Joseph Beeton

**Name of the Vulnerable Software and Affected Versions** MLFlow versions 2.8.1 and before **Description** An issue in MLFlow allows a remote attacker to obtain sensitive information via a crafted request to the REST API. Approximately 4,120 devices are potentially affected, mainly distributed in the United States, Germany, and other countries. **Recommendations** For MLFlow versions 2.8.1 and before, consider restricting access to the REST API until a patch is available. As a temporary workaround, avoid using the REST API for sensitive information exchange until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Tiles versions 2 onwards **Description** The issue arises from the lack of validation of the value set as the `DefaultLocaleResolver.LOCALE KEY` attribute on the session while resolving XML definition files. This can lead to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. The use of user-controlled data in this key may be relatively common, as seen in the 'tiles-test' application shipped with Tiles, where it was used to set the language. **Recommendations** As a temporary workaround, consider disabling the use of the `DefaultLocaleResolver.LOCALE KEY` attribute until a patch is available. Restrict access to the XML definition files to minimize the risk of exploitation. Avoid using user-controlled data in the `DefaultLocaleResolver.LOCALE KEY` attribute until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spring for Apache Kafka versions 3.0.9 and earlier Spring for Apache Kafka versions 2.9.10 and earlier **Description** The issue is related to a deserialization attack vector in Spring for Apache Kafka. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. The application is vulnerable when the user does not configure an `ErrorHandlingDeserializer` for the key and/or value of the record, explicitly sets container properties `checkDeserExWhenKeyNull` and/or `checkDeserExWhenValueNull` to true, and allows untrusted sources to publish to a Kafka topic. By default, these properties are false, and the container only attempts to deserialize the headers if an `ErrorHandlingDeserializer` is configured. **Recommendations** For Spring for Apache Kafka versions 3.0.9 and earlier, consider configuring an `ErrorHandlingDeserializer` for the key and/or value of the record to prevent the vulnerability. For Spring for Apache Kafka versions 2.9.10 and earlier, consider configuring an `ErrorHandlingDeserializer` for the key and/or value of the record to prevent the vulnerability. As a temporary workaround, consider setting container properties `checkDeserExWhenKeyNull` and/or `checkDeserExWhenValueNull` to false to minimize the risk of exploitation. Restrict access to Kafka topics to trusted sources only to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** quarkus (versões afetadas não especificadas) **Descrição** O problema está relacionado ao componente Dev UI Config Editor da estrutura Java quarkus, que está vulnerável à execução remota de código devido a um gerenciamento incorreto da geração de código. Isso pode permitir que um invasor remoto execute código arbitrário. A vulnerabilidade também é descrita como suscetível a ataques drive-by no localhost. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.