advisory-database

advisory-database copied to clipboard

[GHSA-p5hg-3xm3-gcjg] Spring Framework allows applications to expose STOMP over WebSocket endpoints

2

**Updates** - References - Source code location **Comments** Add source code location and patch links related to CVE-2018-1270.

sunSUNQ

[GHSA-3p86-xgrq-m6p6] Improper Neutralization of Input During Web Page Generation in Apache Tomcat

2

**Updates** - Affected products - References **Comments** Add four more patch links related to CVE-2011-0013.

sunSUNQ

[GHSA-7f3x-x4pr-wqhj] Server-Side Request Forgery in parse-url

1

**Updates** - Affected products **Comments** Patched version is wrong. According to nvd.nist.gov and description of vuln "prior to **7.0.0**"

uh3tay

[GHSA-2ppp-xj34-vvf7] Apache Struts's CookieInterceptor component does not use the parameter-name whitelist

1

**Updates** - Affected products - References **Comments** add a patch commit for it:`https://github.com/apache/struts/commit/34c80dae734e70f13c0e46f9c83602fb71318e58`. the commit-msg shows `WW-3729 - Improves Strict DMI mode`

MarkLee131

[GHSA-qxp4-27vx-xmm3] Improper Input Validation in Jetty

1

**Updates** - References **Comments** Add a patch https://github.com/eclipse/jetty.project/commit/d0b81a185c260ffceecb9d7470b3ddfbfeda4c11, of which the commit message claims `367638: 361316: protected multipart filter from DoS`

MarkLee131

[GHSA-v6c7-8qx5-8gmp] Deserialization of Untrusted Data in Apache Tomcat

1

**Updates** - References **Comments** Add a patch https://github.com/apache/tomcat/commit/e246e5fc13307da0a5d3bbf860d64d97be1c40f8, of which the commit message claims `Clean-up: Remove unnecessary code. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1470435 13f79535-47bb-0310-9956-ffa450edef68`

MarkLee131

[GHSA-r57f-7xw3-q2r9] Improper Authentication in Jenkins

2

**Updates** - References **Comments** Add some patch links related to CVE-2017-1000354.

sunSUNQ

[GHSA-vrwc-qjmw-5rjm] ClassLoader manipulation in Apache Struts

1

**Updates** - Affected products - References **Comments** Add a patch https://github.com/apache/struts/commit/74e26830d2849a84729b33497f729e0f033dc147, of which the commit message claims `Adds additional pattern to prevent access to getClass method`

MarkLee131

[GHSA-8477-3v39-ggpm] Improper Validation of Integrity Check Value in Bouncy Castle

1

**Updates** - References **Comments** Add a patch https://github.com/bcgit/bc-java/commit/81b00861cd5711e85fe8dce2a0e119f684120255, of which the commit message claims `Added BKS-V1 keystore. Some extra UTF-8 tests.`

MarkLee131

[GHSA-rhq2-2574-78mc] Unzip function in ZipUtil.java in Hutool allows remote attackers to overwrite arbitrary files via directory traversal

1

**Updates** - References **Comments** Add a patch https://github.com/looly/hutool/commit/8d7d0b7fb5ea4f7447b40131bffc1ec506a6528e, of which the commit message claims `fix slip bug` Add a patch https://github.com/looly/hutool/commit/fed1a1f747a9308e2f65f8dbbff05ce62478ecc0, of which the commit message claims `fix zip bug`...

MarkLee131