Fabian Meumertzheim

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1 Oracle GraalVM Enterprise Edition versions 20.3.4, 21.3.0 **Description** The issue is related to insufficient input validation in the ImageIO component, allowing an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful attacks can result in a partial denial of service. This vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component, such as through a web service supplying data to the APIs. **Recommendations** For Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.4 and 21.3.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the ImageIO component until a patch is available. Avoid using APIs in the specified component that supply data from untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 11.0.13, 17.0.1 Oracle GraalVM Enterprise Edition versions 20.3.4, 21.3.0 **Description** The vulnerability in the ImageIO component of Oracle Java SE and Oracle GraalVM Enterprise Edition is related to unlimited resource allocation. Exploitation of this vulnerability can allow a remote attacker to cause a partial denial of service. This issue affects Java deployments that load and run untrusted code, relying on the Java sandbox for security. The vulnerability can be exploited through APIs in the specified component, for example, via a web service that supplies data to the APIs. **Recommendations** For Oracle Java SE versions 11.0.13, 17.0.1: Update to a version that includes the fix for this vulnerability. For Oracle GraalVM Enterprise Edition versions 20.3.4, 21.3.0: Update to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting access to the ImageIO component until a patch is available. Avoid using APIs in the specified component that may supply data to untrusted sources.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.30 through 2.4.48 **Description** A carefully crafted request uri-path can cause mod proxy uwsgi to read above the allocated memory and crash, resulting in a denial of service (DoS). The issue is related to the mod proxy uwsgi function in the Apache HTTP Server, which allows a remote attacker to exploit the vulnerability by sending a specially crafted uri-path request. **Recommendations** For Apache HTTP Server versions 2.4.30 through 2.4.48, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OWASP json-sanitizer versions prior to 1.2.2 Description: The issue arises when crafted input is processed, potentially leading to the output of invalid JSON or the throwing of an undeclared exception. This situation may result in a denial of service if the application is not equipped to handle such exceptions. Recommendations: For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider implementing exception handling mechanisms to manage undeclared exceptions and invalid JSON outputs.