The new iPad Pro released last year came equipped with the Face ID technology that had debuted earlier on the iPhone…
[org.exist-db:exist-core] exist-db:exist-core XML External Entity (XXE) vulnerability
eXist-db (exist) versions up to and including 5.0.0-RC4 contain an XML External Entity (XXE) vulnerability in the XML parser used by the REST server. Exploitation can result in disclosure of confidential data, denial of service, SSRF and port scanning of the server's internal network.
References
https://nvd.nist.gov/vuln/detail/CVE-…
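The XXE class of bug described above comes from letting a JAXP parser resolve DOCTYPE declarations and external entities supplied by the client. The following is an added example, not eXist-db's own code: it parses a constructed XXE probe once with a default `DocumentBuilderFactory` and once with a factory hardened in the way any Java XML consumer should be. The file path in the payload and the class name are illustrative choices, not identifiers from the advisory.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example: vulnerable vs. hardened JAXP parser configuration for XXE. */
public class XxeHardening {

    // Constructed sample payload: a classic XXE probe that declares an external
    // entity backed by a local file and expands it inside the document body.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<doc>&xxe;</doc>";

    /** Vulnerable: stock JAXP settings resolve DOCTYPE and external entities. */
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /**
     * Hardened: refuse DOCTYPE outright (which removes entities, DTD fetches and
     * the billion-laughs DoS in one step), and additionally switch off every
     * external-resolution feature for parsers that ignore the first setting.
     */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the document and returns the root element's text content. */
    static String parseRootText(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // With the default factory the entity is resolved: on a host where the
        // referenced file exists its contents are returned to the caller, which
        // is the data-disclosure case from the advisory.
        try {
            System.out.println("unsafe parser returned: " + parseRootText(unsafeFactory(), PAYLOAD));
        } catch (Exception e) {
            System.out.println("unsafe parser tried to resolve the entity: " + e);
        }

        // The hardened factory rejects the DOCTYPE before any entity is touched.
        try {
            parseRootText(hardenedFactory(), PAYLOAD);
            System.out.println("hardened parser unexpectedly accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

Disallowing DOCTYPE is the setting that matters; the remaining features are defence in depth for parser implementations that honour only some of them. If an application genuinely needs DTDs, keep `disallow-doctype-decl` off but leave the two `external-*-entities` features false and `load-external-dtd` false, and apply the same settings to every `SAXParserFactory`, `XMLInputFactory` and `TransformerFactory` the service creates.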
[org.springframework.security:spring-security-oauth2-jose] Spring Security vulnerable to Authorization Bypass
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that ca…
[flatmap-stream] Critical severity vulnerability that affects event-stream and flatmap-stream
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4,…
[org.eclipse.jetty:jetty-server] Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)
Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations) are vulnerable to HTTP Request Smuggling when presented with two Content-Length headers, allowing authorization bypass. Wh…
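Request smuggling works because two hops in the chain disagree on where one request ends and the next begins, and duplicate or conflicting Content-Length headers are the simplest way to create that disagreement. The following is an added example, not Jetty's own parsing code: a strict framing check in the spirit of RFC 7230 sections 3.3.2 and 3.3.3 that refuses any request whose body length is ambiguous, run against a constructed request of the shape the advisory describes. Class and header values are illustrative.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Added example: reject ambiguous message framing instead of guessing. */
public class StrictContentLength {

    /**
     * Returns the single body length declared by the header block, or throws
     * IllegalArgumentException (to be mapped to 400 Bad Request and a closed
     * connection) whenever the framing is ambiguous. An ambiguous request is
     * exactly what a front-end proxy and the origin may interpret differently.
     */
    static long declaredContentLength(List<String> headerLines) {
        Set<String> lengths = new LinkedHashSet<>();
        boolean transferEncoding = false;
        for (String line : headerLines) {
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue; // request line, not a header field
            }
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            if (name.equals("content-length")) {
                // "Content-Length: 6, 40" on one line is the same ambiguity as
                // two separate lines, so split list syntax and collect each value.
                for (String v : value.split(",")) {
                    lengths.add(v.trim());
                }
            } else if (name.equals("transfer-encoding")) {
                transferEncoding = true;
            }
        }
        if (transferEncoding && !lengths.isEmpty()) {
            throw new IllegalArgumentException("Content-Length sent together with Transfer-Encoding");
        }
        if (lengths.isEmpty()) {
            return 0L; // no body declared
        }
        if (lengths.size() > 1) {
            throw new IllegalArgumentException("conflicting Content-Length values: " + lengths);
        }
        String only = lengths.iterator().next();
        if (!only.matches("[0-9]{1,18}")) { // rejects "+6", "-1", "0x10", "" and absurd lengths
            throw new IllegalArgumentException("invalid Content-Length: " + only);
        }
        return Long.parseLong(only);
    }

    public static void main(String[] args) {
        // Constructed sample: two disagreeing Content-Length headers. A front end
        // honouring the first forwards a 6-byte body; an origin honouring the
        // second waits for 40 bytes and swallows the start of the next request.
        List<String> smuggled = Arrays.asList(
            "POST /login HTTP/1.1",
            "Host: example.test",
            "Content-Length: 6",
            "Content-Length: 40");
        List<String> clean = Arrays.asList(
            "POST /login HTTP/1.1",
            "Host: example.test",
            "Content-Length: 6");

        System.out.println("clean request body length: " + declaredContentLength(clean));
        try {
            declaredContentLength(smuggled);
            System.out.println("smuggled request was accepted (bad)");
        } catch (IllegalArgumentException e) {
            System.out.println("smuggled request rejected with 400: " + e.getMessage());
        }
    }
}
```

The check is deliberately stricter than the RFC's minimum: identical duplicate values are tolerated by the standard, but collapsing them through the set means only genuinely disagreeing values fail, while any Content-Length alongside Transfer-Encoding is rejected rather than silently ignored. Apply the same rule at every hop; a proxy that normalises and an origin that rejects are both fine, a pair that each tolerate the other's reading is what the advisory exploits.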
[org.apache.struts:struts2-core] Apache Struts vulnerable to remote command execution (RCE) due to improper input validation
Apache Struts contains a Remote Code Execution vulnerability when using results with no namespace while the enclosing (upper) actions have no namespace or a wildcard namespace. The same flaw exists when using a url tag with no value or action set while the enclosing (upper) actions have no namespace or a wildcard n…
[org.springframework:spring-core] Files or Directories Accessible to External Parties in org.springframework:spring-core
Under some situations, Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions are vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script …
[org.springframework:spring-core] Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass
Spring Framework version 5.0.5, when used in combination with any version of Spring Security, contains an authorization bypass when using method security. A malicious user can gain unauthorized access to methods that should be restricted.
…