Codeplutos

**Name of the Vulnerable Software and Affected Versions** Grails versions prior to 3.3.15 Grails versions 4.x prior to 4.1.1 Grails versions 5.x prior to 5.1.9 Grails versions 5.2.x prior to 5.2.1 **Description** A vulnerability has been discovered in the Grails data-binding logic which allows for Remote Code Execution in a Grails application. This exploit requires the application to be running on Java 8, either deployed as a WAR to a servlet container, or an executable JAR. A remote attacker can execute code by gaining access to the class loader. **Recommendations** For Grails versions prior to 3.3.15, update to version 3.3.15 or later. For Grails versions 4.x prior to 4.1.1, update to version 4.1.1 or later. For Grails versions 5.x prior to 5.1.9, update to version 5.1.9 or later. For Grails versions 5.2.x prior to 5.2.1, update to version 5.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue exists due to insufficient input validation in the Coherence Container component of Oracle WebLogic Server, allowing a remote attacker to compromise the server's confidentiality, integrity, and availability via T3 and IIOP protocols. Successful attacks can result in the takeover of Oracle WebLogic Server. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the T3 and IIOP protocols to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to the Samples component of Oracle WebLogic Server and is caused by inadequate access control. It allows an unauthenticated attacker with network access via IIOP, T3 protocols to compromise the server. Successful attacks can result in the takeover of Oracle WebLogic Server. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to a vulnerability in the Oracle WebLogic Server product, specifically in the Console component. This vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the Oracle WebLogic Server, potentially resulting in a takeover. The vulnerability is easily exploitable and can impact the confidentiality, integrity, and availability of the server. It is associated with errors in code generation management and can be exploited using HTTP requests. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the emergency patch released by Oracle to fix this critical flaw. As a temporary workaround, consider restricting access to the Console component until a patch is applied. Avoid using the vulnerable Console component in the affected Oracle WebLogic Server versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via IIOP, T3 protocols to compromise the server. Successful attacks can result in the takeover of Oracle WebLogic Server. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the IIOP and T3 protocols until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 3.2.0 through 3.2.5 **Description** The issue is related to the Kafka protocol dissector component in Wireshark, which could crash due to a double free error during LZ4 decompression. This could potentially allow a remote attacker to cause a denial of service. The problem was addressed by modifying the epan/dissectors/packet-kafka.c file to avoid the double free error. **Recommendations** For Wireshark versions 3.2.0 through 3.2.5, update the software to a version where the issue has been fixed, specifically by applying the changes made to the epan/dissectors/packet-kafka.c file to avoid the double free error during LZ4 decompression. As a temporary workaround, consider disabling the Kafka protocol dissector until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Redis versions prior to 6.0.3 **Description** The issue is caused by an integer overflow in the `getnum` function, which allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service or possibly bypass intended sandbox restrictions. This can be achieved by providing a large number that triggers a stack-based buffer overflow. The issue exists due to a regression of a previously known problem. **Recommendations** For versions prior to 6.0.3, update to version 6.0.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of Lua code in Redis sessions to minimize the risk of exploitation.