#apache

Clinic Queuing System version 1.0 suffers from a remote code execution vulnerability.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Delta Electronics Equipment: InfraSuite Device Master Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Delta Electronics products are affected: InfraSuite Device Master: Versions 1.0.10 and prior 3.2 Vulnerability Overview 3.2.1 Deserialization of Untrusted Data CWE-502 Delta Electronics InfraSuite Device Master contains a deserialization of untrusted data vulnerability because it runs a version of Apache ActiveMQ (5.15.2) which is vulnerable to CVE-2023-46604. CVE-2023-46604 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2023-46604. A base score of 9.3 has been calculated...

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.11.0. The attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2]  https://github.com/apache/inlong/pull/9707

An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request. This issue affects Apache Superset before 4.0.0. Users are recommended to upgrade to version 4.0.0, which fixes the issue.

Gentoo Linux Security Advisory 202405-16 - A vulnerability has been discovered in Apache Commons BCEL, which can lead to remote code execution. Versions greater than or equal to 6.6.0 are affected.

Ubuntu Security Notice 6757-2 - USN-6757-1 fixed vulnerabilities in PHP. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. This update fixes the problem. It was discovered that PHP incorrectly handled PHP_CLI_SERVER_WORKERS variable. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API). To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement: <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">   <property name="constraint" ref="securityConstraint" />   <property name="pathSpec" value="/" /> </bean> Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

Ubuntu Security Notice 6757-1 - It was discovered that PHP incorrectly handled PHP_CLI_SERVER_WORKERS variable. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that PHP incorrectly handled certain cookies. An attacker could possibly use this issue to cookie by pass.

Red Hat Security Advisory 2024-2387-03 - An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9. Issues addressed include cross site scripting and information leakage vulnerabilities.

Ubuntu Security Notice 6729-3 - USN-6729-1 fixed vulnerabilities in Apache HTTP Server. This update provides the corresponding updates for Ubuntu 24.04 LTS. Orange Tsai discovered that the Apache HTTP Server incorrectly handled validating certain input. A remote attacker could possibly use this issue to perform HTTP request splitting attacks. Keran Mu and Jianjun Chen discovered that the Apache HTTP Server incorrectly handled validating certain input. A remote attacker could possibly use this issue to perform HTTP request splitting attacks. Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module incorrectly handled endless continuation frames. A remote attacker could possibly use this issue to cause the server to consume resources, leading to a denial of service.