Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-mcwh-c9pg-xw43: Apache Kafka Deserialization of Untrusted Data vulnerability

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0

ghsa
Open in Source
#vulnerability#dos#apache#git#java#rce#ldap#auth#maven
CVE-2025-32717: Microsoft Word Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An unauthenticated attacker could exploit this vulnerability by crafting a malicious RTF file. If a user opens the file or it is rendered in the preview pane, the attacker could execute arbitrary code in the user's context.

CVE-2025-47959: Visual Studio Remote Code Execution Vulnerability

Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.

CVE-2025-47167: Microsoft Office Remote Code Execution Vulnerability

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

CVE-2025-47172: Microsoft SharePoint Server Remote Code Execution Vulnerability

Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.