-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Findings for Medium #56
Comments
Finding [138476467|https://app.armorcode.com/#/findings/185/656/138476467] status changed from Open to Confirmed |
Finding [138476496|https://app.armorcode.com/#/findings/185/656/138476496] status changed from Open to Confirmed |
Finding [138476518|https://app.armorcode.com/#/findings/185/656/138476518] status changed from Open to Confirmed |
Finding [138476468|https://app.armorcode.com/#/findings/185/656/138476468] status changed from Open to Confirmed |
Finding [138476498|https://app.armorcode.com/#/findings/185/656/138476498] status changed from Open to Confirmed |
Finding [138476499|https://app.armorcode.com/#/findings/185/656/138476499] status changed from Open to Confirmed |
Finding [138476475|https://app.armorcode.com/#/findings/185/656/138476475] status changed from Open to Confirmed |
Finding [138476497|https://app.armorcode.com/#/findings/185/656/138476497] status changed from Open to Confirmed |
Findings for Medium
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
References:
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
References:
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Affected packages
Only the
org.apache.logging.log4j:log4j-core
package is directly affected by this vulnerability. Theorg.apache.logging.log4j:log4j-api
should be kept at the same version as theorg.apache.logging.log4j:log4j-core
package to ensure compatability if in use.This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited.
References:
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
References:
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
References:
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
References:
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
References:
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
References:
The text was updated successfully, but these errors were encountered: