Pyn3Rd

**Name of the Vulnerable Software and Affected Versions** Apache Calcite versions 1.5.0 through 1.41 **Description** An unsafe reflection issue exists where externally-controlled input can be used to select classes or code. Specifically, a user-controlled model can load arbitrary classes, which may lead to remote code execution. **Recommendations** Upgrade to version 1.42.

**Name of the Vulnerable Software and Affected Versions** Apache ActiveMQ versions prior to 5.19.7 Apache ActiveMQ versions 6.0.0 through 6.2.5 Apache ActiveMQ Web versions prior to 5.19.7 Apache ActiveMQ Web versions 6.0.0 through 6.2.5 **Description** An improper neutralization of input during web page generation allows for Cross-site Scripting (XSS). The `MessageServlet` in the ActiveMQ web console API copies every JMS message property into an HTTP response header without validation. This allows an attacker to overwrite and inject security headers by setting them on JMS messages returned by the servlet. **Recommendations** Upgrade to version 5.19.7. Upgrade to version 6.2.6. As a temporary mitigation, disable the `MessageServlet` function.

**Name of the Vulnerable Software and Affected Versions** Apache ActiveMQ Broker versions prior to 5.19.7 Apache ActiveMQ Broker versions 6.0.0 through 6.2.5 Apache ActiveMQ All versions prior to 5.19.7 Apache ActiveMQ All versions 6.0.0 through 6.2.5 Apache ActiveMQ versions prior to 5.19.7 Apache ActiveMQ versions 6.0.0 through 6.2.5 **Description** Improper input validation and improper control of code generation lead to code injection in Apache ActiveMQ Classic. The software exposes the Jolokia JMX-HTTP bridge at the '/api/jolokia/' endpoint on the web console. The default access policy allows execution operations on all ActiveMQ MBeans, specifically the `addNetworkConnector(String)` function of `BrokerService`. An authenticated attacker can use a crafted discovery URI to trigger the `brokerConfig` parameter of the VM transport via a "masterslave://" URL. This allows the loading of a Spring XML application context using `ResourceXmlApplicationContext`. Since `ResourceXmlApplicationContext` instantiates all singleton beans before the `BrokerService` validates the configuration, arbitrary code can be executed on the broker's JVM through bean factory methods such as `Runtime.exec()`. **Recommendations** Upgrade versions prior to 5.19.7 to 5.19.7. Upgrade versions 6.0.0 through 6.2.5 to 6.2.6.