IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations.

Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java programs to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection vulnerability. An attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user's local machine would render the malicious payload, leading to remote code execution. The vulnerability was patched as part of Snowflake JDBC driver Version 3.13.29. All users should immediately upgrade the Snowflake JDBC driver to the latest version: 3.13.29.

In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability.

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.

SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacts versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2.

The OPC UA Legacy Java Stack before 6f176f2 enables an attacker to block OPC UA server applications via uncontrolled resource consumption so that they can no longer serve client applications.

Minecraft through 1.19 and 1.20 pre-releases before 7 (Java) allow arbitrary file overwrite, and possibly code execution, via crafted world data that contains a symlink.

JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes `'` in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware. Version 1.0.1 contains a patch for this issue. To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape `'` as `&#39;`. As a workaround, users can avoid this issue by using only double quotes `"` for HTML attributes.

JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in the `bytedeco/javacpp-presets` repository use the `_ssage` parameter in an insecure way. For example, the commit message is used in a run statement, resulting in a command injection vulnerability due to string interpolation. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution.