Apache multiple component vulnerability disclosure (cve-2022-32533/cve-2022-33980/cve-2021-37839)

OSCS( Open source software supply chain security community ) Launch free vulnerabilities 、 Poison information subscription service , Community users can subscribe to intelligence information through robots , For specific subscription methods, please refer to ： ​ ​https://www.oscs1024.com/?src=wx​​

7 month 6 Japan ,OSCS Detected Apache The loopholes of many projects under the foundation are open , Please pay attention to the corresponding component users .

Summary of vulnerability

1、Apache Portals Jetspeed-2（CVE-2022-32533）

Apache Portals Jetspeed-2 User input is not handled securely , Led to including XSS、CSRF、XXE and SSRF Including many problems .

• Vulnerability impact level ： Middle risk
• Utilization cost ： low
• Affected components ：

      
      

       
       org.apache.portals.jetspeed-2:jetspeed-2
      
      
      
      

       
       
1.
      
      

• Affects version ：\[\*,2.3.1\], The government no longer maintains , No fix version
• CVE Number ：CVE-2022-32533

With XSS For example , The registered user name is set to

But officials say Apache Portals Jetspeed-2 yes Apache Portals Items that are no longer maintained in , No updates will be provided ,OSCS Suggest developers to replace .

Reference link ：

      
      

       
       https://www.oscs1024.com/hd/MPS-2022-17607/?src=wx
       
       

       
       
https://nvd.nist.gov/vuln/detail/CVE-2022-32533
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
      
      

2、Apache Commons Configuration（CVE-2022-33980）

Apache Commons Configuration Is a component for managing configuration files , stay 2.8 Some previous versions supported multiple variable value methods , Include javax.script、dns and url, Result in arbitrary code execution or network access .

• Vulnerability impact level ： Middle risk
• Utilization cost ： high
• Affected components ：

      
      

       
       org.apache.commons:commons-configuration2
      
      
      
      

       
       
1.
      
      

• Affects version ：\[2.4,2.8.0), The authorities are already in 2.8.0 Version fixes this problem by disabling dangerous methods
• CVE Number ：CVE-2022-33980

Form like ​​${prefix:name}​​ The string of can be parsed , When interpolate When the string of the operation is controllable , Vulnerabilities can be exploited , Supported by prefix Here's the picture .

The following code can trigger

Reference link ：

      
      

       
       https://www.oscs1024.com/hd/MPS-2022-19214/?src=wx
       
       

       
       
https://nvd.nist.gov/vuln/detail/CVE-2022-33980
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
      
      

3、Apache Superset（CVE-2021-37839） Apache Superset Is a data visualization and data exploration platform .

stay Apache Superset In the affected version , Authenticated users can access metadata information related to the dataset without authorization , Include dataset name 、 Columns and indicators .

• Vulnerability impact level ： Middle risk
• Utilization cost ： in
• Affected components ：

      
      

       
       apache-superset
      
      
      
      

       
       
1.
      
      

• Affects version ：\[\*,1.5.1), The authorities are already in 1.5.1 Version to fix this
• CVE Number ：CVE-2021-37839

      
      

       
        Reference link ：
       
       

       
       
https://www.oscs1024.com/hd/MPS-2021-28604/?src=wx
       
       

       
       
https://nvd.nist.gov/vuln/detail/CVE-2021-37839
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
       
       
4.
       
       
5.
      
      

The disposal of advice

OSCS It is recommended that users use the above components according to the above risk tips , Repair to a safe version as soon as possible .

See more vulnerability information ：​ ​https://www.oscs1024.com/hl​​

Learn more about

1、 Free use OSCS Intelligence subscription service

OSCS ( Open source software supply chain security community ) The latest security risk dynamics of open source projects will be released at the first time , Including open source component security vulnerabilities 、 Information such as events , Community users can use enterprise and wechat 、 nailing 、 Fly Book Robot and other ways to subscribe to intelligence information , For specific subscription methods, please refer to ：

​ ​https://www.oscs1024.com/docs/vuln-warning/intro/​​