X1R0Z

**Name of the Vulnerable Software and Affected Versions** Apache HugeGraph-Server versions prior to 1.7.0 **Description** A remote code execution issue exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Hessian is a binary object serialization format. **Recommendations** Upgrade to version 1.7.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache EventMesh versions prior to 1.11.0 **Description** The issue concerns the deserialization of untrusted data at the eventmesh-meta-raft plugin module in Apache EventMesh, allowing attackers to send controlled messages and execute remote code via the Hessian deserialization RPC protocol. This affects platforms such as Windows, Linux, and Mac OS. **Recommendations** For versions prior to 1.11.0, users can use the code under the master branch in the project repository or update to version 1.11.0 to fix this issue. As a temporary workaround, consider restricting access to the vulnerable `eventmesh-meta-raft` plugin module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache Seata versions 1.0.0 through 1.8.0 Apache Seata version 2.0.0 **Description** The issue is related to the deserialization of untrusted data in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This can allow a remote attacker to cause a denial of service using a specially crafted request. **Recommendations** For Apache Seata versions 1.0.0 through 1.8.0, upgrade to version 1.8.1, which fixes the issue. For Apache Seata version 2.0.0, upgrade to version 2.1.0, which fixes the issue. As a temporary workaround, consider disabling the authentication on the Seata-Server or using the Seata client SDK dependencies to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.10.0 through 1.12.0 **Description** The issue affects Apache InLong due to improper control of code generation, which could lead to remote code execution. This allows a remote attacker to execute arbitrary code. Users are advised to take immediate action to mitigate the threat. **Recommendations** For Apache InLong versions 1.10.0 through 1.12.0, upgrade to Apache InLong's 1.13.0 or cherry-pick the provided patch to solve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.7.0 through 1.9.0 **Description** The issue is related to the deserialization of untrusted data in Apache InLong, allowing attackers to perform an arbitrary file read attack using the mysql driver. **Recommendations** For Apache InLong versions 1.7.0 through 1.9.0, upgrade to Apache InLong's 1.10.0 or cherry-pick the fix from https://github.com/apache/inlong/pull/9331 to solve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.5.0 through 1.9.0 **Description** The issue is related to an Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong, which could lead to Remote Code Execution. This vulnerability affects Apache InLong versions from 1.5.0 through 1.9.0. **Recommendations** To solve the issue, users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick the solution provided in https://github.com/apache/inlong/pull/9329.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, part of the Oracle Fusion Middleware platform. This can be exploited by a remote attacker to gain unauthorized access to protected information. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to errors in handling input data in the Core component of the Oracle WebLogic Server. It allows an unauthenticated attacker with network access via T3 to compromise the server. Successful attacks can result in unauthorized access to critical data or complete access to all accessible data on the Oracle WebLogic Server. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the T3 protocol to minimize the risk of exploitation.