Alvaro Munoz

**Name of the Vulnerable Software and Affected Versions** Apache Kylin version 4.0.0 **Description** The issue is related to a command injection vulnerability due to a mismatch between the checked and used project name in the DiagnosisService. This may allow an attacker to execute arbitrary commands by passing an illegal project name. The vulnerability is associated with a lack of input data sanitization. **Recommendations** For Apache Kylin version 4.0.0, update to a version that includes a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Kylin versions 2.6.6 and prior Apache Kylin versions 3.1.2 and prior Apache Kylin versions 4.0.0 and prior **Description** Apache Kylin provides encryption classes `PasswordPlaceholderConfigurer` to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class `PasswordPlaceholderConfigurer` to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. **Recommendations** For Apache Kylin 2 versions 2.6.6 and prior, consider disabling the `PasswordPlaceholderConfigurer` class until a patch is available. For Apache Kylin 3 versions 3.1.2 and prior, consider disabling the `PasswordPlaceholderConfigurer` class until a patch is available. For Apache Kylin 4 versions 4.0.0 and prior, consider disabling the `PasswordPlaceholderConfigurer` class until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Kylin versions 2.6.6 and prior Apache Kylin versions 3.1.2 and prior Apache Kylin versions 4.0.0 and prior **Description** The issue allows cross-origin requests with credentials to be sent from any origin. This could potentially lead to unauthorized access to sensitive data. **Recommendations** For Apache Kylin versions 2.6.6 and prior, update to a version later than 2.6.6 to resolve the issue. For Apache Kylin versions 3.1.2 and prior, update to a version later than 3.1.2 to resolve the issue. For Apache Kylin versions 4.0.0 and prior, update to a version later than 4.0.0 to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Apache Dubbo versions prior to 2.7.13 Apache Dubbo versions prior to 3.0.2 **Description** The issue concerns a pre-authentication unsafe Java deserialization in Apache Dubbo. This allows an attacker to bypass security checks and perform a deserialization operation using native Java serialization. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For Apache Dubbo versions prior to 2.7.13, update to version 2.7.13 or later to resolve the issue. For Apache Dubbo versions prior to 3.0.2, update to version 3.0.2 or later to resolve the issue. As a temporary workaround, consider disabling the native Java serialization to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Dubbo versions prior to 2.7.13 Apache Dubbo versions prior to 3.0.2 **Description** The issue arises from the use of the SnakeYAML library to parse YAML rules in Apache Dubbo, which by default enables the calling of arbitrary constructors. An attacker with access to the configuration center can poison the rules, leading to remote code execution (RCE) on all consumer systems that retrieve the tainted rules. **Recommendations** For Apache Dubbo versions prior to 2.7.13, update to version 2.7.13 or later. For Apache Dubbo versions prior to 3.0.2, update to version 3.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Dubbo versions prior to 2.7.13 Apache Dubbo versions prior to 2.6.10.1 **Description** The issue concerns the Hessian protocol in Apache Dubbo, which is implemented on top of HTTP. The HessianSkeleton is created without configuration of the serialization factory, and thus without applying allowed or blocked type lists. Additionally, the generic service is always exposed, making it easier for attackers as they do not need to find a valid service/method name pair. **Recommendations** For versions prior to 2.7.13, update to version 2.7.13 or later. For versions prior to 2.6.10.1, update to version 2.6.10.1 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Velocity Engine versions up to 2.2 Bitbucket Data Center and Server versions 7.21.0 through 7.21.7 **Description** An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates. The issue is related to incorrect management of code generation in the Java velocity template mechanism, which can allow a remote attacker to access confidential data, disrupt its integrity, and cause a denial of service. **Recommendations** For Apache Velocity Engine versions up to 2.2, consider disabling the ability for untrusted users to upload or modify Velocity templates until a patch is available. For Bitbucket Data Center and Server versions 7.21.0 through 7.21.7, upgrade to a release greater than or equal to 7.21.8 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Alfresco Enterprise Content Management (ECM) versions prior to 6.2.1 **Description** An issue was discovered that allows a user with privileges to edit a FreeMarker template to execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Alfresco. **Recommendations** For versions prior to 6.2.1, update to version 6.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Atlassian Confluence Server and Data Center versions prior to 7.4.5 Atlassian Confluence Server and Data Center versions 7.5.0 through 7.5.0 **Description** The issue allows remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. **Recommendations** For versions prior to 7.4.5, update to version 7.4.5 or later. For version 7.5.0, update to version 7.5.1 or later. As a temporary workaround, consider restricting access to custom user macros until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions prior to 7.3.2 Liferay DXP 7.0 versions prior to fix pack 92 Liferay DXP 7.1 versions prior to fix pack 18 Liferay DXP 7.2 versions prior to fix pack 6 **Description** The template API does not restrict user access to sensitive objects, allowing remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates. **Recommendations** For Liferay Portal versions prior to 7.3.2, update to version 7.3.2 or later. For Liferay DXP 7.0 versions prior to fix pack 92, apply fix pack 92 or later. For Liferay DXP 7.1 versions prior to fix pack 18, apply fix pack 18 or later. For Liferay DXP 7.2 versions prior to fix pack 6, apply fix pack 6 or later.

**Name of the Vulnerable Software and Affected Versions** Sourcegraph versions prior to 3.15.1 **Description** The issue is related to a vulnerable authentication workflow due to improper validation in the `SafeRedirectURL` method. This method, located in `cmd/frontend/auth/redirect.go`, fails to properly validate URLs, which can be exploited. For example, the substring `//foo//example.com` can be used to bypass validation. **Recommendations** For versions prior to 3.15.1, update to version 3.15.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `SafeRedirectURL` method in `cmd/frontend/auth/redirect.go` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Akka versions <=2.4.16 Akka version 2.5-M1 **Description** The issue concerns a Java deserialization attack in the Remoting component of Akka, which can result in remote code execution in the context of the ActorSystem. **Recommendations** For Akka versions <=2.4.16, update to a version greater than 2.4.16 to resolve the issue. For Akka version 2.5-M1, update to a version greater than 2.5-M1 to resolve the issue. As a temporary workaround, consider restricting access to the Remoting component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Atlassian Crowd versions prior to 2.8.8 Atlassian Crowd versions 2.9.x prior to 2.9.5 **Description** The issue allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object. This is related to the LDAP directory connector in Atlassian Crowd. **Recommendations** For versions prior to 2.8.8, update to version 2.8.8 or later. For versions 2.9.x prior to 2.9.5, update to version 2.9.5 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions prior to 2.3.29 Apache Struts 2.5.x versions prior to 2.5.1 **Description** The issue is related to improper action name clean up, which may allow attackers to have an unspecified impact. It is also described as a vulnerability in the implementation of the action name cleanup method, associated with insufficient input validation. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code. **Recommendations** For Apache Struts versions prior to 2.3.29, update to version 2.3.29 or later. For Apache Struts 2.5.x versions prior to 2.5.1, update to version 2.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Restlet Framework versions 2.1.x through 2.1.7 Restlet Framework versions 2.x.x through 2.2 RC1 **Description** The issue allows attackers to cause a denial of service via an XML Entity Expansion (XEE) attack when using XMLRepresentation or XML serializers. **Recommendations** For versions 2.1.x through 2.1.7, update to version 2.1.7 or later. For versions 2.x.x through 2.2 RC1, update to version 2.2 RC1 or later.