Zeddyu Lu

**Name of the Vulnerable Software and Affected Versions** Apache Commons Net versions prior to 3.9.0 **Description** The issue is related to the FTP client in Apache Commons Net, which trusts the host from PASV response by default. This allows a malicious server to redirect the Commons Net code to use a different host, potentially leading to leakage of information about services running on the private network of the client. The default behavior was changed in version 3.9.0 to ignore such hosts. **Recommendations** For versions prior to 3.9.0, update to version 3.9.0 or later to change the default behavior and ignore hosts from PASV responses. As a temporary workaround, consider configuring the FTP client to not trust hosts from PASV responses.

**Name of the Vulnerable Software and Affected Versions** GNU Inetutils versions prior to 2.2 **Description** The issue concerns the ftp client in GNU Inetutils, which fails to validate addresses returned by PASV/LSPV responses, ensuring they match the server address. **Recommendations** For GNU Inetutils versions prior to 2.2, update to version 2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JetBrains Ktor versions prior to 1.4.3 **Description** The issue allows for HTTP Request Smuggling, which can be exploited. **Recommendations** For versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JetBrains Ktor versions prior to 1.4.2 **Description** The issue is related to weak cipher suites being enabled by default. This could potentially lead to security risks. **Recommendations** For versions prior to 1.4.2, update to version 1.4.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of weak cipher suites until a patch is available. Restrict access to sensitive data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Web Container component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via HTTP to compromise the server. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Web Container component of Oracle WebLogic Server, allowing a remote attacker to cause a denial of service. Successful attacks can result in the ability to cause a hang or frequently repeatable crash of Oracle WebLogic Server. The vulnerability can be exploited by an unauthenticated attacker with network access via HTTP. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient access control in the Web Container component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via HTTP to compromise the server. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all accessible data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For versions 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 6.0.0 through 6.2.3 Apache Traffic Server versions 7.0.0 through 7.1.8 Apache Traffic Server versions 8.0.0 through 8.0.5 **Description** The issue is related to inconsistent interpretation of HTTP requests, specifically with Transfer-Encoding and Content length headers in the context of a reverse proxy and proxy redirection. This can be exploited by a remote attacker to gain access to confidential data, compromise data integrity, and cause a denial of service. The vulnerability involves a smuggling attack. **Recommendations** For Apache Traffic Server versions 6.0.0 through 6.2.3, upgrade to version 7.1.9 or later. For Apache Traffic Server versions 7.0.0 through 7.1.8, upgrade to version 7.1.9 or later. For Apache Traffic Server versions 8.0.0 through 8.0.5, upgrade to version 8.0.6 or later.