
ISHACK AI BOT

Members
All posts by ISHACK AI BOT

  1. Debian: CVE-2023-41752: trafficserver -- security update
     Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/17/2023 | Created: 11/08/2023 | Added: 11/07/2023 | Modified: 01/28/2025
     Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.
     Solution(s): debian-upgrade-trafficserver
     References: https://attackerkb.com/topics/cve-2023-41752, CVE-2023-41752, DLA-3645-1, DSA-5549-1
  2. Oracle MySQL Vulnerability: CVE-2023-22115
     Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
     Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
     Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
     Solution(s): mysql-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-22115, CVE-2023-22115, https://www.oracle.com/security-alerts/cpuoct2023.html
  3. CentOS Linux: CVE-2023-22025: Moderate: java-17-openjdk security and bug fix update (Multiple Advisories)
     Severity: 4 | CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
     Published: 10/17/2023 | Created: 11/01/2023 | Added: 11/01/2023 | Modified: 01/28/2025
     Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and 22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
     Solution(s): centos-upgrade-java-17-openjdk, centos-upgrade-java-17-openjdk-debuginfo, centos-upgrade-java-17-openjdk-debugsource, centos-upgrade-java-17-openjdk-demo, centos-upgrade-java-17-openjdk-devel, centos-upgrade-java-17-openjdk-devel-debuginfo, centos-upgrade-java-17-openjdk-headless, centos-upgrade-java-17-openjdk-headless-debuginfo, centos-upgrade-java-17-openjdk-javadoc, centos-upgrade-java-17-openjdk-javadoc-zip, centos-upgrade-java-17-openjdk-jmods, centos-upgrade-java-17-openjdk-src, centos-upgrade-java-17-openjdk-static-libs, centos-upgrade-java-21-openjdk, centos-upgrade-java-21-openjdk-debuginfo, centos-upgrade-java-21-openjdk-debugsource, centos-upgrade-java-21-openjdk-demo, centos-upgrade-java-21-openjdk-devel, centos-upgrade-java-21-openjdk-devel-debuginfo, centos-upgrade-java-21-openjdk-devel-fastdebug-debuginfo, centos-upgrade-java-21-openjdk-devel-slowdebug-debuginfo, centos-upgrade-java-21-openjdk-fastdebug-debuginfo, centos-upgrade-java-21-openjdk-headless, centos-upgrade-java-21-openjdk-headless-debuginfo, centos-upgrade-java-21-openjdk-headless-fastdebug-debuginfo, centos-upgrade-java-21-openjdk-headless-slowdebug-debuginfo, centos-upgrade-java-21-openjdk-javadoc, centos-upgrade-java-21-openjdk-javadoc-zip, centos-upgrade-java-21-openjdk-jmods, centos-upgrade-java-21-openjdk-slowdebug-debuginfo, centos-upgrade-java-21-openjdk-src, centos-upgrade-java-21-openjdk-static-libs
     References: CVE-2023-22025
  4. Oracle MySQL Vulnerability: CVE-2023-22065
     Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
     Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
     Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
     Solution(s): mysql-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-22065, CVE-2023-22065, https://www.oracle.com/security-alerts/cpuoct2023.html
  5. Oracle MySQL Vulnerability: CVE-2023-22059
     Severity: 7 | CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
     Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
     Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
     Solution(s): mysql-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-22059, CVE-2023-22059, https://www.oracle.com/security-alerts/cpuoct2023.html
  6. Oracle MySQL Vulnerability: CVE-2023-22078
     Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
     Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
     Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
     Solution(s): mysql-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-22078, CVE-2023-22078, https://www.oracle.com/security-alerts/cpuoct2023.html
  7. Oracle MySQL Vulnerability: CVE-2023-22066
     Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
     Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
     Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
     Solution(s): mysql-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-22066, CVE-2023-22066, https://www.oracle.com/security-alerts/cpuoct2023.html
  8. Oracle MySQL Vulnerability: CVE-2023-22070
     Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
     Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
     Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
     Solution(s): mysql-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-22070, CVE-2023-22070, https://www.oracle.com/security-alerts/cpuoct2023.html
  9. Oracle MySQL Vulnerability: CVE-2023-22102
     Severity: 8 | CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
     Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
     Description: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
     Solution(s): mysql-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-22102, CVE-2023-22102, https://www.oracle.com/security-alerts/cpuoct2023.html
  10. Oracle MySQL Vulnerability: CVE-2023-22092
      Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
      Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
      Solution(s): mysql-upgrade-latest
      References: https://attackerkb.com/topics/cve-2023-22092, CVE-2023-22092, https://www.oracle.com/security-alerts/cpuoct2023.html
  11. Huawei EulerOS: CVE-2023-45803: python-pip security update
      Severity: 5 | CVSS: (AV:A/AC:M/Au:M/C:C/I:N/A:N)
      Published: 10/17/2023 | Created: 10/10/2024 | Added: 10/09/2024 | Modified: 01/30/2025
      Description: urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 changed the request's method from one that could accept a request body (like `POST`) to `GET`, as is required by the HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections, and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality, we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies; if this is the case, then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON), and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer, or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7, and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False`, and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
      Solution(s): huawei-euleros-2_0_sp12-upgrade-python-pip-wheel, huawei-euleros-2_0_sp12-upgrade-python3-pip
      References: https://attackerkb.com/topics/cve-2023-45803, CVE-2023-45803, EulerOS-SA-2024-2540
  12. Oracle MySQL Vulnerability: CVE-2023-22104
      Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
      Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
      Solution(s): mysql-upgrade-latest
      References: https://attackerkb.com/topics/cve-2023-22104, CVE-2023-22104, https://www.oracle.com/security-alerts/cpuoct2023.html
  13. Atlassian Bitbucket (CVE-2022-45688): hutool-json Vulnerability in Bitbucket Data Center and Server
      Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 11/21/2024 | Added: 11/14/2024 | Modified: 11/14/2024
      Description: This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, and 8.12.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation; it has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
      * Bitbucket Data Center and Server 7.21: Upgrade to a release greater than or equal to 7.21.16
      * Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.4
      * Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.4
      * Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.3
      * Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.1
      See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). The National Vulnerability Database provides the following description for this vulnerability: A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
      Solution(s): atlassian-bitbucket-upgrade-latest
      References: https://attackerkb.com/topics/cve-2022-45688, CVE-2022-45688, https://jira.atlassian.com/browse/BSERV-18789
  14. Alpine Linux: CVE-2023-22081: Vulnerability in Multiple Components
      Severity: 5 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
      Published: 10/17/2023 | Created: 08/23/2024 | Added: 08/22/2024 | Modified: 10/02/2024
      Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
      Solution(s): alpine-linux-upgrade-openjdk8, alpine-linux-upgrade-openjdk11, alpine-linux-upgrade-openjdk17, alpine-linux-upgrade-openjdk21
      References: https://attackerkb.com/topics/cve-2023-22081, CVE-2023-22081, https://security.alpinelinux.org/vuln/CVE-2023-22081
  15. Amazon Linux AMI 2: CVE-2023-22025: Security patch for java-17-amazon-corretto (ALAS-2023-2314)
      Severity: 4 | CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
      Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
      Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and 22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
      Solution(s): amazon-linux-ami-2-upgrade-java-17-amazon-corretto, amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel, amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless, amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc, amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods
      References: https://attackerkb.com/topics/cve-2023-22025, AL2/ALAS-2023-2314, CVE-2023-22025
  16. Atlassian Bitbucket (CVE-2022-45685): Jettison Vulnerability in Bitbucket Data Center and Server
      Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 11/21/2024 | Added: 11/14/2024 | Modified: 11/14/2024
      Description: This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, and 8.12.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation; it has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
      * Bitbucket Data Center and Server 7.21: Upgrade to a release greater than or equal to 7.21.15
      * Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.4
      * Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.4
      * Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.3
      * Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.1
      See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). The National Vulnerability Database provides the following description for this vulnerability: A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.
      Solution(s): atlassian-bitbucket-upgrade-latest
      References: https://attackerkb.com/topics/cve-2022-45685, CVE-2022-45685, https://jira.atlassian.com/browse/BSERV-18790
  17. Atlassian Bitbucket (CVE-2020-13936): org.apache.velocity Vulnerability in Bitbucket Data Center and Server
      Severity: 9 | CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
      Published: 10/17/2023 | Created: 11/21/2024 | Added: 11/14/2024 | Modified: 11/14/2024
      Description: This High severity Third-Party Dependency vulnerability was introduced in versions 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, and 7.21.7 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation; it has a high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
      * Bitbucket Data Center and Server 7.21: Upgrade to a release greater than or equal to 7.21.8
      See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). The National Vulnerability Database provides the following description for this vulnerability: An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
      Solution(s): atlassian-bitbucket-upgrade-latest
      References: https://attackerkb.com/topics/cve-2020-13936, CVE-2020-13936, https://jira.atlassian.com/browse/BSERV-14568
  18. Atlassian Bitbucket (CVE-2021-46877): jackson-databind Vulnerability in Bitbucket Data Center and Server
      Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 11/21/2024 | Added: 11/14/2024 | Modified: 11/14/2024
      Description: This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation; it has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
      * Bitbucket Data Center and Server 7.21: Upgrade to a release greater than or equal to 7.21.14
      * Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.4
      * Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.4
      * Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.3
      * Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.1
      * Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1
      See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). The National Vulnerability Database provides the following description for this vulnerability: jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
      Solution(s): atlassian-bitbucket-upgrade-latest
      References: https://attackerkb.com/topics/cve-2021-46877, CVE-2021-46877, https://jira.atlassian.com/browse/BSERV-18831
  19. Oracle MySQL Vulnerability: CVE-2023-22084
      Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 01/28/2025
      Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
      Solution(s): mysql-upgrade-latest
      References: https://attackerkb.com/topics/cve-2023-22084, CVE-2023-22084, https://www.oracle.com/security-alerts/cpuoct2023.html
  20. Atlassian Bitbucket (CVE-2020-36518): jackson-databind Vulnerability in Bitbucket Data Center and Server
      Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 11/21/2024 | Added: 11/14/2024 | Modified: 11/14/2024
      Description: This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation; it has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
      * Bitbucket Data Center and Server 7.21: Upgrade to a release greater than or equal to 7.21.14
      * Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.4
      * Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.4
      * Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.3
      * Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4
      * Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.1
      * Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2
      * Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1
      See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). The National Vulnerability Database provides the following description for this vulnerability: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
      Solution(s): atlassian-bitbucket-upgrade-latest
      References: https://attackerkb.com/topics/cve-2020-36518, CVE-2020-36518, https://jira.atlassian.com/browse/BSERV-18830
  21. Gentoo Linux: CVE-2023-22099: Oracle VirtualBox: Multiple Vulnerabilities
      Severity: 7 | CVSS: (AV:L/AC:L/Au:M/C:C/I:C/A:C)
      Published: 10/17/2023 | Created: 09/24/2024 | Added: 09/23/2024 | Modified: 01/28/2025
      Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 7.0.12. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: Only applicable to the 7.0.x platform. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
      Solution(s): gentoo-linux-upgrade-app-emulation-virtualbox
      References: https://attackerkb.com/topics/cve-2023-22099, CVE-2023-22099, 202409-11
  22. Oracle Linux: CVE-2023-22032: ELSA-2024-1141: mysql security update (MODERATE) (Multiple Advisories)
      Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 02/24/2024 | Added: 02/22/2024 | Modified: 01/07/2025
      Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
      Solution(s): oracle-linux-upgrade-mecab, oracle-linux-upgrade-mecab-devel, oracle-linux-upgrade-mecab-ipadic, oracle-linux-upgrade-mecab-ipadic-eucjp, oracle-linux-upgrade-mysql, oracle-linux-upgrade-mysql-common, oracle-linux-upgrade-mysql-devel, oracle-linux-upgrade-mysql-errmsg, oracle-linux-upgrade-mysql-libs, oracle-linux-upgrade-mysql-server, oracle-linux-upgrade-mysql-test
      References: https://attackerkb.com/topics/cve-2023-22032, CVE-2023-22032, ELSA-2024-1141, ELSA-2024-0894
  23. Alma Linux: CVE-2023-38545: Important: curl security update (Multiple Advisories)
      Severity: 10 | CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
      Published: 10/17/2023 | Created: 10/18/2023 | Added: 10/18/2023 | Modified: 01/30/2025
      Description: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake and, contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer is a heap based buffer, and the host name comes from the URL that curl has been told to operate with.
      Solution(s): alma-upgrade-curl, alma-upgrade-curl-minimal, alma-upgrade-libcurl, alma-upgrade-libcurl-devel, alma-upgrade-libcurl-minimal
      References: https://attackerkb.com/topics/cve-2023-38545, CVE-2023-38545, https://errata.almalinux.org/9/ALSA-2023-5763.html, https://errata.almalinux.org/9/ALSA-2023-6745.html
  24. Oracle Linux: CVE-2023-22115: ELSA-2024-1141: mysql security update (MODERATE) (Multiple Advisories)
      Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 02/24/2024 | Added: 02/22/2024 | Modified: 01/07/2025
      Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
      Solution(s): oracle-linux-upgrade-mecab, oracle-linux-upgrade-mecab-devel, oracle-linux-upgrade-mecab-ipadic, oracle-linux-upgrade-mecab-ipadic-eucjp, oracle-linux-upgrade-mysql, oracle-linux-upgrade-mysql-common, oracle-linux-upgrade-mysql-devel, oracle-linux-upgrade-mysql-errmsg, oracle-linux-upgrade-mysql-libs, oracle-linux-upgrade-mysql-server, oracle-linux-upgrade-mysql-test
      References: https://attackerkb.com/topics/cve-2023-22115, CVE-2023-22115, ELSA-2024-1141, ELSA-2024-0894
  25. Oracle Linux: CVE-2023-22068: ELSA-2024-1141: mysql security update (MODERATE) (Multiple Advisories)
      Severity: 6 | CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
      Published: 10/17/2023 | Created: 02/24/2024 | Added: 02/22/2024 | Modified: 01/07/2025
      Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
      Solution(s): oracle-linux-upgrade-mecab, oracle-linux-upgrade-mecab-devel, oracle-linux-upgrade-mecab-ipadic, oracle-linux-upgrade-mecab-ipadic-eucjp, oracle-linux-upgrade-mysql, oracle-linux-upgrade-mysql-common, oracle-linux-upgrade-mysql-devel, oracle-linux-upgrade-mysql-errmsg, oracle-linux-upgrade-mysql-libs, oracle-linux-upgrade-mysql-server, oracle-linux-upgrade-mysql-test
      References: https://attackerkb.com/topics/cve-2023-22068, CVE-2023-22068, ELSA-2024-1141, ELSA-2024-0894