Sw0Rd1Ight

**Name of the Vulnerable Software and Affected Versions** Airflow versions prior to 2.11.1 **Description** The software contains a flaw that permits authenticated users possessing audit log access to view sensitive values within audit logs that they are not authorized to see. Specifically, when sensitive connection parameters were established through the Airflow command-line interface (CLI), the values of these variables were exposed in the audit log and stored unencrypted within the Airflow database. This risk is confined to users with audit log access. The issue concerns connection secrets not being masked in the user interface when connections are added via the CLI. **Recommendations** Upgrade to Airflow version 2.11.1 or a later version. Manually delete entries containing sensitive connection values from the log table for users who previously used the CLI to set connections.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 8.5.0 through 8.5.100 Apache Tomcat versions 9.0.0.M1 through 9.0.109 Apache Tomcat versions 10.1.0-M1 through 10.1.46 Apache Tomcat versions 11.0.0-M1 through 11.0.11 **Description** An improper resource shutdown or release issue exists in Apache Tomcat. During a multipart upload, if an error occurs (including exceeding limits), temporary copies of the uploaded parts written to disc were not immediately cleaned up. These copies were left for garbage collection. Depending on JVM settings, application memory usage, and application load, the space for these temporary copies could be filled faster than garbage collection could clear it, potentially leading to a denial-of-service (DoS) condition. **Recommendations** Upgrade to Apache Tomcat version 11.0.12 or later. Upgrade to Apache Tomcat version 10.1.47 or later. Upgrade to Apache Tomcat version 9.0.110 or later.

**Name of the Vulnerable Software and Affected Versions** Django versions 4.2 through 4.2.25 Django versions 5.1 through 5.1.13 Django versions 5.2 through 5.2.7 **Description** A SQL injection issue exists in Django’s QuerySet methods—specifically `annotate()`, `alias()`, `aggregate()`, and `extra()`—when using a crafted dictionary with dictionary expansion as the `kwargs` passed to these methods on MySQL and MariaDB databases. The issue affects column aliases. **Recommendations** Update to Django version 4.2.25 or later. Update to Django version 5.1.13 or later. Update to Django version 5.2.7 or later.

**Name of the Vulnerable Software and Affected Versions** html.parser.HTMLParser (affected versions not specified) **Description** The issue concerns the html.parser.HTMLParser class, which has worse-case quadratic complexity when processing certain crafted malformed inputs. This could potentially lead to amplified denial-of-service attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vite versions prior to 6.2.6 Vite versions prior to 6.1.5 Vite versions prior to 6.0.15 Vite versions prior to 5.4.18 Vite versions prior to 4.5.13 **Description** Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request, for those requests with an invalid request-line, the spec recommends to reject them with 400 or 301. On Node and Bun, those requests are not rejected internally and are passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network and running the Vite dev server on runtimes that are not Deno (e.g., Node, Bun) are affected. Over 130,000 services are potentially affected. **Recommendations** To resolve the issue for versions prior to 6.2.6, update to version 6.2.6 or later. To resolve the issue for versions prior to 6.1.5, update to version 6.1.5 or later. To resolve the issue for versions prior to 6.0.15, update to version 6.0.15 or later. To resolve the issue for versions prior to 5.4.18, update to version 5.4.18 or later. To resolve the issue for versions prior to 4.5.13, update to version 4.5.13 or later.

**Name of the Vulnerable Software and Affected Versions** Django versions 5.1 before 5.1.8 Django versions 5.0 before 5.0.14 **Description** An issue was discovered where the NFKC normalization is slow on Windows, making certain views subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. The affected views include `django.contrib.auth.views.LoginView`, `django.contrib.auth.views.LogoutView`, and `django.views.i18n.set language`. **Recommendations** For Django versions 5.1 before 5.1.8, update to version 5.1.8 or later. For Django versions 5.0 before 5.0.14, update to version 5.0.14 or later.

**Name of the Vulnerable Software and Affected Versions** Django versions 4.2 through 4.2.19 Django versions 5.0 through 5.0.12 Django versions 5.1 through 5.1.6 **Description** A potential denial-of-service attack can occur when the django.utils.text.wrap() method and wordwrap template filter are used with very long strings. **Recommendations** For Django versions 4.2 through 4.2.19, update to version 4.2.20 or later. For Django versions 5.0 through 5.0.12, update to version 5.0.13 or later. For Django versions 5.1 through 5.1.6, update to version 5.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 9.0.0.M1 through 9.0.98 Apache Tomcat versions 10.1.0-M1 through 10.1.34 Apache Tomcat versions 11.0.0-M1 through 11.0.2 **Description** The issue affects Apache Tomcat due to a path equivalence vulnerability, allowing remote code execution and/or information disclosure and/or malicious content added to uploaded files via the write-enabled default servlet. A malicious user can view security-sensitive files and/or inject content into those files if certain conditions are met, including writes enabled for the default servlet, support for partial PUT, and specific knowledge of security-sensitive file names. Additionally, remote code execution is possible under specific conditions, including the use of Tomcat's file-based session persistence and the presence of a library that can be leveraged in a deserialization attack. It is estimated that over 10.7 million services are potentially affected. **Recommendations** To resolve the issue, upgrade to version 11.0.3, 10.1.35, or 9.0.98, which fixes the issue. As a temporary workaround, consider disabling the write-enabled default servlet until a patch is available. Restrict access to security-sensitive files and directories to minimize the risk of exploitation. Avoid using partial PUT requests until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.10.0 **Description** The issue allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This requires the provider to be installed on the web server and the user to click the provider link. **Recommendations** For Apache Airflow versions prior to 2.10.0, upgrade to 2.10.0 or later, which fixes this issue. As a temporary workaround, consider restricting access to provider documentation links to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** The issue is related to errors in handling input data in the Oracle WebLogic Server Core component. This can be exploited by a remote attacker to execute arbitrary code by injecting specially crafted messages via T3 and IIOP protocols. Successful attacks can result in the takeover of the Oracle WebLogic Server. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, consider restricting access to the T3 and IIOP protocols until a patch is available. As a temporary workaround, consider disabling the Core component of the Oracle WebLogic Server until a patch is available. Avoid using the Oracle WebLogic Server for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow Spark Provider versions prior to 4.1.3 **Description** The issue allows an attacker to pass in malicious parameters when establishing a connection, giving an opportunity to read files on the Airflow server. **Recommendations** For versions prior to 4.1.3, it is recommended to upgrade to a version that is not affected.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow Drill Provider versions prior to 2.4.3 **Description** The issue is related to improper input validation in Apache Airflow Drill Provider, allowing an attacker to pass malicious parameters when establishing a connection with DrillHook. This gives the attacker an opportunity to read files on the Airflow server. **Recommendations** For versions prior to 2.4.3, it is recommended to upgrade to a version that is not affected. As a temporary workaround, consider restricting access to the DrillHook connection to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.7.0 **Description** The issue affects Apache InLong, allowing an attacker to bypass the current logic and achieve arbitrary file reading by exploiting a deserialization of untrusted data vulnerability. This could enable a remote attacker to read files arbitrarily. **Recommendations** To solve this issue, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.6.0 **Description** The issue is related to the deserialization of untrusted data, which allows attackers to bypass the `autoDeserialize` option filtering by adding blanks. This can potentially lead to the execution of arbitrary code. **Recommendations** To solve the issue, users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7674.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. This is due to insufficient input validation in the Core component. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 and 12.2.1.4.0, update to a version that fixes the issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that fixes the issue. As a temporary workaround, consider restricting access to the T3 protocol to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Linkis versions 1.3.0 through 1.3.1 **Description** The issue is related to the lack of effective filtering of parameters in Apache Linkis, which can lead to a deserialization vulnerability. This vulnerability can be triggered by an attacker configuring malicious Mysql JDBC parameters in the JDBC EngineConn Module, resulting in remote code execution. The parameters in the Mysql JDBC URL should be blacklisted to prevent exploitation. **Recommendations** For Apache Linkis versions 1.3.0 through 1.3.1, upgrade the version of Linkis to version 1.3.2 to resolve the issue. As a temporary workaround, consider blacklisting the parameters in the Mysql JDBC URL to minimize the risk of exploitation. Restrict access to the JDBC EngineConn Module to prevent malicious configuration of Mysql JDBC parameters.

**Name of the Vulnerable Software and Affected Versions** Apache Linkis versions 1.3.1 and earlier **Description** The issue arises because parameters are not effectively filtered in Apache Linkis, allowing an attacker to use the MySQL data source and malicious parameters to configure a new data source. This triggers a deserialization vulnerability, eventually leading to remote code execution. **Recommendations** For Apache Linkis versions 1.3.1 and earlier, upgrade the version of Linkis to version 1.3.2.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow Hive Provider versions prior to 6.0.0 **Description** The issue is related to improper control of generation of code, also known as 'Code Injection'. This allows a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 6.0.0, update to version 6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the system to minimize the risk of exploitation.