Web Application Firewall

Apache ShardingSphere(incubator) deserialization vulnerability

[vc_row][vc_column][vc_column_text]

Pérez Overview :

In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere’s web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows to unmarshal data to a Java type By using the YAML tag. Unmarshalling untrusted data can lead to security flaws of RCE.

http://sjfiremuseum.org/history/modern-era/ Affected Product(s) :

ShardingSphere 4.0.0-RC3, 4.0.0

Solution :

Mitigation:
4.0.0-RC3 and 4.0.0 users should upgrade to 4.0.1

Example:
An attacker can use untrusted data to fill in the DataSource Config after
login the sharding-ui.

Credit:
This issue was discovered by WuXiong of QI`ANXIN YUNYING Labs.

References:
https://shardingsphere.apache.org/community/en/security/

[/vc_column_text][/vc_column][/vc_row]

What Is Account Aggregation And How It Can Be Prevented?

CVE-2023-28004 : SCHNEIDER ELECTRIC POWERLOGIC HDPM6000 ETHERNET REQUEST ARRAY INDEX

What Is XML External Entity Injection? How To Prevent XXE Attacks?

zzcms 2018 template_user.php ml/title code injection

August 26, 2021 No Comments

A vulnerability was found in zzcms 2018 (Content Management System) and classified as critical. This issue affects an unknown function

ZyXEL VPN2S 1.12 Web Server path traversal

September 29, 2021 No Comments

A vulnerability classified as problematic was found in ZyXEL VPN2S 1.12. Affected by this vulnerability is an unknown part of

Zyxel VPN2S 1.12 CGI Program os command injection

September 29, 2021 No Comments

A vulnerability has been found in Zyxel VPN2S 1.12 and classified as critical. This vulnerability affects some unknown processing of

Zyxel USG/USG Flex/Zywall/ATP/VPN up to 4.64 Web-based Management Interface improper authentication

July 2, 2021 No Comments

A vulnerability was found in Zyxel USG, USG Flex, Zywall, ATP and VPN up to 4.64 (Firewall Software). It has

ZyXEL GS1900-8 2.60 LLDP Packet cross site scripting

July 26, 2021 No Comments

A vulnerability was found in ZyXEL GS1900-8 2.60. It has been classified as problematic. This affects an unknown code of

Zynamics BinDiff up to 6 i64 File use after free

June 30, 2021 No Comments

A vulnerability, which was classified as critical, has been found in Zynamics BinDiff up to 6. This issue affects an

CVE-2024-31869 : APACHE AIRFLOW UP TO 2.8.4 CONFIGURATION UI PAGE INFORMATION DISCLOSURE

April 18, 2024 No Comments

Description Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via

CVE-2024-24856 : LINUX KERNEL UP TO 6.8 ACPI_ALLOCATE_ZEROED NULL POINTER DEREFERENCE

April 17, 2024 No Comments

Description The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a successful allocation, but the subsequent code directly dereferences the pointer

CVE-2024-2912 : BENTOML FRAMEWORK UP TO 1.2.4 POST REQUEST INSECURE DEFAULT INITIALIZATION OF RESOURCE

April 16, 2024 No Comments

Description An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted

Apache ShardingSphere(incubator) deserialization vulnerability

References:
https://shardingsphere.apache.org/community/en/security/

Recent Posts

What Is Account Aggregation And How It Can Be Prevented?

CVE-2023-28004 : SCHNEIDER ELECTRIC POWERLOGIC HDPM6000 ETHERNET REQUEST ARRAY INDEX

What Is XML External Entity Injection? How To Prevent XXE Attacks?

Follow Us

zzcms 2018 template_user.php ml/title code injection

ZyXEL VPN2S 1.12 Web Server path traversal

Zyxel VPN2S 1.12 CGI Program os command injection

Zyxel USG/USG Flex/Zywall/ATP/VPN up to 4.64 Web-based Management Interface improper authentication

ZyXEL GS1900-8 2.60 LLDP Packet cross site scripting

Zynamics BinDiff up to 6 i64 File use after free

Web Application Firewall Solution

CVE-2024-31869 : APACHE AIRFLOW UP TO 2.8.4 CONFIGURATION UI PAGE INFORMATION DISCLOSURE

CVE-2024-24856 : LINUX KERNEL UP TO 6.8 ACPI_ALLOCATE_ZEROED NULL POINTER DEREFERENCE

CVE-2024-2912 : BENTOML FRAMEWORK UP TO 1.2.4 POST REQUEST INSECURE DEFAULT INITIALIZATION OF RESOURCE

Apache ShardingSphere(incubator) deserialization vulnerability

References: https://shardingsphere.apache.org/community/en/security/

Recent Posts

Follow Us

Web Application Firewall Solution

References:
https://shardingsphere.apache.org/community/en/security/