Stephan Sekula

**Name of the Vulnerable Software and Affected Versions** Replicated Classic versions prior to 2.53.1 **Description** The issue allows authenticated users with Admin Console access to retrieve sensitive data, including application secrets, via accessing container definitions with environment variables through the Admin Console API on port 8800. This data is shared over authenticated sessions to the Admin Console only, and was never displayed or used in the application processing. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** To resolve the issue, update to version 2.53.1 or later. As a temporary workaround, consider restricting access to the Admin Console API on port 8800 to minimize the risk of exploitation. Avoid using environment variables that may contain sensitive data in container definitions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Gradle Enterprise versions through 2021.3 **Description** The issue allows probing of the server-side network environment via an SMTP configuration test. Administrators can test configured SMTP server settings through the installation configuration user interface, which can reveal information about the internal network environment by identifying listening TCP ports available to the server. **Recommendations** For versions through 2021.3, consider restricting access to the SMTP configuration test function to minimize the risk of internal network environment probing. As a temporary workaround, limit the use of the SMTP server settings testing feature until a patch is available.

Name of the Vulnerable Software and Affected Versions: CheckSec Canopy versions prior to 3.5.2 Description: The issue allows XSS attacks against the login page via the `LOGIN PAGE DISCLAIMER` parameter. Recommendations: For versions prior to 3.5.2, update to version 3.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the login page or avoiding the use of the `LOGIN PAGE DISCLAIMER` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Cesanta Mongoose Embedded Web Server Library versions 6.7 and earlier Mongoose OS versions 1.2 and earlier **Description** The issue is related to a use-after-free vulnerability in the `mg http multipart wait for boundary` function. This vulnerability can be exploited by sending a multipart/form-data POST request without a MIME boundary string, which can cause a denial of service (crash). **Recommendations** For Cesanta Mongoose Embedded Web Server Library versions 6.7 and earlier, update to a version later than 6.7 to resolve the issue. For Mongoose OS versions 1.2 and earlier, update to a version later than 1.2 to resolve the issue. As a temporary workaround, consider restricting access to the `mg http multipart wait for boundary` function until a patch is available.