Dan Amodio

**Name of the Vulnerable Software and Affected Versions** SQLFluff versions prior to 2.1.2 **Description** In environments where untrusted users have access to the config files, there is a potential security issue where those users could use the `library path` config value to allow arbitrary python code to be executed via macros. This may not be an issue for users with already escalated privileges, but it could be a problem in larger user bases or where SQLFluff is bundled into another tool. The `library path` argument can be used to execute arbitrary python code, and an example of how an external URL might be called to reveal internal information is provided. **Recommendations** For versions prior to 2.1.2, use the option `--library-path none` when invoking SQLFluff to disable the `library-path` option entirely. As a temporary workaround, limit access to or validate configuration files before they are ingested by SQLFluff. For version 2.1.2 and later, no additional action is required as the `--library-path` option can be used to override any values provided in the config files.

**Name of the Vulnerable Software and Affected Versions** OpenMRS htmlformentry module versions prior to 3.11.0 **Description** A remote code execution issue was discovered, allowing a malicious Velocity Template Language file to be written to a directory through path traversal. This file could then be accessed and executed. **Recommendations** For versions prior to 3.11.0, update to version 3.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Velocity Template Language files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 7u251, 8u241, 11.0.6, and 14 Java SE Embedded version 8u241 **Description** The issue is related to insufficient input validation in the Lightweight HTTP Server component of Oracle Java SE and Java SE Embedded. This can be exploited by a remote attacker to gain unauthorized access to modify, add, or delete data, or to access protected information. The vulnerability can only be exploited by supplying data to APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets. Successful attacks can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For Java SE versions 7u251, 8u241, 11.0.6, and 14, consider disabling access to the Lightweight HTTP Server component until a patch is available. For Java SE Embedded version 8u241, restrict access to the vulnerable component to minimize the risk of exploitation. As a temporary workaround, avoid using APIs in the specified component without proper validation and sanitization of input data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.