Yanshuchong

**Name of the Vulnerable Software and Affected Versions** Facebook Thrift versions prior to 2019.02.18.00 **Description** The issue allows malicious clients to send short messages that take a long time for the server to parse, potentially leading to denial of service. This occurs because Python Facebook Thrift servers do not error upon receiving messages with containers of fields of unknown type. **Recommendations** For versions prior to 2019.02.18.00, update to version 2019.02.18.00 or later to resolve the issue. As a temporary workaround, consider implementing measures to limit the parsing time of incoming messages to prevent potential denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** Facebook Thrift versions prior to 2019.02.18.00 **Description** The issue allows malicious clients to send short messages that take a long time for the server to parse, potentially leading to denial of service. This occurs because Java Facebook Thrift servers do not error when receiving messages with containers of fields of unknown type. **Recommendations** For versions prior to 2019.02.18.00, update to version 2019.02.18.00 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Puppet Discovery versions prior to 1.4.0 **Description** The issue concerns a default generated TLS certificate in the nginx container. Previously, Puppet Discovery was shipped with this default certificate. In version 1.4.0, a unique certificate will be generated on installation, or the user will be able to provide their own TLS certificate for ingress. **Recommendations** For versions prior to 1.4.0, update to version 1.4.0 to generate a unique TLS certificate on installation or provide your own TLS certificate for ingress.

**Name of the Vulnerable Software and Affected Versions** Bootstrap versions prior to 3.4.0 **Description** The issue is related to the affix plugin in Bootstrap, which does not properly protect the structure of a web page, allowing for potential exploitation. This could enable a remote attacker to perform cross-site scripting attacks. **Recommendations** For versions prior to 3.4.0, update to version 3.4.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Eclipse Vert.x versions 3.0.0 through 3.5.3 **Description** The StaticHandler in Eclipse Vert.x uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '' (backslashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. **Recommendations** For Eclipse Vert.x versions 3.0.0 through 3.5.3, consider updating to a version where this issue is resolved, as the current version does not properly handle pathname construction based on external input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Eclipse Vert.x versions 3.5.Beta1 through 3.5.3 **Description** The OpenAPI XML type validator in Eclipse Vert.x creates XML parsers without adequate protection against XML attacks when a developer uses it to validate a provided schema. **Recommendations** For versions 3.5.Beta1 through 3.5.3, consider disabling the OpenAPI XML type validator until a patch is available to prevent potential XML attacks. Restrict the use of XML parsers to minimize the risk of exploitation.