Superxiaoxiong

**Name of the Vulnerable Software and Affected Versions** DataEase versions prior to 1.18.5 **Description** DataEase is an open source data visualization analysis tool where users can modify data, and data sources are expected to sanitize data properly. However, the AWS redshift data source does not provide data sanitization, which may lead to remote code execution. **Recommendations** For versions prior to 1.18.5, upgrade to version 1.18.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the AWS redshift data source until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** metersphere versions prior to 1.20.20 lts metersphere versions prior to 2.7.1 **Description** metersphere is an open source continuous testing platform. An improper access control issue exists in "/api/jmeter/download/files", which allows any user to download any file without authentication. This may expose all files available to the running process. **Recommendations** For versions prior to 1.20.20 lts, upgrade to version 1.20.20 lts or later. For versions prior to 2.7.1, upgrade to version 2.7.1 or later. As a temporary workaround, consider restricting access to the "/api/jmeter/download/files" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GoCD versions prior to 22.1.0 **Description** The issue affects the gocd-ldap-authentication-plugin bundled with the GoCD Server, which fails to correctly escape special characters when using the `username` to construct LDAP queries. This allows an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, enabling them to deduce facts about other users or entries within the LDAP database through brute force mechanisms. The issue only affects users with a working LDAP authorization configuration enabled on their GoCD server and is exploitable by users authenticating using such an LDAP configuration. **Recommendations** For versions prior to 22.1.0, update to GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144, to resolve the issue. As a temporary workaround, consider restricting access to the LDAP authentication configuration to minimize the risk of exploitation.