Liyw979

**Name of the Vulnerable Software and Affected Versions** Ambari (affected versions not specified) **Description** A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using `sh -c`. An attacker with authenticated access can exploit this vulnerability to inject malicious commands, leading to remote code execution on the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spring Cloud Data Flow versions prior to 2.11.4 **Description** A malicious user who has access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system, which could lead to compromising the server. The issue is related to incorrect management of code generation. Exploitation of the issue may allow a remote attacker to write a file to any directory on the system using a specially formed API request. **Recommendations** For Spring Cloud Data Flow versions prior to 2.11.4, update to version 2.11.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the Skipper server API to minimize the risk of exploitation. Avoid using the API to upload files to sensitive locations on the server until the issue is resolved.