Osword

**Name of the Vulnerable Software and Affected Versions** IBM WebSphere Application Server versions 8.5, 9.0 IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.3 **Description** The issue is related to server-side request forgery (SSRF). By sending a specially crafted request, an attacker could exploit this vulnerability to conduct the SSRF attack. **Recommendations** For IBM WebSphere Application Server versions 8.5, 9.0, consider disabling the vulnerable functionality until a patch is available. For IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.3, restrict access to the affected modules to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spring Security versions 5.6 prior to 5.6.9 Spring Security versions 5.7 prior to 5.7.5 **Description** The issue concerns the potential bypass of authorization rules in Spring Security via forward or include dispatcher types. An application is vulnerable if it expects Spring Security to apply security to forward and include dispatcher types, uses the `AuthorizationFilter` manually or via the `authorizeHttpRequests()` method, configures the `FilterChainProxy` to apply to forward and/or include requests, and may forward or include the request to a higher privilege-secured endpoint. The application must also configure Spring Security to apply to every dispatcher type via `authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)`. **Recommendations** For Spring Security version 5.6 prior to 5.6.9, update to version 5.6.9 or later to resolve the issue. For Spring Security version 5.7 prior to 5.7.5, update to version 5.7.5 or later to resolve the issue. As a temporary workaround, consider disabling the `AuthorizationFilter` or restricting the use of `authorizeHttpRequests()` until a patch is available. Restrict access to higher privilege-secured endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 7u331, 8u321, 11.0.14, 17.0.2, 18 Oracle GraalVM Enterprise Edition versions 20.3.5, 21.3.1, 22.0.0.2 **Description** The issue is related to insufficient input validation in the Libraries component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This can be exploited by an unauthenticated attacker with network access via multiple protocols, potentially resulting in unauthorized update, insert, or delete access to some accessible data. The vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through the use of APIs in the specified component. **Recommendations** For Oracle Java SE versions 7u331, 8u321, 11.0.14, 17.0.2, 18, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.5, 21.3.1, 22.0.0.2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Libraries component until a patch is available. Avoid using APIs in the specified component that may supply data to untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.1.3.0.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server. This allows an unauthenticated attacker with network access via the T3 protocol to compromise the server. Successful attacks can result in unauthorized access to modify or delete data and cause a partial denial of service. **Recommendations** For Oracle WebLogic Server versions 12.1.3.0.0 through 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the T3 protocol to minimize the risk of exploitation.