xwiki.platform:xwiki-platform-lesscss-script | >= 6.1-milestone-1, < 15.10.12 | 15.10.12 |
| | | org.xwiki.platform:xwiki-platform-lesscss-script | >= 16.0.0-rc-1, < 16.4.3 | 16.4.3 |
| | | org.xwiki.platform:xwiki-platform-lesscss-script | >= 16.5.0-rc-1, < 16.8.0-rc-1 | 16.8.0-rc-1 |
| GHSA-987p-r3jc-8c8v | Solr script service doesn't take dropped programming right into account | org.xwiki.platform:xwiki-platform-search-solr-api | >= 4.5.1, < 15.10.13 | 15.10.13 |
| | | org.xwiki.platform:xwiki-platform-search-solr-api | >= 16.0.0-rc-1, < 16.4.4 | 16.4.4 |
| | | org.xwiki.platform:xwiki-platform-search-solr-api | >= 16.5.0-rc-1, < 16.8.0-rc-1 | 16.8.0-rc-1 |
| GHSA-pjhg-9wr9-rj96 | org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability | org.xwiki.platform:xwiki-platform-wysiwyg-api | >= 13.5-rc-1, < 15.10.13 | 15.10.13 |
| | | org.xwiki.platform:xwiki-platform-wysiwyg-api | >= 16.0.0-rc-1, < 16.4.4 | 16.4.4 |
| | | org.xwiki.platform:xwiki-platform-wysiwyg-api | >= 16.5.0-rc-1, < 16.8.0 | 16.8.0 |
Java CVEs

| Score | CVE | Description | Published |
|---|---|---|---|
| 10.0 | CVE-2025-34028 | The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to a path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38. | Tuesday, April 22, 2025 |
| 6.3 | CVE-2025-4258 | A vulnerability, which was classified as critical, was found in zhangyanbo2007 youkefu up to 4.2.0. Affected is the function Upload of the file \youkefu-master\src\main\java\com\ukefu\webim\web\handler\resource\MediaController.java. The manipulation of the argument imgFile leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | Monday, May 5, 2025 |
| 6.3 | CVE-2025-4259 | A vulnerability has been found in newbee-mall 1.0 and classified as critical. Affected by this vulnerability is the function Upload of the file ltd/newbee/mall/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. | Monday, May 5, 2025 |
| 4.3 | CVE-2025-4260 | A vulnerability was found in zhangyanbo2007 youkefu up to 4.2.0 and classified as problematic. Affected by this issue is the function impsave of the file m\web\handler\admin\system\TemplateController.java. The manipulation of the argument dataFile leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | Monday, May 5, 2025 |
| N/A | CVE-2025-2905 | An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server's filesystem or perform denial-of-service (DoS) attacks. On systems running JDK 7 or early JDK 8, full file contents may be exposed. On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior. DoS attacks such as "Billion Laughs" payloads can cause service disruption. | Monday, May 5, 2025 |
| N/A | CVE-2025-45610 | Incorrect access control in the component /scheduleLog/info/1 of PassJava-Platform v3.0.0 allows attackers to access sensitive information via a crafted payload. | Monday, May 5, 2025 |
| 3.5 | CVE-2025-4328 | A vulnerability was found in fp2952 spring-cloud-base up to 7f050dc6db9afab82c5ce1d41cd74ed255ec9bfa. It has been declared as problematic. Affected by this vulnerability is the function sendBack of the file /spring-cloud-base-master/auth-center/auth-center-provider/src/main/java/com/peng/auth/provider/config/web/MvcController.java of the component HTTP Header Handler. The manipulation of the argument Referer leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery; therefore, version details for affected and updated releases are not available. | Tuesday, May 6, 2025 |
| 6.3 | CVE-2025-4333 | A vulnerability was found in feng_ha_ha/megagao ssm-erp and production_ssm up to 0.0.1. It has been classified as critical. This affects the function uploadFile of the file src/main/java/com/megagao/production/ssm/service/impl/FileServiceImpl.java. The manipulation of the argument uploadFile leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names. | Tuesday, May 6, 2025 |
| N/A | CVE-2025-47605 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AppJetty WP jQuery DataTable allows Stored XSS. This issue affects WP jQuery DataTable: from n/a through 4.1.0. | Wednesday, May 7, 2025 |
| N/A | CVE-2025-47607 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AppJetty Show All Comments allows Stored XSS. This issue affects Show All Comments: from n/a through 7.0.1. | Wednesday, May 7, 2025 |
| N/A | CVE-2025-30147 | Besu Native contains scripts and tooling used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles ALTBN128_ADD (0x06), ALTBN128_MUL (0x07), and ALTBN128_PAIRING (0x08). These precompiles were reimplemented in besu-native using gnark-crypto's bn254 implementation, as the former implementation used a library which was no longer maintained and not sufficiently performant. The new gnark implementation was initially added in version 0.9.0 of besu-native but was not utilized by Besu until version 0.9.2 in Besu 24.7.1. The issue is that there are EC points which may be crafted which are in the correct subgroup but are not on the curve, and the besu-native gnark implementation was relying on subgroup checks to perform point-on-curve checks as well. The version of gnark-crypto used at the time did not do this check when performing subgroup checks. The result is that it was possible for Besu to give an incorrect result and fall out of consensus when executing one of these precompiles against a specially crafted input point. Additionally, homogeneous Besu-only networks can potentially enshrine invalid state which would be incorrect and difficult to process with patched versions of Besu which handle these calls correctly. The underlying defect has been patched in besu-native release 1.3.0. The fixed version of Besu is version 25.3.0. As a workaround for versions of Besu with the problem, the native precompile for altbn128 may be disabled in favor of the pure-Java implementation. The pure-Java implementation is significantly slower, but does not have this consensus issue. | Wednesday, May 7, 2025 |
| N/A | CVE-2025-1948 | In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting. | Thursday, May 8, 2025 |
| N/A | CVE-2024-13009 | In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. | Thursday, May 8, 2025 |
| N/A | CVE-2025-46392 | Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenarios where you only load trusted configurations. Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration. | Friday, May 9, 2025 |
