Tony Torralba

**Name of the Vulnerable Software and Affected Versions** Meshery versions prior to 0.7.22 **Description** A SQL injection issue may lead to arbitrary file write by using a SQL injection stacked queries payload and the ATTACH DATABASE command. Attackers may be able to access and modify any data stored in the database, including performance profiles, Meshery application data, or Kubernetes configuration. The Meshery project exposes the function `GetMeshSyncResourcesKinds` at the API endpoint "/api/system/meshsync/resources/kinds". The `order` query parameter is directly used to build a SQL query in `meshync handler.go`. **Recommendations** For Meshery versions prior to 0.7.22, update to version 0.7.22 to resolve the issue. As a temporary workaround, consider restricting access to the `/api/system/meshsync/resources/kinds` API endpoint until a patch is available. Avoid using the `order` query parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Meshery versions prior to 0.7.22 **Description** A SQL injection vulnerability may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Attackers may be able to access and modify any data stored in the database, like performance profiles, Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAllEvents` at the API endpoint "/api/v2/events". The `sort` query parameter read in `events streamer.go` is directly used to build a SQL query in `events persister.go`. **Recommendations** For versions prior to 0.7.22, update to version 0.7.22 or later, which fixes this issue by using the `SanitizeOrderInput` function. As a temporary workaround, consider restricting access to the `/api/v2/events` API endpoint until the issue is resolved. Avoid using the `sort` query parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Owncast versions prior to 0.1.3 **Description** Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL "/api/admin". The "emoji/delete" endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The `name` parameter is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. **Recommendations** For versions prior to 0.1.3, update to version 0.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/admin" endpoint, specifically the "emoji/delete" endpoint, to minimize the risk of exploitation. Avoid using the `name` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Meshery versions prior to 0.7.17 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. This affects Meshery's ability to manage Kubernetes-based infrastructure and applications securely. **Recommendations** For versions prior to 0.7.17, update to version 0.7.17 to resolve the issue. As a temporary workaround, consider restricting access to the `GetMeshSyncResources` function or avoiding the use of the `order` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Redisson versions prior to 3.22.0 **Description** The issue concerns a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers can trick clients into communicating with a malicious server, including specially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. **Recommendations** For versions prior to 3.22.0, update to version 3.22.0 to resolve the issue. As a temporary workaround, consider restricting the allowed classes for deserialization by using the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor. Avoid using the `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. Use `KryoCodec` as a safe alternative for deserialization.

**Name of the Vulnerable Software and Affected Versions** Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0 through 2.8.3 **Description** The issue allows attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. This is possible because the plugin trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs. **Recommendations** For Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0 through 2.8.3, update to a version that fixes the issue, as the current versions trust values provided in the webhook payload, allowing potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Aerospike Java Client versions prior to 7.0.0 Aerospike Java Client versions prior to 6.2.0 Aerospike Java Client versions prior to 5.2.0 Aerospike Java Client versions prior to 4.5.0 **Description** The Aerospike Java client has a vulnerability related to the deserialization of Java objects received from the server. Attackers can trick clients into communicating with a malicious server, which can include crafted objects in its responses that force the client to execute arbitrary code when deserialized. This can be abused to take control of the machine the client is running on. The issue is related to the `ObjectInputStream` used in the `Buffer.bytesToObject` method, which deserializes objects from the message bytes without proper validation. **Recommendations** For versions prior to 7.0.0, update to version 7.0.0 or later. For versions prior to 6.2.0, update to version 6.2.0 or later. For versions prior to 5.2.0, update to version 5.2.0 or later. For versions prior to 4.5.0, update to version 4.5.0 or later. As a temporary workaround, consider avoiding deserialization of untrusted data if possible, and use other formats like JSON or XML instead of serialized objects. However, be aware that these formats should not be deserialized into complex objects to minimize attack opportunities.

**Name of the Vulnerable Software and Affected Versions** Jenkins External Monitor Job Type Plugin versions 206.v9a 94ff0b 4a 10 and earlier **Description** The issue allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. **Recommendations** For versions 206.v9a 94ff0b 4a 10 and earlier, update to version 207.v98a a 37a 85525 or later, which disables external entity resolution for its XML parser. As a temporary workaround, consider restricting access to the plugin's XML parser to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins MathWorks Polyspace Plugin versions 1.0.5 and earlier **Description** The issue allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system. This is due to the lack of restriction on the path of attached files in the Polyspace Notification post-build step. **Recommendations** For Jenkins MathWorks Polyspace Plugin versions 1.0.5 and earlier, consider restricting access to the Polyspace Notification post-build step to prevent attackers from sending emails with arbitrary files. As a temporary workaround, restrict the Item/Configure permission to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins AWS CodeCommit Trigger Plugin versions 3.0.12 and earlier **Description** The issue allows attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system due to the lack of restriction on the AWS SQS queue name path parameter in an HTTP endpoint. **Recommendations** For Jenkins AWS CodeCommit Trigger Plugin versions 3.0.12 and earlier, consider restricting access to the HTTP endpoint until a patch is available. As a temporary workaround, restrict the Item/Read permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ownCloud Android app versions prior to 3.0 **Description** The ownCloud Android app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. These bypasses may lead to information disclosure when uploading the app's internal files and to arbitrary file write when uploading plain text files, although this is limited by the .txt extension. **Recommendations** For versions prior to 3.0, update to version 3.0 to fix the reported bypasses. As a temporary workaround, consider restricting file uploads to minimize the risk of exploitation. Avoid using the app to upload plain text files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ownCloud Android app version 2.21.1 ownCloud Android app versions 3.0 and earlier **Description** The ownCloud Android app is affected by a SQL injection issue in `FileContentProvider.kt`, which can lead to information disclosure. Two databases, `filelist` and `owncloud database`, are impacted. Although the `filelist` database was deprecated in version 3.0, injections affecting `owncloud database` remain relevant as of version 3.0. **Recommendations** For version 2.21.1, consider updating to a version where the SQL injection issue in `FileContentProvider.kt` is fixed. For versions 3.0 and earlier, restrict access to the `owncloud database` to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the `FileContentProvider.kt` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions prior to 18.12.06 **Description** The issue arises from the way Apache OFBiz handles URLs provided by external, unauthenticated users, making it vulnerable to Regular Expression Denial of Service (ReDoS). **Recommendations** For versions prior to 18.12.06, upgrade to 18.12.06 or apply the necessary patches to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Tapestry versions up to 5.8.1 **Description** The issue is related to a Regular Expression Denial of Service (ReDoS) in the way Apache Tapestry handles Content Types. Specially crafted Content Types can cause catastrophic backtracking, taking exponential time to complete, due to the regular expression used on the parameter of the `org.apache.tapestry5.http.ContentType` class. This vulnerability cannot be triggered by web requests in Tapestry code alone and would only occur if non-Tapestry code passes outside input to the `ContentType` class constructor. **Recommendations** For Apache Tapestry versions up to 5.8.1, update to version 5.8.2 to resolve the issue. As a temporary workaround, consider restricting the use of the `org.apache.tapestry5.http.ContentType` class to minimize the risk of exploitation, especially when handling outside input.

**Name of the Vulnerable Software and Affected Versions** No information is available about the vulnerable software and its affected versions. **Description** The issue is related to a security problem, but details are not provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JetBrains PyCharm versions prior to 2020.3.4 **Description** The issue allows for local code execution due to insufficient checks when getting the project from VCS. **Recommendations** For versions prior to 2020.3.4, update to version 2020.3.4 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: JetBrains YouTrack versions prior to 2020.6.8801 Description: The issue concerns information disclosure in an issue preview. Recommendations: For versions prior to 2020.6.8801, update to version 2020.6.8801 or later to resolve the issue.