Microsoft · Azure Service Fabric Explorer · CVE-2022-35829
**Name of the Vulnerable Software and Affected Versions**
Azure Service Fabric Explorer versions 8.1.316 and earlier
**Description**
The issue allows an attacker to potentially gain administrator rights in a cluster. It affects Azure Service Fabric Explorer (SFX), the web-based tool used to manage Azure Service Fabric clusters, which in turn are used to build and deploy cloud-based microservice applications. The root cause is a privilege escalation chain: an attacker who holds 'Create Compose Application' permissions in the SFX client can create a malicious application, exploit a cross-site scripting (XSS) vulnerability in the 'Application name' field, and deliver a payload. With that payload, the attacker can ultimately reset a cluster node and erase all custom settings, such as passwords and security configurations.
**Recommendations**
If you run Azure Service Fabric Explorer 8.1.316 or earlier, update to a version that includes Microsoft's fix for this issue, as provided in their recent updates. As a temporary workaround, consider restricting access to the SFX client for users who hold 'Create Compose Application' permissions, to minimize the risk of exploitation, and avoid using the 'Application name' field in the SFX client until the issue is resolved.
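A defence-in-depth pattern for the 'Application name' field described above, added here as an example and not SFX's or Microsoft's own code: validate names against a strict allowlist on input, HTML-escape them on output, and audit names already stored in a cluster for ones that would not pass. The `fabric:/` URI form is Service Fabric's application-name convention; the exact character allowlist, the length limit and the sample names are assumptions.

```javascript
// Added example, not SFX's own code. Assumptions: Service Fabric application
// names are "fabric:/" URIs; the character allowlist and length limit are a
// deliberately strict, hypothetical policy; SAMPLE_NAMES is constructed data.

const APP_NAME_PATTERN = /^fabric:\/[A-Za-z0-9_.~-]+(\/[A-Za-z0-9_.~-]+)*$/;
const MAX_NAME_LENGTH = 256;

// Input-side check: accept only plain fabric:/ URIs, so markup such as a
// <script> tag or an event-handler attribute can never be stored as a name.
function isSafeApplicationName(name) {
  return typeof name === 'string'
    && name.length <= MAX_NAME_LENGTH
    && APP_NAME_PATTERN.test(name);
}

// Output-side check: escape before the name is inserted into the page, so a
// name that slipped past validation is rendered as text, not parsed as HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Render helper: every name is escaped; invalid ones are also flagged so the
// UI can show a warning instead of trusting the value.
function renderApplicationName(name) {
  return { safe: isSafeApplicationName(name), html: escapeHtml(name) };
}

// Defender audit: given names read from an existing cluster, return those
// that fail the policy, i.e. candidates for review while patching.
function findSuspiciousNames(names) {
  return names.filter((n) => !isSafeApplicationName(n));
}

// Constructed sample input (not real cluster data), including one name that
// carries markup in the style of a stored XSS attempt.
const SAMPLE_NAMES = [
  'fabric:/OrdersApi',
  'fabric:/Billing/Worker',
  'fabric:/Report<script>alert(1)</script>',
];

console.log('names needing review:', findSuspiciousNames(SAMPLE_NAMES));
```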