Chapter 3. MTA 6.2.2


3.1. Resolved issues

The following highlighted issues have been resolved in Migration Toolkit for Applications (MTA) version 6.2.2.

CVE-2022-45693: Vulnerability in Jettison

Versions of Jettison before v1.5.2 are vulnerable to a Denial of Service (DoS) caused by a stack-based buffer overflow. By sending a specially crafted request that uses the map parameter, a remote attacker could exploit this vulnerability to cause a DoS. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2022-45693).

CVE-2023-29406: HTTP/1 client does not fully validate the contents of the Host header

Versions of Golang before 1.19.11 are vulnerable to HTTP header injection, caused by improper validation of the contents of the Host header by the HTTP/1 client. A maliciously crafted Host header can inject additional headers or entire requests. In Golang 1.19.11 and later, the HTTP/1 client refuses to send requests that contain an invalid Request.Host or Request.URL.Host value. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2023-29406).
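The fixed Go client refuses invalid Host values itself; the following added example shows the same check applied on the application side, which is useful when a build still pins an older toolchain or when a wrapper transport wants to fail early with a clear error. This is not code from MTA, Red Hat or the Go project: the function names (validHostHeader, checkRequestHost, hostCheckingTransport) are hypothetical, and the allowed byte set is an assumption modeled on the RFC 7230 grammar for uri-host and port rather than a copy of the standard library's own table.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// validHostHeader reports whether h contains only bytes permitted in an
// HTTP/1 Host header (RFC 7230: Host = uri-host [ ":" port ]). The set is an
// assumption modeled on that grammar: unreserved, sub-delims, ':' for the
// port, '[' ']' for IPv6 literals, '@' and '%' for pct-encoding. CR, LF and
// SP are rejected, which is what blocks header and request injection.
func validHostHeader(h string) bool {
	if h == "" {
		return false
	}
	for i := 0; i < len(h); i++ {
		c := h[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		case c == '-', c == '.', c == '_', c == '~':
		case c == '!', c == '$', c == '&', c == '\'', c == '(', c == ')',
			c == '*', c == '+', c == ',', c == ';', c == '=':
		case c == ':', c == '[', c == ']', c == '@', c == '%':
		default:
			return false
		}
	}
	return true
}

// ErrInvalidHost is returned when a request would carry an unsafe Host value.
var ErrInvalidHost = errors.New("invalid Host header value")

// checkRequestHost validates both places the Go client derives the wire Host
// from: Request.Host (when set) and Request.URL.Host.
func checkRequestHost(req *http.Request) error {
	if req.Host != "" && !validHostHeader(req.Host) {
		return fmt.Errorf("%w: Request.Host=%q", ErrInvalidHost, req.Host)
	}
	if req.URL != nil && req.URL.Host != "" && !validHostHeader(req.URL.Host) {
		return fmt.Errorf("%w: Request.URL.Host=%q", ErrInvalidHost, req.URL.Host)
	}
	return nil
}

// hostCheckingTransport refuses requests with an invalid Host before they
// reach the underlying RoundTripper, so nothing is written to the socket.
type hostCheckingTransport struct {
	next http.RoundTripper
}

func (t hostCheckingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if err := checkRequestHost(req); err != nil {
		return nil, err
	}
	return t.next.RoundTrip(req)
}

func main() {
	client := &http.Client{Transport: hostCheckingTransport{next: http.DefaultTransport}}
	req, _ := http.NewRequest("GET", "http://example.com/", nil)
	// Constructed sample: a Host value carrying CR LF, the shape of a header injection.
	req.Host = "example.com\r\nX-Injected: 1"
	_, err := client.Do(req)
	fmt.Println("request refused:", err)
}
```

The transport wrapper is the practical place for the check: it sees the request after any redirect or retry logic has rewritten Host, and it fails before bytes hit the wire.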

CVE-2023-29409: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures

A Denial of Service (DoS) vulnerability was found in the Golang Go package, caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, a remote attacker can cause a client or server to expend significant CPU time verifying signatures, resulting in a denial of service condition. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2023-29409).
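The upstream fix capped RSA keys in certificate chains at 8192 bits inside crypto/tls. The following added example (not code from MTA, Red Hat or the Go project) shows how a client can enforce the same cap in its own verification path, which matters when a custom VerifyPeerCertificate does its own chain building. The key point, and the reason the example uses InsecureSkipVerify together with a manual Verify call, is ordering: Go runs VerifyPeerCertificate after its built-in chain verification when InsecureSkipVerify is false, so a cheap size check placed there would run only after the expensive signature work. The names checkRSAKeySize, verifyWithKeyLimit and fakeRSACert are hypothetical, and fakeRSACert is a constructed fixture that builds a modulus of a chosen bit length without generating a key.

```go
package main

import (
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
)

// maxRSABits is the largest RSA modulus this client accepts; 8192 matches the
// cap the Go standard library adopted when fixing CVE-2023-29409.
const maxRSABits = 8192

// checkRSAKeySize rejects a certificate whose RSA public key exceeds limit
// bits. Non-RSA keys (ECDSA, Ed25519) pass through untouched.
func checkRSAKeySize(cert *x509.Certificate, limit int) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil
	}
	if bits := pub.N.BitLen(); bits > limit {
		return fmt.Errorf("rejecting certificate %q: RSA key is %d bits, limit %d",
			cert.Subject.CommonName, bits, limit)
	}
	return nil
}

// verifyWithKeyLimit returns a tls.Config.VerifyPeerCertificate callback that
// screens every certificate the peer sent for key size before building and
// verifying the chain itself, so no oversized RSA signature is ever checked.
func verifyWithKeyLimit(limit int, roots *x509.CertPool, serverName string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, raw := range rawCerts {
			// ParseCertificate decodes but does not verify any signature, so the
			// size check runs before any expensive RSA verification.
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if err := checkRSAKeySize(cert, limit); err != nil {
				return err
			}
			certs = append(certs, cert)
		}
		if len(certs) == 0 {
			return errors.New("peer sent no certificate")
		}
		opts := x509.VerifyOptions{Roots: roots, DNSName: serverName, Intermediates: x509.NewCertPool()}
		for _, c := range certs[1:] {
			opts.Intermediates.AddCert(c)
		}
		_, err := certs[0].Verify(opts)
		return err
	}
}

// fakeRSACert is a constructed fixture: an in-memory certificate whose RSA
// modulus has exactly bits bits. Setting a single high bit is enough to
// exercise the size check without the cost of generating a real key.
func fakeRSACert(name string, bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)) // BitLen() == bits
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		PublicKey: &rsa.PublicKey{N: n, E: 65537},
	}
}

func main() {
	roots, err := x509.SystemCertPool()
	if err != nil {
		fmt.Println("system roots:", err)
		return
	}
	cfg := &tls.Config{
		ServerName: "example.com", // hypothetical peer
		// InsecureSkipVerify only turns off the built-in check; the callback
		// performs full verification with the size screen in front of it.
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: verifyWithKeyLimit(maxRSABits, roots, "example.com"),
	}
	_ = cfg // use with tls.Dial or http.Transport{TLSClientConfig: cfg}
	for _, c := range []*x509.Certificate{fakeRSACert("ok.example", 2048), fakeRSACert("huge.example", 16384)} {
		fmt.Println(c.Subject.CommonName, "->", checkRSAKeySize(c, maxRSABits))
	}
}
```

On a patched toolchain the built-in verifier already enforces the cap and the callback is redundant; the pattern is for code that has taken over chain verification itself and would otherwise lose that protection.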

CVE-2022-1962: Uncontrolled recursion in the Parse functions in go/parser

In versions of Golang before 1.17.12 and 1.18.4, a flaw was found in the standard library go/parser: uncontrolled recursion could allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2022-1962).

CVE-2023-26159: Improper handling of URLs by the url.parse() function

Versions of the follow-redirects package before 1.15.4 contain an Improper Input Validation vulnerability. The flaw is caused by the improper handling of URLs by the url.parse() function: when new URL() throws an error, the hostname can be misinterpreted. An attacker could exploit this weakness to redirect traffic to a malicious site, which could lead to information disclosure, phishing attacks, or other security breaches. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2023-26159).

CVE-2022-46751: Improper Restriction of XML External Entity Reference, XML Injection vulnerability in Apache Ivy

In versions of Apache Ivy before 2.5.2, parsing XML files, whether its own configuration, Ivy files or Apache Maven POMs, allows external document type definitions to be downloaded and any entity references they contain to be expanded. This process can be used to exfiltrate data, access resources that only the machine running Ivy has access to, or disturb the execution of Ivy in different ways. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2022-46751).

CVE-2023-2976: Java’s default temporary directory for file creation in FileBackedOutputStream

Google Guava versions 1.0 to 31.1 could allow a local authenticated attacker to obtain sensitive information. This is caused by the use of Java’s default temporary directory for file creation in FileBackedOutputStream. On Unix systems, other users and applications on the machine with access to the default Java temporary directory can read the files created by the class. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2023-2976).

CVE-2023-35116: Versions of jackson-databind before 2.15.2 could allow attackers to cause a denial of service or other unspecified impact (disputed)

Versions of jackson-databind before 2.15.2 could allow attackers to cause a denial of service or other unspecified impact. The vendor believes that this is not a valid vulnerability because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2023-35116).

CVE-2023-1436: An infinite recursion is triggered in Jettison when constructing a JSONArray

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being returned. This issue has been resolved in MTA version 6.2.2.

For more details, see (CVE-2023-1436).

For a complete list of all issues resolved in this release, see the list of Resolved Issues in Jira.

3.2. Known issues

Migration Toolkit for Applications (MTA) version 6.2.2 has the following issues.

CVE-2024-25710: Denial of service caused by an infinite loop

A Loop with Unreachable Exit Condition (infinite loop) vulnerability exists in Apache Commons Compress. This vulnerability affects Apache Commons Compress versions 1.3 to 1.25.0 and can lead to a Denial of Service (DoS).

For more details, see (CVE-2024-25710).

CVE-2023-6291: Keycloak redirect_uri validation bypass

An issue was found in the redirect_uri validation logic in Keycloak that allows for a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

For more details, see (CVE-2023-6291).

CVE-2024-1300: Eclipse Vert.x memory leak when a TCP server is configured with TLS and SNI support

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with Transport Layer Security (TLS) and Server Name Indication (SNI) support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the Secure Sockets Layer (SSL) context is mistakenly cached in the server name map, leading to memory exhaustion. This issue could allow attackers to send TLS client hello messages with fake server names, triggering a Java virtual machine (JVM) Out-of-Memory (OOM) error.

For more details, see (CVE-2024-1300).

CVE-2023-45286: HTTP request body disclosure across requests in go-resty

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that has not had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

For more details, see (CVE-2023-45286).
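The description above names two separate hygiene failures: a buffer returned to the pool twice, and a buffer taken from the pool without Reset. The following added example (not code from go-resty, MTA or Red Hat) shows a package-level pool written so that neither can leak a body. It resets on Get as well as on Put, tracks ownership so a sequential double release is reported instead of silently accepted, and copies the encoded body out of pool-owned memory before release so a retry never appends to an earlier attempt's bytes. The names pooledBuf, acquire, release, encodeBody and sendWithRetry are hypothetical, and the payload and retry behaviour in main are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// pooledBuf wraps bytes.Buffer with an ownership flag so that releasing the
// same buffer twice in one request flow is detected rather than handing the
// buffer to two requests at once.
type pooledBuf struct {
	bytes.Buffer
	inPool bool
}

// Package-level pool, the same scope as the one described in the advisory;
// the acquire/release discipline below is what keeps it from leaking bodies
// between unrelated requests.
var bufPool = sync.Pool{New: func() any { return new(pooledBuf) }}

var ErrDoubleRelease = errors.New("buffer released to pool twice")

// acquire returns an empty buffer. Reset on Get is the guarantee that holds
// under any interleaving: even a buffer that re-entered the pool dirty cannot
// carry a previous body into the next request.
func acquire() *pooledBuf {
	b := bufPool.Get().(*pooledBuf)
	b.inPool = false
	b.Reset()
	return b
}

// release returns the buffer to the pool exactly once. The flag catches the
// sequential double release (the retry path described above); it does not
// replace Reset on Get, which covers concurrent interleavings as well.
func release(b *pooledBuf) error {
	if b.inPool {
		return ErrDoubleRelease
	}
	b.inPool = true
	b.Reset()
	bufPool.Put(b)
	return nil
}

// encodeBody marshals v through a pooled buffer and returns a private copy,
// so the request never references pool-owned memory after release.
func encodeBody(v any) ([]byte, error) {
	b := acquire()
	defer release(b)
	if err := json.NewEncoder(b).Encode(v); err != nil {
		return nil, err
	}
	return append([]byte(nil), b.Bytes()...), nil
}

// sendWithRetry models a client that re-encodes the body on every attempt.
// send stands in for the transport and returns false to request a retry.
// The bodies handed to each attempt are returned so a caller can confirm
// that no attempt carried more than one body.
func sendWithRetry(v any, attempts int, send func(body []byte) bool) ([][]byte, error) {
	var sent [][]byte
	for i := 0; i < attempts; i++ {
		body, err := encodeBody(v)
		if err != nil {
			return sent, err
		}
		sent = append(sent, body)
		if send(body) {
			return sent, nil
		}
	}
	return sent, errors.New("all attempts failed")
}

func main() {
	payload := map[string]string{"user": "alice"} // constructed sample body
	calls := 0
	// Constructed transport: the first attempt fails, the second succeeds.
	sent, err := sendWithRetry(payload, 3, func([]byte) bool { calls++; return calls == 2 })
	fmt.Println(len(sent), "attempts, error:", err)
	for i, b := range sent {
		fmt.Printf("attempt %d body: %s", i+1, b)
	}
}
```

Copying the body out before release is the part that most directly removes the "two bodies in one request" outcome: once an attempt owns its own slice, nothing a later pool operation does can append to it.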

CVE-2023-48631: Adobe’s css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability

A Regular Expression Denial of Service (ReDoS) vulnerability was found in Adobe’s css-tools when parsing CSS. This issue occurs due to improper input validation and may allow an attacker to use a carefully crafted input string to cause a denial of service, when attempting to parse CSS.

For more details, see (CVE-2023-48631).

CVE-2023-36479: Improper addition of quotation marks to user inputs in CgiServlet

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name, the servlet escapes the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, is then executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line contains multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

For more details, see (CVE-2023-36479).

For a complete list of all known issues in this release, see the list of Known Issues in Jira.


© 2024 Red Hat, Inc.