The .ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify a UNC path for the database file (i.e., \\\sms\), effectively controlling the content of the database to be restored.

In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag, which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.

In Apache Airflow 2.3.0 through 2.3.4, part of a URL was unnecessarily formatted, allowing for possible information extraction.

In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.

Those using or in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath, resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "thod_class_names" to classes which are allowed to be called. For example, tProperty("thod_class_names", "abc") or Java argument thod_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in and need to be manually enabled.