有新的漏洞组件被发现啦,组件ID:phpMyAdmin
An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.

在 phpMyAdmin 5.15.1.2之前发现了一个问题。攻击者可以将恶意代码注入安装脚本的各个方面，从而允许 XSS 或 HTML 注入。

有新的漏洞组件被发现啦,组件ID:phpMyAdmin
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.

phpMyAdmin 4.9在4.9.8和5.1在5.1.2之前发现了一个问题。已经通过 phpMyAdmin 身份验证的有效用户可以操作他们的帐户，以绕过将来登录实例的双因素身份验证。

有新的漏洞组件被发现啦,组件ID:F5
A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 vis the function H5T__complete_copy () at /hdf5/src/H5T.c. This vulnerability causes an aritmetic exception, leading to a Denial of Service (DoS).

HDF5 v1.13.1-1针对/HDF5/src/H5T.c 函数 h5t_ complete _ copy ()存在一个被零除的漏洞。这个漏洞引起了一个密封异常，导致一个分布式拒绝服务攻击异常(DoS)。

有新的漏洞组件被发现啦,组件ID:F5
An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1-1 via the function H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c. This vulnerability can lead to a Denial of Service (DoS).

HDF5 v1.13.1-1中通过 HDF5/src/h5odtype.c 的函数 H5O _ dtype _ decode _ helper ()存在不可信指针解引用漏洞。这个漏洞可能导致分布式拒绝服务攻击攻击。

有新的漏洞组件被发现啦,组件ID:F5
HDF5 v1.13.1-1 was discovered to contain a heap-use-after free via the component H5AC_unpin_entry.

HDF5 v1.13.1-1通过组件 H5AC _ unpin _ entry 被发现包含堆后免费使用。

有新的漏洞组件被发现啦,组件ID:Shiro
MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code.

MCMS v5.2.4被发现有一个硬编码的 shiro-key，允许攻击者利用该密钥并执行任意代码。

有新的漏洞组件被发现啦,组件ID:Apache
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.

在 Apache ShardingSphere ElasticJob-UI 中将敏感信息暴露给一个 Unauthorized Actor 漏洞，这使得拥有客户帐户的攻击者可以进行权限提升攻击。这个问题影响到 Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0和之前的版本。

有新的漏洞组件被发现啦,组件ID:SVN
Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString.

Esprit 2v11.251通过 jsvNewFromString 中的 src/jsvar.c 被发现包含一个堆栈缓冲区溢出。

有新的漏洞组件被发现啦,组件ID:Apache
In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.

2.2.0之前的阿帕奇气流。这个 CVE 适用于一个特定的情况，在 DAG 运行中拥有“ can _ create”权限的用户可以为他们没有“编辑”权限的狗创建 DAG Runs。

有新的漏洞组件被发现啦,组件ID:IBM WebSphere
IBM WebSphere Application Server Liberty 21.0.0.10 through 21.0.0.12 could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications. IBM X-Force ID: 217224.

IBM WebSphere Application Server 自由21.0.0.10到21.0.0.12可能提供弱于预期的安全。远程攻击者可以利用这个弱点获取敏感信息，并获得对 JAX-WS 应用程序的未授权访问。IBM X-Force ID: 217224.

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Fusion 中间件(组件: Web 容器) WebLogic 产品的漏洞。受影响的支持版本有12.1.3.0.0、12.2.1.3.0、1

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Oracle Fusion 中间件(组件: Web 容器) WebLogic 产品的漏洞。受影响的支持版本有12.1.3.0.0、12.2.1.3.0、12.2.1.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。成功攻击此漏洞可能导致未经授权访问关键数据或完全访问所有可访问的 WebLogic 数据。CVSS 3.1基本得分7.5(机密性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: h/i: n/a: n)。

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Weblogic). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Oracle PeopleSoft 的 PeopleSoft 企业人员工具产品(组件: Weblogic)中的漏洞。受影响的支持版本是8.57、8.58和8.59。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者入侵 PeopleSoft 企业用户工具。成功攻击此漏洞可能导致对 PeopleSoft 企业用户工具可访问数据的子集进行未经授权的读取访问。CVSS 3.1基本得分5.3(机密性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: l/i: n/a: n)。

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Sample apps). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例应用程序)。受影响的支持版本是12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

Oracle Fusion 中间件 WebLogic 产品中的漏洞。受影响的支持版本是12.2.1.3.0、12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许未经身份验证的攻击者通过 t 3访问网络，从而危及 WebLogic 安全。该漏洞的成功攻击可能导致未经授权的更新，插入或删除访问一些 WebLogic 可访问的数据和未经授权的能力，造成部分分布式拒绝服务攻击(部分 DOS)的 WebLogic。CVSS 3.1基本得分6.5(完整性和可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

Oracle Fusion 中间件 WebLogic 产品中的漏洞。受影响的支持版本有12.1.3.0.0、12.2.1.3.0、12.2.1.1.4.0和14.1.1.0.0。易于利用的漏洞允许未经身份验证的攻击者通过 t 3访问网络，从而危及 WebLogic 安全。该漏洞的成功攻击可能导致未经授权的更新，插入或删除访问一些 WebLogic 可访问的数据和未经授权的能力，造成部分分布式拒绝服务攻击(部分 DOS)的 WebLogic。CVSS 3.1基本得分6.5(完整性和可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

Oracle Fusion 中间件 WebLogic 产品中的漏洞。受影响的支持版本有12.1.3.0.0、12.2.1.3.0、12.2.1.1.4.0和14.1.1.0.0。易于利用的漏洞允许未经身份验证的攻击者通过 t 3访问网络，从而危及 WebLogic 安全。该漏洞的成功攻击可能导致未经授权的更新，插入或删除访问一些 WebLogic 可访问的数据和未经授权的能力，造成部分分布式拒绝服务攻击(部分 DOS)的 WebLogic。CVSS 3.1基本得分6.5(完整性和可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle Fusion 中间件 WebLogic 产品中的漏洞。受影响的支持版本有12.1.3.0.0、12.2.1.3.0、12.2.1.1.4.0和14.1.1.0.0。易于利用的漏洞允许未经身份验证的攻击者通过 t 3访问网络，从而危及 WebLogic 安全。成功的攻击这个漏洞可以导致 WebLogic 的被接管。CVSS 3.1基本得分9.8(机密性、完整性和可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: h/i: h/a: h)。

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例)。受影响的支持版本是12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。成功攻击此漏洞可能导致未经授权访问关键数据或完全访问所有可访问的 WebLogic 数据。CVSS 3.1基本得分7.5(机密性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: h/i: n/a: n)。

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例)。受影响的支持版本是12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例)。受影响的支持版本是12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例)。受影响的支持版本是12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例)。受影响的支持版本是12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). The supported version that is affected is 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例)。受影响的支持版本是14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。成功的攻击需要攻击者以外的

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例)。受影响的支持版本是12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者

有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 示例)。受影响的支持版本是12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。这个漏洞的成功攻击可能导致未经授权的更新，插入或删除访问一些 WebLogic 可访问的数据，以及未经授权的读取访问一个子集的 WebLogic 可访问的数据。CVSS 3.1基本得分6.5(机密性和完整性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: l/i: l/a: n)。

有新的漏洞组件被发现啦,组件ID:Apache
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Cve-2020-9493确定了阿帕奇链锯存在的反序列化问题。在电锯 V2.0版本之前，它是 Apache Log4j 1.2. x 的一个组件，也存在同样的问题。

有新的漏洞组件被发现啦,组件ID:Apache
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

根据设计，Log4j 1.2.x 中的 JDBCAppender 接受一个 SQL 语句作为配置参数，其中要插入的值是来自 PatternLayout 的转换器。消息转换器% m 很可能始终包括在内。这允许攻击者通过在应用程序的输入字段或头中输入精心制作的字符串来操作 SQL，这些输

有新的漏洞组件被发现啦,组件ID:Apache
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

当攻击者对 Log4j 配置具有写访问权限时，或者当配置引用攻击者可以访问的 LDAP 服务时，Log4j 1. x 所有版本中的 JMSSink 都容易被不可信数据反序列化。攻击者可以提供一个 TopicConnectionFactoryBindingName 配置，使 JMSSink 执行 JNDI 请求，从而以类似于 cve-2021-4104的方式执行远程代码。注意这个问题只在特别配置为使用 JMSSink 时影响 Log4j 1.x，而 JMSSink 不是默认值。在2015年8月，Apache Log4j 1.2到达了生命的尽头。用户应该升级到 Log4j 2，因为它解决了许多其他问题从以前的版本。

有新的漏洞组件被发现啦,组件ID:Django
Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.

是一个基于 Django 的内容管理系统，注重灵活性和用户体验。当评论线程中新回复的通知被发送时，它们被发送给所有在站点上任何地方进行了回复或评论的用户，而不仅仅是在相关的线程中。这意味着用户只要在网站的某个地方留下了评论或回复，就可以收听到他们无法编辑访问的页面上的新评论回复。一个补丁版本已经发布为 Wagtail 2.15.2，它恢复了预期的行为——仅在活动线程中向参与者发送新答复的通知(不考虑编辑权限)。可以通过

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group was due to incorrect handling of file.

GitLab CE/EE 中发现了一个问题，影响从14.5开始的所有版本。由于对文件的不正确处理，可以通过导入组来任意读取文件。

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones.

GitLab CE/EE 中发现了一个问题，影响了从12.3开始的所有版本。在某些条件下，可以通过 GraphQL 绕过公共项目的 IP 限制，允许未授权用户阅读问题标题、合并请求和里程碑。

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.

在 GitLab 已经发现了一个问题，它影响了所有版本，从14.4.5之前的7.7版本开始，所有版本从14.5.0之前的14.5.3版本开始，所有版本从14.6.0之前的14.6.2版本开始。跨站请求伪造攻击允许恶意用户将他们的 GitHub 项目导入到另一个 GitLab 用户账户。

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API.

在 GitLab 发现了一个问题，它影响了14.4.5之前的13.10版本，14.5.3之前的14.5.0版本，14.6.2之前的14.6.0版本。通过 GraphQL API，GitLab 很容易被未经授权访问某些特定的字段。

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not correctly handling requests to delete existing packages which could result in a Denial of Service under specific conditions.

在 GitLab 已经发现了一个问题，影响所有版本，从14.4.5之前的12.10开始，所有版本从14.5.0之前的14.5.3开始，所有版本从14.6.0之前的14.6.2开始。GitLab 没有正确处理删除现有包的请求，在特定条件下，这可能导致分布式拒绝服务攻击。

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project.

在 GitLab 已经发现了一个问题，它影响了14.4.5之前的12.0版本，14.5.3之前的14.5.0版本，14.6.2之前的14.6.0版本。GitLab 没有核实项目维护人员是否有权从目标项目中导入成员。

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. Gitlab's Slack integration is incorrectly validating user input and allows to craft malicious URLs that are sent to slack.

在14.4.5之前，在14.5.0和14.5.3之间，在14.6.0和14.6.1之间，已经发现了一个影响 GitLab 版本的问题。的 Slack 集成错误地验证了用户输入，并允许精心制作恶意的 url 发送到 Slack。

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds.

在14.4.5之前，在14.5.0和14.5.3之间，在14.6.0和14.6.1之间，已经发现了一个影响 GitLab 版本的问题。GitLab 允许密码过期的用户通过 RSS feed 访问敏感信息。

有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git sub-commands, allowing a malicious user to spoof the contents of their commits in the UI.

在14.4.5之前，在14.5.0和14.5.3之间，在14.6.0和14.6.1之间，已经发现了一个影响 GitLab 版本的问题。GitLab 的配置方式不会忽略 git 子命令的替换引用，允许恶意用户在用户界面中欺骗他们提交的内容。

有新的漏洞组件被发现啦,组件ID:GitLab
Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis

GitLab CE/EE 版本14.3至14.3.6、14.4至14.4.4和14.5至14.5.2中的用户输入中和不当允许攻击者滥用与表情符号相关的 HTML 代码生成来利用 XSS

有新的漏洞组件被发现啦,组件ID:GitLab
A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service.

GitLab CE/EE 中的分布式拒绝服务攻击安全漏洞影响了14.3.6之前的12.0版本，14.4.4之前的14.4版本，14.5.2之前的14.5版本，允许低权限用户绕过 NPM 包存储库中的文件大小限制，从而可能导致分布式拒绝服务攻击安全。

有新的漏洞组件被发现啦,组件ID:GitLab
Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.x, between 14.5.0 and 14.5.x, and between 14.6.0 and 14.6.x would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443

如果 GitLab 配置为在80或443以外的端口上运行，那么 GitLab CE/EE 版本8.4至14.4. x、14.5.0至14.5. x 以及14.6.0至14.6. x 中的服务器端请求伪造保护将无法防止向端口80或443的本地主机发送请求的攻击

有新的漏洞组件被发现啦,组件ID:GitLab
In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.

在 GitLab CE/EE 自12.0版以来的所有版本中，权限较低的用户可以从没有维护角色的项目中导入用户，并公开这些用户的电子邮件地址。

有新的漏洞组件被发现啦,组件ID:Docker
When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image

当 Windows tentnacle docker 映像启动时，它会记录所有与参数一起运行的命令，这些命令以明文形式写入 Octopus Server API 键。这不会影响 Linux Docker 映像

有新的漏洞组件被发现啦,组件ID:Apache
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign.

当在1.6.1之前使用 Apache Knox SSO 时，由于不正确的 URL 解析，可以精心设计请求将用户重定向到恶意页面。一个包含特殊设计的请求参数的请求可以用来将用户重定向到一个由攻击者控制的页面。这个 URL 需要通过 XSS 或网络钓鱼活动在正常请求流之外呈现给用户。

有新的漏洞组件被发现啦,组件ID:F5
Frontier is Substrate's Ethereum compatibility layer. Prior to commit number `8a93fdc6c9f4eb1d2f2a11b7ff1d12d70bf5a664`, a bug in Frontier's MODEXP precompile implementation can cause an integer underflow in certain conditions. This will cause a node crash for debug builds. For release builds (and production WebAssembly binaries), the impact is limited as it can only cause a normal EVM out-of-gas. Users who do not use MODEXP precompile in their runtime are not impacted. A patch is available in pull request #549.

边疆是基质的以太兼容层。在提交编号8a93fdc6c9f4eb1d2f2a11b7ff1d12d70bf5a664之前，Frontier 的 MODEXP 预编译实现中的一个 bug 在某些情况下可能会导致整数底流。这将导致调试版本的节点崩溃。对于发布版本(以及生产的 WebAssembly 二进制文件) ，影响是有限的，因为它只能导致一个正常的 EVM 耗尽气体。不在运行时中使用 MODEXP 预编译的用户不会受到影响。一个补丁可在拉请求 # 549。

有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.

在 SAP NetWeaver AS for ABAP 和 ABAP Platform-versions 701,702,711,730,731,740,750,751,752,753,754,755,756,786中，经过身份验证的攻击者可以使用 s/4 Hana 仪表板显示他们通常不允许看到的系统和服务。不能改变信息或分布式拒绝服务攻击。

有新的漏洞组件被发现啦,组件ID:Zabbix
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

在初始设置过程之后，不仅超级管理员可以访问 setup.php 文件的某些步骤，未经身份验证的用户也可以访问这些步骤。恶意参与者可以通过步骤检查，并有可能改变 Zabbix Frontend 的配置。

有新的漏洞组件被发现啦,组件ID:Zabbix
During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level

在从 RPM 安装 Zabbix 期间，DAC _ override SELinux 功能用于访问[/var/run/Zabbix ]文件夹中的 PID 文件。在这种情况下，zabbixproxy 或 Server 进程可以绕过文件系统级的文件读、写和执行权限检查

有新的漏洞组件被发现啦,组件ID:Zabbix
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).

对于启用了 SAML SSO 身份验证(非默认)的实例，会话数据可能会被恶意参与者修改，因为存储在会话中的用户登录没有得到验证。恶意的未经身份验证的演员可能利用这个问题升级的特权和获得管理员访问 Zabbix Frontend。要执行攻击，需要启用 SAML 身份验证，并且参与者必须知道 Zabbix 用户的用户名(或者使用 guest 帐户，该帐户默认是禁用的)。

有新的漏洞组件被发现啦,组件ID:Eyou
eyouCMS V1.5.5-UTF8-SP3_1 suffers from Arbitrary file deletion due to insufficient filtering of the parameter filename.

eyouCMS V1.5.5-UTF8-SP3 _ 1由于没有对参数文件名进行足够的过滤而遭受任意文件删除。

有新的漏洞组件被发现啦,组件ID:Jenkins
Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller.

Jenkins Debian Package Builder Plugin 1.6.11和更早的版本实现了允许代理在控制器上的攻击者指定的路径上调用命令行“ git”的功能，允许攻击者控制代理进程在控制器上调用任意的 OS 命令。

有新的漏洞组件被发现啦,组件ID:Jenkins
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.

Jenkins concepr Secrets Plugin 1.0.9及更早的版本实现了允许攻击者控制代理进程检索存储在 Jenkins 控制器上的所有用户名/密码凭据的功能。

有新的漏洞组件被发现啦,组件ID:Jenkins
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

詹金斯共轭秘密插件1.0.9和早期实现的功能，允许攻击者能够控制代理进程，解密存储在詹金斯通过其他方法获得的秘密。

有新的漏洞组件被发现啦,组件ID:Jenkins
Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task.

在 Jenkins 批处理任务插件1.19以及更早版本中的跨站请求伪造安全漏洞允许具有全局/读取访问权限的攻击者检索日志、构建或删除批处理任务。

有新的漏洞组件被发现啦,组件ID:Jenkins
Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Jenkins Publish Over SSH Plugin 1.22及早期版本将未加密的密码存储在 Jenkins 控制器上的全局配置文件中，用户可以通过访问 Jenkins 控制器文件系统查看该文件。

有新的漏洞组件被发现啦,组件ID:Jenkins
Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

Jenkins Publish Over SSH Plugin 1.22和更早版本对文件名进行验证，指定文件名是否存在，从而导致路径遍历漏洞，允许具有 Item/Configure 权限的攻击者发现 Jenkins 控制器文件的名称。

有新的漏洞组件被发现啦,组件ID:Jenkins
A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

Jenkins publishover SSH Plugin 1.22和更早版本中的缺少权限检查允许具有 Overall/Read 访问权限的攻击者使用攻击者指定的凭据连接到攻击者指定的 SSH 服务器。

有新的漏洞组件被发现啦,组件ID:Jenkins
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

Jenkins Publish Over SSH Plugin 1.22及更早版本中的一个跨站请求伪造安全漏洞允许攻击者使用攻击者指定的凭据连接到攻击者指定的 SSH 服务器。

有新的漏洞组件被发现啦,组件ID:Jenkins
Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

Jenkins Publish Over SSH Plugin 1.22及更早版本没有逃脱 SSH 服务器名称，导致存储的跨网站脚本/服务器(XSS)漏洞被具有 Overall/manship 权限的攻击者利用。