2025-6 Java Security Weekly News - GitHub
Published on February 21, 2025
| | GitHub Security Advisories |
| | [GHSA-mrqp-q7vx-v2cx] Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC. com.instaclustr:cassandra-lucene-index-plugin - impacts versions: >= 4.0-rc1-1.0.0, < 4.0.17-1.0.0, fixed in: 4.0.17-1.0.0; com.instaclustr:cassandra-lucene-index-plugin - impacts versions: >= 4.1.0-1.0.0, < 4.1.8-1.0.1, fixed in: 4.1.8-1.0.1 |
| | [GHSA-52rf-25hq-5m33] GeoNetwork search end-point information disclosure in response headers. org.geonetwork-opensource:gn-services - impacts versions: >= 4.4.0, < 4.4.5, fixed in: 4.4.5; org.geonetwork-opensource:gn-services - impacts versions: < 4.2.10, fixed in: 4.2.10 |
| | [GHSA-389x-839f-4rhx] Denial of Service attack on windows app using Netty. io.netty:netty-common - impacts versions: < 4.1.118.Final, fixed in: 4.1.118.Final |
| | [GHSA-4g8c-wm8x-jfhw] SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine. io.netty:netty-handler - impacts versions: >= 4.1.91.Final, <= 4.1.117.Final, fixed in: 4.1.118.Final |
| | org.geonetwork-opensource:gn-services |
| MED | CVE-2024-32037 GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available. Published Tuesday, February 11, 2025 |
| | io.netty:netty-handler |
| HIGH | CVE-2025-24970 Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it's possible to either disable the usage of the native SSLEngine or change the code manually. Published Monday, February 10, 2025 |
| | io.netty:netty-common |
| MED | CVE-2025-25193 Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix. Published Monday, February 10, 2025 |
| | com.instaclustr:cassandra-lucene-index-plugin |
| HIGH | CVE-2025-26511 Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges. Published Thursday, February 13, 2025 |
| | Additional Java CVEs |
| N/A | CVE-2024-56973 Insecure Permissions vulnerability in Alvaria, Inc Unified IP Unified Director before v.7.2SP2 allows a remote attacker to execute arbitrary code via the source and filename parameters to the ProcessUploadFromURL.jsp component. Published Friday, February 14, 2025 |
| N/A | CVE-2024-57971 DataSourceResource.java in the SpagoBI API support in Knowage Server in KNOWAGE before 8.1.30 does not ensure that java:comp/env/jdbc/ occurs at the beginning of a JNDI Name. Published Sunday, February 16, 2025 |
| 4.3 | CVE-2025-1359 A vulnerability, which was classified as problematic, has been found in SIAM Industria de Automação e Monitoramento SIAM 2.0. This issue affects some unknown processing of the file /qrcode.jsp. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, February 16, 2025 |
| N/A | CVE-2024-5706 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources. An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users. Published Wednesday, February 19, 2025 |
| N/A | CVE-2025-20059 Relative Path Traversal vulnerability in Ping Identity PingAM Java Policy Agent allows Parameter Injection. This issue affects PingAM Java Policy Agent: through 5.10.3, through 2023.11.1, through 2024.9. Published Thursday, February 20, 2025 |
