Arnout Engelen

**Name of the Vulnerable Software and Affected Versions** Apache Commons Configuration versions 1.x **Description** The issue is related to Uncontrolled Resource Consumption in Apache Commons Configuration 1.x, which can lead to excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. Users who load untrusted configurations or give attackers control over usage patterns are at risk. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Apache Commons Configuration version 1.x, upgrade to the 2.x version line, which fixes these issues. Note that Apache Commons Configuration 2.x is not a drop-in replacement, but it can be loaded side-by-side with the 1.x version, making it possible to do a gradual migration.

**Name of the Vulnerable Software and Affected Versions** Apache Commons VFS versions prior to 2.10.0 **Description** The FileObject API in Commons VFS has a `resolveFile` method that takes a `scope` parameter. Specifying `NameScope.DESCENDENT` promises that an exception is thrown if the resolved file is not a descendent of the base file. However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. **Recommendations** For versions prior to 2.10.0, upgrade to version 2.10.0, which fixes the issue. As a temporary workaround, consider restricting the use of the `resolveFile` method with the `NameScope.DESCENDENT` scope to minimize the risk of exploitation. Avoid using encoded ".." characters in paths passed to the `resolveFile` method until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache James versions prior to 3.7.5 and 3.8.0 **Description** The issue concerns the exposure of a JMX endpoint on localhost, which is subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default, the JMX endpoint is only bound locally. **Recommendations** - Upgrade to a non-vulnerable Apache James version - Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible, turn off JMX

**Name of the Vulnerable Software and Affected Versions** Apache Xerces C++ XML parser versions 3.0.0 through 3.2.5 **Description** The issue is related to a use-after-free error triggered during the scanning of external DTDs. This can allow a remote attacker to execute arbitrary code. Users can mitigate the issue by disabling DTD processing, which can be accomplished via the DOM using a standard parser feature, or via SAX using the `XERCES DISABLE DTD` environment variable. **Recommendations** To resolve the issue, upgrade to version 3.2.5, which fixes the problem. As a temporary workaround, consider disabling DTD processing via the DOM using a standard parser feature, or via SAX using the `XERCES DISABLE DTD` environment variable.

**Name of the Vulnerable Software and Affected Versions** Apache Zeppelin versions prior to 0.8.2 **Description** An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue allows logged-in users to execute arbitrary javascript in other users' browsers. **Recommendations** For versions prior to 0.8.2, upgrade to a supported version of Zeppelin. As a temporary workaround, consider restricting access to sensitive features until a patch is available.