当前位置:网站首页>Apache multiple component vulnerability disclosure (cve-2022-32533/cve-2022-33980/cve-2021-37839)

Apache multiple component vulnerability disclosure (cve-2022-32533/cve-2022-33980/cve-2021-37839)

2022-07-07 14:51:00 51CTO

OSCS( Open source software supply chain security community ) Launch free vulnerabilities 、 Poison information subscription service , Community users can subscribe to intelligence information through robots , For specific subscription methods, please refer to : ​ ​https://www.oscs1024.com/?src=wx​

7 month 6 Japan ,OSCS Detected Apache The loopholes of many projects under the foundation are open , Please pay attention to the corresponding component users .

Summary of vulnerability

1、Apache Portals Jetspeed-2(CVE-2022-32533)

Apache Portals Jetspeed-2 User input is not handled securely , Led to including XSS、CSRF、XXE and SSRF Including many problems .

  • Vulnerability impact level : Middle risk
  • Utilization cost : low
  • Affected components :
      
      

       
       org.apache.portals.jetspeed-2:jetspeed-2
      
      

      
      
    
       
       
  • 1.
    •
  • Affects version :\[\*,2.3.1\], The government no longer maintains , No fix version
  • CVE Number :CVE-2022-32533

With XSS For example , The registered user name is set to

But officials say Apache Portals Jetspeed-2 yes Apache Portals Items that are no longer maintained in , No updates will be provided ,OSCS Suggest developers to replace .

Reference link :

      
      

       
       https://www.oscs1024.com/hd/MPS-2022-17607/?src=wx
       
       

       
       
https://nvd.nist.gov/vuln/detail/CVE-2022-32533
      
      

      
      
    
       
       
  • 1.
    • 
       
       
  • 2.
    • 
       
       
  • 3.
    •

2、Apache Commons Configuration(CVE-2022-33980)

Apache Commons Configuration Is a component for managing configuration files , stay 2.8 Some previous versions supported multiple variable value methods , Include javax.script、dns and url, Result in arbitrary code execution or network access .

  • Vulnerability impact level : Middle risk
  • Utilization cost : high
  • Affected components :
      
      

       
       org.apache.commons:commons-configuration2
      
      

      
      
    
       
       
  • 1.
    •
  • Affects version :\[2.4,2.8.0), The authorities are already in 2.8.0 Version fixes this problem by disabling dangerous methods
  • CVE Number :CVE-2022-33980

Form like ​​${prefix:name}​​ The string of can be parsed , When interpolate When the string of the operation is controllable , Vulnerabilities can be exploited , Supported by prefix Here's the picture .

Apache Multiple component vulnerabilities are exposed (CVE-2022-32533/CVE-2022-33980/CVE-2021-37839)_ Loophole

The following code can trigger

Apache Multiple component vulnerabilities are exposed (CVE-2022-32533/CVE-2022-33980/CVE-2021-37839)_apache_02

Reference link :

      
      

       
       https://www.oscs1024.com/hd/MPS-2022-19214/?src=wx
       
       

       
       
https://nvd.nist.gov/vuln/detail/CVE-2022-33980
      
      

      
      
    
       
       
  • 1.
    • 
       
       
  • 2.
    • 
       
       
  • 3.
    •

3、Apache Superset(CVE-2021-37839) Apache Superset Is a data visualization and data exploration platform .

stay Apache Superset In the affected version , Authenticated users can access metadata information related to the dataset without authorization , Include dataset name 、 Columns and indicators .

  • Vulnerability impact level : Middle risk
  • Utilization cost : in
  • Affected components :
      
      

       
       apache-superset
      
      

      
      
    
       
       
  • 1.
    •
  • Affects version :\[\*,1.5.1), The authorities are already in 1.5.1 Version to fix this
  • CVE Number :CVE-2021-37839
      
      

       
        Reference link :
       
       

       
       
https://www.oscs1024.com/hd/MPS-2021-28604/?src=wx
       
       

       
       
https://nvd.nist.gov/vuln/detail/CVE-2021-37839
      
      

      
      
    
       
       
  • 1.
    • 
       
       
  • 2.
    • 
       
       
  • 3.
    • 
       
       
  • 4.
    • 
       
       
  • 5.
    •

The disposal of advice

OSCS It is recommended that users use the above components according to the above risk tips , Repair to a safe version as soon as possible .

See more vulnerability information :​ ​https://www.oscs1024.com/hl​

Learn more about

1、 Free use OSCS Intelligence subscription service

OSCS ( Open source software supply chain security community ) The latest security risk dynamics of open source projects will be released at the first time , Including open source component security vulnerabilities 、 Information such as events , Community users can use enterprise and wechat 、 nailing 、 Fly Book Robot and other ways to subscribe to intelligence information , For specific subscription methods, please refer to :

 ​https://www.oscs1024.com/docs/vuln-warning/intro/​

Apache Multiple component vulnerabilities are exposed (CVE-2022-32533/CVE-2022-33980/CVE-2021-37839)_apache_03

Apache Multiple component vulnerabilities are exposed (CVE-2022-32533/CVE-2022-33980/CVE-2021-37839)_ Data sets _04

原网站

版权声明
本文为[51CTO]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/188/202207071233106376.html

边栏推荐

猜你喜欢

随机推荐