Bit-Sec

**Name of the Vulnerable Software and Affected Versions** Nacos Spring Project versions 1.1.1 and earlier **Description** The issue allows a remote attacker to execute arbitrary code via the `SnakeYamls` `Constructor()` component. This enables the attacker to potentially gain control over the system, leading to severe security consequences. **Recommendations** For versions 1.1.1 and earlier, consider disabling the `SnakeYamls` component or restricting access to it until a patch is available. As a temporary workaround, avoid using the `Constructor()` function of the `SnakeYamls` component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Archery versions 1.7.0 through 1.8.5 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `checksum` parameter in the report module. **Recommendations** For versions 1.7.0 through 1.8.5, as a temporary workaround, consider restricting access to the report module until a patch is available. Avoid using the `checksum` parameter in the affected module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Archery versions 1.7.5 through 1.8.5 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `where` parameter at the "/archive/apply" API endpoint. **Recommendations** For versions 1.7.5 through 1.8.5, as a temporary workaround, consider restricting access to the "/archive/apply" API endpoint until a patch is available. Avoid using the `where` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Archery versions 1.4.5 through 1.8.5 **Description** The issue concerns multiple SQL injection vulnerabilities. These vulnerabilities exist via the `start file`, `end file`, `start time`, and `stop time` parameters in the binlog2sql interface. **Recommendations** For versions 1.4.5 through 1.8.5, consider restricting access to the binlog2sql interface until a patch is available. As a temporary workaround, avoid using the `start file`, `end file`, `start time`, and `stop time` parameters in the binlog2sql interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Archery versions 1.8.3 through 1.8.5 **Description** The issue is related to multiple SQL injection vulnerabilities. These vulnerabilities can be exploited via the `start time` and `stop time` parameters in the my2sql interface. **Recommendations** For versions 1.8.3 through 1.8.5, consider restricting access to the my2sql interface until a patch is available. As a temporary workaround, avoid using the `start time` and `stop time` parameters in the my2sql interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Archery versions 1.4.0 through 1.8.5 **Description** The issue is related to a SQL injection vulnerability. It occurs via the `ThreadIDs` parameter in the "kill session" interface. **Recommendations** For versions 1.4.0 through 1.8.5, upgrade to version 1.9.0 or above to resolve the issue. As a temporary workaround, consider restricting access to the `kill session` interface until the update is applied. Avoid using the `ThreadIDs` parameter in the affected interface until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Archery versions 1.4.0 through 1.8.5 **Description** The issue is related to a SQL injection vulnerability. It can be exploited via the `ThreadIDs` parameter in the `create kill session` interface. **Recommendations** For Archery versions 1.4.0 through 1.8.5, consider restricting access to the `create kill session` interface until a patch is available. As a temporary workaround, avoid using the `ThreadIDs` parameter in the affected interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.