Apache multiple component vulnerability disclosure (CVE-2022-32533 / CVE-2022-33980 / CVE-2021-37839)
2022-07-07 14:51:00 【51CTO】
OSCS (Open Source Software Supply Chain Security Community) has launched a free vulnerability and poisoning intelligence subscription service. Community users can subscribe to the intelligence feed through bots; for subscription details, see: https://www.oscs1024.com/?src=wx
On July 6, OSCS detected that vulnerabilities in several projects under the Apache Foundation had been disclosed. Users of the affected components should take note.
Summary of vulnerabilities
1、Apache Portals Jetspeed-2 (CVE-2022-32533)
Apache Portals Jetspeed-2 does not handle user input securely, leading to multiple issues including XSS, CSRF, XXE and SSRF.
- Vulnerability severity: Medium
- Exploitation cost: Low
- Affected components:
- Affected versions: [*, 2.3.1]; the project is no longer maintained upstream and there is no fixed version
- CVE number: CVE-2022-32533
Taking XSS as an example, the registered user name is set to
However, upstream states that Apache Portals Jetspeed-2 is a project under Apache Portals that is no longer maintained and that no updates will be provided. OSCS recommends that developers replace it.
Reference link:
2、Apache Commons Configuration (CVE-2022-33980)
Apache Commons Configuration is a component for managing configuration files. Versions before 2.8 supported several variable-lookup methods, including javax.script, dns and url, which can result in arbitrary code execution or unintended network access.
- Vulnerability severity: Medium
- Exploitation cost: High
- Affected components:
- Affected versions: [2.4, 2.8.0); upstream fixed this in 2.8.0 by disabling the dangerous lookup methods
- CVE number: CVE-2022-33980
Strings of the form ${prefix:name} are parsed and resolved during interpolation. When the string passed to the interpolate operation is attacker-controllable, the vulnerability can be exploited. The supported prefixes are shown in the figure below.
The following code can trigger the vulnerability:
Reference link:
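Because the advisory's trigger snippet and prefix figure did not survive extraction, the following is an added defensive example (my own code, not from OSCS or the Commons Configuration project). It shows how an application that cannot yet move to 2.8.0 can remove the script, dns and url prefix lookups from a configuration's interpolator and verify that they are gone, so that a placeholder such as ${script:...} in attacker-influenced data is left unresolved instead of evaluated. The DANGEROUS_PREFIXES deny list, the class name and the sample property value are constructed for this example; the library calls used (getInterpolator, deregisterLookup, getLookups, getString) are the Commons Configuration 2.x API.

```java
import java.util.Set;
import java.util.TreeSet;
import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;

public class HardenedConfig {
    // Deny list for this example: the three prefixes named in CVE-2022-33980.
    // This set is our own constant, not something the library defines.
    static final Set<String> DANGEROUS_PREFIXES = Set.of("script", "dns", "url");

    // Remove the dangerous prefix lookups from the configuration's interpolator.
    // Prefixes that are not registered are simply ignored by deregisterLookup.
    static PropertiesConfiguration harden(PropertiesConfiguration config) {
        ConfigurationInterpolator interp = config.getInterpolator();
        for (String prefix : DANGEROUS_PREFIXES) {
            interp.deregisterLookup(prefix);
        }
        return config;
    }

    // Check: which of the dangerous prefixes are still registered? An empty set
    // means none of them can be reached through ${prefix:name} interpolation.
    static Set<String> remainingDangerousPrefixes(PropertiesConfiguration config) {
        Set<String> registered = new TreeSet<>(config.getInterpolator().getLookups().keySet());
        registered.retainAll(DANGEROUS_PREFIXES);
        return registered;
    }

    public static void main(String[] args) {
        PropertiesConfiguration config = new PropertiesConfiguration();
        // Constructed sample value standing in for data an attacker might influence
        // (for example a user-supplied string that ends up stored as a property).
        config.setProperty("greeting", "${script:javascript:'hi'}");

        System.out.println("before hardening: " + remainingDangerousPrefixes(config));
        harden(config);
        System.out.println("after hardening:  " + remainingDangerousPrefixes(config));

        // With the script lookup deregistered, the interpolator finds no lookup for
        // the prefix and returns the placeholder text as-is rather than evaluating it.
        System.out.println("resolved value: " + config.getString("greeting"));
    }
}
```

The check method is the useful part for a fleet: run it against every Configuration instance your application builds (they each carry their own interpolator) and fail startup if the returned set is non-empty. Upgrading to 2.8.0, where these lookups are off by default, remains the proper fix; the deregistration above is a stop-gap for a pinned older release.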
3、Apache Superset (CVE-2021-37839)
Apache Superset is a data visualization and data exploration platform.
In affected versions of Apache Superset, authenticated users can access metadata about datasets without authorization, including dataset names, columns and metrics.
- Vulnerability severity: Medium
- Exploitation cost: Medium
- Affected components:
- Affected versions: [*, 1.5.1); upstream fixed this in version 1.5.1
- CVE number: CVE-2021-37839
Remediation advice
OSCS recommends that users of the above components review the risk notes above and upgrade to a safe version as soon as possible.
See more vulnerability information: https://www.oscs1024.com/hl
Learn more
1、Use the OSCS intelligence subscription service for free
OSCS (Open Source Software Supply Chain Security Community) publishes the latest security risk developments of open source projects as soon as they occur, including open source component security vulnerabilities and incidents. Community users can subscribe to the intelligence feed via WeCom, DingTalk and Feishu bots, among other channels; for subscription details, see: