Graylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using an HTTP PUT request to the `/api/system/cluster_config/` endpoint. Graylog's cluster config system uses fully qualified class names as config keys. To validate the existence of the requested class before using it, Graylog loads the class using the class loader. If a user with the appropriate permissions performs the request, arbitrary classes with 1-arg String constructors can be instantiated. This will execute arbitrary code that is run during class instantiation. In the specific use case of `java.io.File`, the behavior of the internal web-server stack will lead to information exposure by including the entire file content in the response to the REST request. Versions 5.1.11 and 5.2.4 contain a fix for this issue.

The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. `ZipSecurity#isBelowCurrentDirectory` is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version allowedClasses)` constructor to restrict the allowed classes for deserialization.

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing. This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue. A third party can create a malformed TAR file by manipulating file modification time headers, which, when parsed with Apache Commons Compress, will cause a denial of service via CPU consumption. In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612). The format for the PAX extended headers carrying this data consists of two numbers separated by a period, indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values. Parsing of these numbers uses the BigDecimal class from the JDK, which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193).
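Two added examples follow, written for this page; neither is code from Graylog or from Apache Commons Compress. The first illustrates the Graylog class-loading issue described above: a config key taken from the request is passed to `Class.forName` and instantiated through its String constructor, beside an allowlisted lookup in which the untrusted string never reaches the class loader. The class `ClusterConfigKeys`, the registry `KNOWN_CONFIG_TYPES`, the `com.example.config.*` keys and the record types are all assumptions for illustration.

```java
import java.util.Map;
import java.util.Optional;

// Illustrative config-key handling. Hypothetical code; it is not Graylog's implementation.
public final class ClusterConfigKeys {

    // Vulnerable shape: the key string from the PUT body is handed to the class loader and the
    // loaded class is instantiated with its String constructor. Any class on the classpath with
    // a 1-arg String constructor, e.g. java.io.File, can be instantiated with a caller-chosen argument.
    static Object resolveUnchecked(String key, String value) throws ReflectiveOperationException {
        Class<?> cls = Class.forName(key);                              // static initialiser of `cls` runs here
        return cls.getConstructor(String.class).newInstance(value);     // constructor code runs here
    }

    // Hardened shape: the set of legitimate config classes is fixed at build time, so an untrusted
    // string is only ever compared against map keys and never resolved through the class loader.
    // Assumed registry entries; a real system would list its own config types.
    private static final Map<String, Class<?>> KNOWN_CONFIG_TYPES = Map.of(
            "com.example.config.RetentionPolicy", RetentionPolicy.class,
            "com.example.config.IndexRotation", IndexRotation.class);

    static Optional<Object> resolveAllowlisted(String key, String value) throws ReflectiveOperationException {
        Class<?> cls = KNOWN_CONFIG_TYPES.get(key);
        if (cls == null) {
            return Optional.empty();                                    // unknown key: nothing is loaded or constructed
        }
        return Optional.of(cls.getConstructor(String.class).newInstance(value));
    }

    // Stand-ins for real config types (constructed for this example); each has a 1-arg String constructor.
    record RetentionPolicy(String days) {}
    record IndexRotation(String strategy) {}

    public static void main(String[] args) throws Exception {
        // Constructed request: the key names a JDK class, the value is a path the caller chooses.
        String key = "java.io.File";
        String value = "/etc/hostname";

        Object o = resolveUnchecked(key, value);
        System.out.println("unchecked: instantiated " + o.getClass().getName() + " -> " + o);

        System.out.println("allowlisted: " + resolveAllowlisted(key, value)
                .map(Object::toString)
                .orElse("rejected unknown key " + key));
        System.out.println("allowlisted: " + resolveAllowlisted("com.example.config.RetentionPolicy", "30")
                .map(Object::toString)
                .orElse("rejected"));
    }
}
```

The example only shows that a `java.io.File` is constructed from request data; it does not reproduce the response-serialisation behaviour the advisory describes for Graylog's web stack.

The second example illustrates the PAX time-header parsing in the Commons Compress advisory: a parser that hands the raw header value to `BigDecimal`, beside a version that bounds the length, matches the `seconds[.subseconds]` shape and converts with fixed-width `long` arithmetic before any arithmetic library sees the input. The class `PaxTimeHeader`, the `MAX_HEADER_LEN` bound and the hostile sample values are assumptions; the hardened form is an assumed policy, not the upstream 1.24.0 fix.

```java
import java.math.BigDecimal;
import java.nio.file.attribute.FileTime;
import java.time.Instant;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustrative parser for PAX "seconds.subseconds" time headers (atime, ctime, mtime,
// LIBARCHIVE.creationtime). Hypothetical code; it is not the Commons Compress implementation.
public final class PaxTimeHeader {

    // Vulnerable shape: the raw header value goes straight into BigDecimal. A value such as
    // "1E+999999999" or a multi-megabyte digit string costs BigDecimal/BigInteger arithmetic
    // that grows with the attacker-chosen size of the input.
    static FileTime parseUnchecked(String value) {
        BigDecimal seconds = new BigDecimal(value);
        long whole = seconds.longValue();                               // expands the full integer part
        long nanos = seconds.subtract(BigDecimal.valueOf(whole))
                            .movePointRight(9).longValue();
        return FileTime.from(Instant.ofEpochSecond(whole, nanos));
    }

    // Hardened shape (assumed policy): cap the length, accept only "[-]digits[.digits]", and
    // convert with long arithmetic, so the cost is bounded by MAX_HEADER_LEN and BigDecimal
    // never sees untrusted input.
    static final int MAX_HEADER_LEN = 40;                               // assumption: generous for any real timestamp
    private static final Pattern PAX_TIME = Pattern.compile("^(-?)(\\d{1,19})(?:\\.(\\d+))?$");

    static FileTime parseValidated(String value) {
        if (value == null || value.length() > MAX_HEADER_LEN) {
            throw new IllegalArgumentException("PAX time header missing or longer than " + MAX_HEADER_LEN);
        }
        Matcher m = PAX_TIME.matcher(value);
        if (!m.matches()) {
            throw new IllegalArgumentException("malformed PAX time header: " + value);
        }
        long seconds;
        try {
            seconds = Long.parseLong(m.group(2));                       // rejects values above Long.MAX_VALUE
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("seconds out of range: " + value, e);
        }
        long nanos = 0L;
        if (m.group(3) != null) {
            // Right-pad to 9 digits so ".5" means 500 ms, then drop anything finer than a nanosecond.
            nanos = Long.parseLong((m.group(3) + "000000000").substring(0, 9));
        }
        if (!m.group(1).isEmpty()) {
            seconds = -seconds;
            nanos = -nanos;
        }
        return FileTime.from(Instant.ofEpochSecond(seconds, nanos));   // normalises a negative nano adjustment
    }

    public static void main(String[] args) {
        String benign = "1647221103.5998539";                           // value quoted in the advisory text
        System.out.println(benign + " -> " + parseValidated(benign));

        // Constructed hostile values: an exponent form BigDecimal accepts, and a 1 MiB digit string.
        String[] hostile = { "1E+999999999", "1".repeat(1 << 20) + ".0" };
        for (String h : hostile) {
            try {
                parseValidated(h);
            } catch (IllegalArgumentException e) {
                String msg = e.getMessage();
                System.out.println("rejected before any arithmetic: " + msg.substring(0, Math.min(60, msg.length())));
            }
        }
    }
}
```

Only `parseValidated` is exercised on the hostile inputs in `main`; calling `parseUnchecked` on them is the denial-of-service condition the advisory describes, so it is left to the reader to try on a machine they do not mind stalling. The regex alone is not the defence: the length check comes first so that the regex itself runs on bounded input.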