Yakov Shafranovich

**Name of the Vulnerable Software and Affected Versions** Apache Tika versions 1.13 through 3.2.1 Apache Tika tika-core versions 1.13 through 3.2.1 Apache Tika tika-pdf-module versions 2.0.0 through 3.2.1 Apache Tika tika-parsers versions 1.13 through 1.28.5 **Description** A critical XML External Entity (XXE) issue exists in Apache Tika, specifically within the `tika-parser-pdf-module`, `tika-core`, and `tika-parsers` components. This flaw allows an attacker to inject malicious XML code via a crafted XFA file embedded within a PDF document. Successful exploitation could enable an attacker to read sensitive data or initiate unauthorized requests to internal resources or external servers. The root cause of the vulnerability lies within the `PDFParser` component, initially reported in the `tika-parser-pdf-module` but ultimately fixed in `tika-core`. The vulnerability affects versions 1.x where the `PDFParser` resides in the `org.apache.tika:tika-parsers` module. **Recommendations** Upgrade to Apache Tika version 3.2.2 or later. Upgrade `tika-core` to version 3.2.2 or later. Upgrade `tika-pdf-module` to version 3.2.2 or later. Upgrade `tika-parsers` to version 1.28.5 or later.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 8u411, 8u411-perf, 11.0.23 Oracle GraalVM Enterprise Edition versions 20.3.14, 21.3.10 IBM SDK, Java Technology Edition versions 7.1.0.0 through 7.1.5.18 IBM SDK, Java Technology Edition versions 8.0.0.0 through 8.0.8.26 **Description** The issue is related to insufficient input validation in the Concurrency component, allowing an unauthenticated attacker with network access via multiple protocols to compromise the system. Successful attacks can result in a partial denial of service. This issue applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets. The vulnerability does not apply to Java deployments that load and run only trusted code, typically in servers. **Recommendations** For Oracle Java SE versions 8u411, 8u411-perf, 11.0.23, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.14, 21.3.10, update to a version that includes the fix for this issue. For IBM SDK, Java Technology Edition versions 7.1.0.0 through 7.1.5.18, update to a version outside of this range. For IBM SDK, Java Technology Edition versions 8.0.0.0 through 8.0.8.26, update to a version outside of this range. As a temporary workaround, consider restricting access to the Concurrency component until a patch is available.

Name of the Vulnerable Software and Affected Versions: Oracle Java SE versions 8u401, 8u401-perf, 11.0.22 Oracle GraalVM Enterprise Edition versions 20.3.13, 21.3.9 Description: The issue is related to insufficient input validation in the Concurrency component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This can be exploited by an unauthenticated attacker with network access via multiple protocols, potentially leading to a partial denial of service (DOS) of the affected systems. The vulnerability can be exploited through APIs in the specified component, for example, via a web service that supplies data to the APIs. It also affects Java deployments that load and run untrusted code from the internet and rely on the Java sandbox for security. Recommendations: For Oracle Java SE versions 8u401, 8u401-perf, 11.0.22, consider updating to a newer version to mitigate the risk. For Oracle GraalVM Enterprise Edition versions 20.3.13, 21.3.9, consider updating to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the Concurrency component until a patch is available. Avoid using APIs in the Concurrency component that supply data from untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Commons Compress versions 1.3 through 1.25.0 Bamboo Data Center and Server versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 Confluence Data Center and Server version 7.14 **Description** The issue is related to a Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This vulnerability may allow an unauthenticated attacker to expose assets in the environment, susceptible to exploitation, with high impact to confidentiality, integrity, and availability. The vulnerability requires no user interaction. **Recommendations** Apache Commons Compress versions 1.3 through 1.25.0: Upgrade to version 1.26.0. Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.12. Bamboo Data Center and Server 9.4: Upgrade to a release greater than or equal to 9.4.4. Bamboo Data Center and Server 9.5: Upgrade to a release greater than or equal to 9.5.2. Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.25. Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.12. Confluence Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.4.

**Name of the Vulnerable Software and Affected Versions** Apache Commons Compress versions 1.21 through 1.25 **Description** The issue is related to an uncontrolled resource consumption vulnerability in Apache Commons Compress, which can be exploited by an attacker to impact the availability of protected information. This occurs when a damaged Pack200 file is unpacked. **Recommendations** To resolve the issue, users are recommended to upgrade to version 1.26, which fixes the problem.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE version 17.0.9 Oracle GraalVM for JDK version 17.0.9 Oracle GraalVM Enterprise Edition versions 21.3.8 and 22.3.4 **Description** The issue is related to insufficient input validation in the Security component of the affected software, allowing an unauthenticated attacker with network access via multiple protocols to compromise the system. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data. This vulnerability applies to Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets, and rely on the Java sandbox for security. **Recommendations** For Oracle Java SE version 17.0.9, update to a newer version that contains a fix for this vulnerability. For Oracle GraalVM for JDK version 17.0.9, update to a newer version that contains a fix for this vulnerability. For Oracle GraalVM Enterprise Edition versions 21.3.8 and 22.3.4, update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the Security component in the affected software until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elasticsearch (affected versions not specified) **Description** An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** logback version 1.4.11 Confluence Data Center and Server versions from 6.0.1 to 8.7.1 Confluence Data Center and Server versions from 8.7.0 to 8.7.1 Confluence Data Center versions from 8.6.0 to 8.6.2 Confluence Data Center versions from 8.5.0 to 8.5.4 LTS Confluence Data Center versions from 8.4.0 to 8.4.5 Confluence Data Center versions from 8.3.0 to 8.3.4 Confluence Data Center versions from 8.2.0 to 8.2.3 Confluence Data Center versions from 8.1.0 to 8.1.4 Confluence Data Center versions from 8.0.0 to 8.0.4 Confluence Data Center versions from 7.20.0 to 7.20.3 Confluence Data Center versions from 7.19.0 to 7.19.17 LTS Confluence Data Center versions from 7.18.0 to 7.18.3 Confluence Data Center versions from 7.17.0 to 7.17.5 Confluence Server versions from 8.5.0 to 8.5.4 LTS Confluence Server versions from 8.4.0 to 8.4.5 Confluence Server versions from 8.3.0 to 8.3.4 Confluence Server versions from 8.2.0 to 8.2.3 Confluence Server versions from 8.1.0 to 8.1.4 Confluence Server versions from 8.0.0 to 8.0.4 Confluence Server versions from 7.20.0 to 7.20.3 Confluence Server versions from 7.19.0 to 7.19.17 LTS Confluence Server versions from 7.18.0 to 7.18.3 Confluence Server versions from 7.17.0 to 7.17.5 Bitbucket Data Center and Server versions 7.21.0, 8.9.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0 **Description** A serialization vulnerability in the logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This issue is only exploitable if the logback receiver component is deployed. **Recommendations** For logback version 1.4.11, consider disabling the logback receiver component until a patch is available. For Confluence Data Center and Server versions from 6.0.1 to 8.7.1, upgrade to the latest version or one of the specified supported fixed versions. For Confluence Data Center versions from 8.6.0 to 8.6.2, upgrade to version 8.8.0 or later. For Confluence Data Center versions from 8.5.0 to 8.5.4 LTS, upgrade to version 8.8.0, 8.5.5 LTS, or 8.5.6 LTS. For Confluence Data Center versions from 8.4.0 to 8.4.5, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.3.0 to 8.3.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.2.0 to 8.2.3, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.1.0 to 8.1.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.0.0 to 8.0.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 7.20.0 to 7.20.3, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 7.19.0 to 7.19.17 LTS, upgrade to version 8.8.0, 8.5.6 LTS, 7.19.18 LTS, or 7.19.19 LTS. For Confluence Data Center versions from 7.18.0 to 7.18.3, upgrade to version 8.8.0, 8.5.6 LTS, or 7.19.19 LTS. For Confluence Data Center versions from 7.17.0 to 7.17.5, upgrade to version 8.8.0, 8.5.6 LTS, or 7.19.19 LTS. For Confluence Server versions from 8.5.0 to 8.5.4 LTS, upgrade to version 8.5.5 LTS or 8.5.6 LTS. For Confluence Server versions from 8.4.0 to 8.4.5, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.3.0 to 8.3.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.2.0 to 8.2.3, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.1.0 to 8.1.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.0.0 to 8.0.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 7.20.0 to 7.20.3, upgrade to version 8.5.6 LTS. For Confluence Server versions from 7.19.0 to 7.19.17 LTS, upgrade to version 8.5.6 LTS, 7.19.18 LTS, or 7.19.19 LTS. For Confluence Server versions from 7.18.0 to 7.18.3, upgrade to version 8.5.6 LTS or 7.19.19 LTS. For Confluence Server versions from 7.17.0 to 7.17.5, upgrade to version 8.5.6 LTS or 7.19.19 LTS. For Bitbucket Data Center and Server versions 7.21.0, upgrade to a release greater than or equal to 7.21.19. For Bitbucket Data Center and Server versions 8.9.0, upgrade to a release greater than or equal to 8.9.9. For Bitbucket Data Center and Server versions 8.13.0, upgrade to a release greater than or equal to 8.13.5. For Bitbucket Data Center and Server versions 8.14.0, upgrade to a release greater than or equal to 8.14.4. For Bitbucket Data Center versions 8.15.0, upgrade to a release greater than or equal to 8.15.3. For Bitbucket Data Center versions 8.16.0, upgrade to a release greater than or equal to 8.16.2.

**Name of the Vulnerable Software and Affected Versions** Apache Commons Compress versions 1.22 through 1.23 **Description** The issue is related to uncontrolled resource consumption due to insufficient input validation when processing TAR archive headers. This can be exploited by a remote attacker to cause a denial of service. The estimated number of potentially affected devices is not specified. **Recommendations** For Apache Commons Compress versions 1.22 through 1.23, update to version 1.24.0 or later to resolve the issue. As a temporary workaround, consider restricting the processing of TAR archives from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 18c through 19c **Description** The issue is related to insufficient input validation in the Advanced Networking Option component of Oracle Database Server, allowing an unauthenticated attacker with network access via Oracle Net to compromise the component. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products, potentially resulting in the takeover of Advanced Networking Option. **Recommendations** For versions 18c and 19c, update to a version that includes the fix for this issue to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Webex Event Center (affected versions not specified) Cisco Webex Meeting Center (affected versions not specified) Cisco Webex Support Center (affected versions not specified) Cisco Webex Training Center (affected versions not specified) **Description** A vulnerability in the web interface of the Cisco Webex products could allow an unauthenticated, remote attacker to guess account usernames due to missing CAPTCHA protection in certain URLs. An attacker could exploit this by sending a crafted request to the web interface, potentially allowing them to determine if a given username is valid and find the real name of the user. **Recommendations** For Cisco Webex Event Center, consider implementing CAPTCHA protection for all URLs as a temporary workaround until a patch is available. For Cisco Webex Meeting Center, restrict access to sensitive information to minimize the risk of exploitation. For Cisco Webex Support Center, avoid using vulnerable URLs in the web interface until the issue is resolved. For Cisco Webex Training Center, disable any features that rely on username validation until a fix is provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Credentials Plugin versions 2.1.18 and earlier **Description** The issue allows users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path and obtain the certificate content of files containing a PKCS#12 certificate. This can lead to information leakage about files and directories. An attacker can exploit this to create or update credentials and gain access to files containing a PKCS#12 certificate. **Recommendations** For Jenkins Credentials Plugin versions 2.1.18 and earlier, update to a version later than 2.1.18 to resolve the issue. At the moment, there is no information about other specific fixes for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amazon Fire OS versions prior to 5.3.6.4 **Description** The issue allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages. **Recommendations** For Amazon Fire OS versions prior to 5.3.6.4, update to version 5.3.6.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Android versions 1.0 through 9.0 **Description** The issue concerns Insecure Permissions. **Recommendations** For Android versions 1.0 through 9.0, update to a version with secure permissions to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Android versions 7.0 through 9.0 **Description** The issue concerns information disclosure when WiFi is switched, involving the `sendNetworkStateChangeBroadcast` function of `WifiStateMachine.java`. This function broadcasts an intent that includes detailed WiFi network information, potentially leading to information disclosure without requiring execution privileges. User interaction is not necessary for exploitation. **Recommendations** For Android versions 7.0 through 9.0, consider restricting access to the WiFi network information broadcast by the `sendNetworkStateChangeBroadcast` function of `WifiStateMachine.java` to minimize the risk of information disclosure. As a temporary workaround, consider disabling the `sendNetworkStateChangeBroadcast` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Samsung Display Solutions App versions prior to 3.02 **Description** The issue allows man-in-the-middle attackers to spoof B2B content by leveraging the failure to use encryption during information transmission. **Recommendations** For versions prior to 3.02, update to version 3.02 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Google Chrome OS versions prior to 62.0.3202.74 Description: The issue is related to an inappropriate implementation in ChromeVox, which allowed a remote attacker in a privileged network position to observe or tamper with certain cleartext HTTP requests. Recommendations: For versions prior to 62.0.3202.74, update to version 62.0.3202.74 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: DuoLingo TinyCards version 1.0 and earlier Description: The issue allows remote attackers to spoof content and achieve remote code execution via a man-in-the-middle attack due to the use of unencrypted HTTP. Recommendations: For DuoLingo TinyCards version 1.0 and earlier, update to version 1.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Private Internet Access (PIA) versions prior to 1.3.3.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash. This can be achieved by providing a large VPN server-list file. **Recommendations** For versions prior to 1.3.3.1, update to version 1.3.3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zoho Site24x7 Mobile Network Poller version 1.1.4 and earlier **Description** The issue allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a self-signed certificate because the application does not verify X.509 certificates from SSL servers. **Recommendations** For versions prior to 1.1.5, update to version 1.1.5 or later to resolve the issue.