#maven

Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. Version 2.1.6 has yet to be published in the Maven registry.

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex

Prior to Opencast 17.8 and 18.2 the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. ### Impact The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users. To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users. ### Patches This issue is fixed in Opencast 17.8 and 18.2, however they are not published to the Maven registry. ### Resources - [Patch fixing the issue](https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9) ### For more information If you have any questions or comments about this advisory: * Open an issue in [our issue tracker](htt...

The cyber world never hits pause, and staying alert matters more than ever. Every week brings new tricks, smarter attacks, and fresh lessons from the field. This recap cuts through the noise to share what really matters—key trends, warning signs, and stories shaping today’s security landscape. Whether you’re defending systems or just keeping up, these highlights help you spot what’s coming

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle text, or (3) Last Name text fields.

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

## Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (`crit`), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, `bork` or `cnf`) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. ## Affected Component and Versions - Library: Authlib (JWS verification) - API: `authlib.jose.JsonWebSignature.deserialize_compact(...)` - Version tested: 1.6.3 - Configuration: Default; no allowlist or special handling for `crit` ## Details RFC 7515 (JWS) §4.1.11 defines `crit` as a “must‑understand” list: recipients MUST understand and enforce every header parameter listed in `crit`, otherwise they MUST reject the token. Security‑sensitive semantics such as token binding (e.g., `cnf` from RFC 7800) are often conveyed via `crit`. Observed behavior with Authlib 1...

In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including `jenkins.log` and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output. Jenkins 2.528, LTS 2.516.3 adds an indicator at the beginning of a line that was inserted as part of log message content: `[CR]`, `[LF]`, or `[CRLF]` (representing the kind of line break), followed by `>` .