[CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen

2022-02-24 Thread Juan Pablo Santos Rodríguez
Severity
Medium

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.1

Description
A carefully crafted user preferences submission could trigger an
XSS vulnerability in Apache JSPWiki's user preferences screen, which
could allow an attacker to execute JavaScript in the victim's browser
and obtain sensitive information about the victim.

Mitigation
Apache JSPWiki users should upgrade to 2.11.2 or later.

Credit
This issue was discovered by Paulos Yibelo, from Octagon Networks.


[CVE-2022-24947] Apache JSPWiki CSRF Account Takeover

2022-02-24 Thread Juan Pablo Santos Rodríguez
Severity
Critical

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.1

Description
Apache JSPWiki user preferences form is vulnerable to CSRF attacks,
which can lead to account takeover.

Mitigation
Apache JSPWiki users should upgrade to 2.11.2 or later. Installations
>= 2.7.0 can also enable user management workflows' manual approval to
mitigate the issue.

Credit
This issue was discovered initially by Cristian Borlovan from Ounce
Labs Security (ref. JSPWIKI-79), and later on and independently from
this by Paulos Yibelo, from Octagon Networks.


CVE-2022-24288: Apache Airflow: RCE in example DAGs

2022-02-24 Thread Jedidiah Cunningham
Severity: high

Description:

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly 
sanitize user-provided params, making them susceptible to OS Command Injection 
from the web UI.

Mitigation:

Upgrade to Apache Airflow 2.2.4 or later. Until then, this can be mitigated by
ensuring `[core] load_examples` is set to `False` (or, equivalently, that the
`AIRFLOW__CORE__LOAD_EXAMPLES` environment variable is `False`), so that the
example DAGs are never loaded.
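
The injection class the advisory describes and the documented mitigation, as an added example that is not Apache Airflow's code: a hypothetical templated shell command is rendered once with the user-supplied param pasted in verbatim and once with the param shell-quoted, and both are run through `sh` to show the difference; a second function checks whether a given `airflow.cfg` would load the example DAGs, honouring the `AIRFLOW__CORE__LOAD_EXAMPLES` override and the option's default of `True`. Python's `str.format` stands in for the Jinja rendering Airflow applies to a `bash_command`; the template, the parameter name `foo`, the payload and the config text are constructed for illustration.

```python
import configparser
import os
import shlex
import subprocess

# Added example, not Apache Airflow's code. str.format stands in for the Jinja
# rendering Airflow applies to a BashOperator's bash_command; the template,
# the parameter name "foo", the payload and the config text are constructed.


def render_vulnerable(template, params):
    """Interpolate user-supplied params straight into a shell command line,
    the pattern the advisory describes: whatever the user typed becomes part
    of the command the shell parses."""
    return template.format(**params)


def render_hardened(template, params):
    """Same template, but every param is shell-quoted first, so the shell
    sees one literal word no matter what the value contains."""
    return template.format(**{k: shlex.quote(str(v)) for k, v in params.items()})


def run_sh(command):
    """Execute a rendered command line through sh, as a BashOperator would.
    Returns stdout only; the payload below is harmless (it only echoes)."""
    result = subprocess.run(["sh", "-c", command], capture_output=True,
                            text=True, check=False)
    return result.stdout


# Constructed attacker input for the "params" box of the trigger-DAG form.
PAYLOAD = "hello; echo INJECTED"
TEMPLATE = "echo {foo}"   # think: bash_command="echo {{ params.foo }}"


def demo():
    """Returns (output of vulnerable rendering, output of hardened rendering)."""
    vulnerable = run_sh(render_vulnerable(TEMPLATE, {"foo": PAYLOAD}))
    hardened = run_sh(render_hardened(TEMPLATE, {"foo": PAYLOAD}))
    return vulnerable, hardened


def load_examples_enabled(cfg_text, env=None):
    """True if this configuration would load the shipped example DAGs.

    Airflow reads AIRFLOW__CORE__LOAD_EXAMPLES from the environment ahead of
    the airflow.cfg value, and the option defaults to True when absent, so a
    missing key is *not* safe. Truthy spellings follow Airflow's getboolean.
    """
    env = os.environ if env is None else env
    raw = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if raw is None:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(cfg_text)
        raw = parser.get("core", "load_examples", fallback="True")
    return raw.strip().lower() in ("t", "true", "1")


if __name__ == "__main__":
    vuln_out, safe_out = demo()
    print("vulnerable:", repr(vuln_out))   # 'hello\nINJECTED\n'
    print("hardened:  ", repr(safe_out))   # 'hello; echo INJECTED\n'
    cfg = "[core]\ndags_folder = /opt/airflow/dags\n"   # constructed; no load_examples key
    print("examples loaded with this cfg:", load_examples_enabled(cfg, env={}))   # True
```

The point of the config check is the third case: a config that simply omits `load_examples` still loads the examples, so an audit has to treat "key absent" as enabled rather than as safe.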

Credit:

The Apache Airflow PMC would like to thank Kai Zhao of the TToU Security Team 
for reporting this issue.



[ANNOUNCE] Apache Fineract 1.6.0 Release

2022-02-24 Thread Aleksandar Vidakovic
The Apache Fineract project is pleased to announce the release of
Apache Fineract 1.6.0.
The release is available for download from

https://fineract.apache.org/#downloads

Fineract provides a reliable, robust, and affordable solution for
entrepreneurs, financial institutions, and service providers to offer
financial services to the world’s 2 billion underbanked and unbanked.
Fineract is aimed at innovative mobile and cloud-based solutions, and
enables digital transaction accounts for all.

This release addressed 99 issues.

Readme: https://github.com/apache/fineract/blob/1.6.0/README.md

Release page: 
https://cwiki.apache.org/confluence/display/FINERACT/1.6.0+-+Apache+Fineract

List of fixed issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12349949&styleName=Html&projectId=12319420

For more information on Apache Fineract please visit
project home page: https://fineract.apache.org

The Apache Fineract Team


[ANNOUNCE] Apache Jackrabbit Oak 1.22.11 released

2022-02-24 Thread Nitin Gupta
The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit Oak 1.22.11. The release is available for download at:

  http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit Oak -- Version 1.22.11

Introduction
------------

Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

Jackrabbit Oak 1.22.11 is a patch release that contains fixes and
improvements over Oak 1.22. Jackrabbit Oak 1.22.x releases are
considered stable and targeted for production use.

The Oak effort is a part of the Apache Jackrabbit project.
Apache Jackrabbit is a project of the Apache Software Foundation.

Changes in Oak 1.22.11
----------------------

Bug

[OAK-9653] - Adding the index tag option interferes with regex
properties, leads to return zero results

New Feature

[OAK-9587] - Add an attribute to enforce a strict index tag check
("selectionPolicy")

Improvement

[OAK-9634] - CacheLIRS: test failure with ARM processor
[OAK-9651] - Protection against very large queries

In addition to the above-mentioned changes, this release contains
all changes included up to the previous Apache Jackrabbit Oak 1.22.x release.

For more detailed information about all the changes in this and other
Oak releases, please see the Oak issue tracker at

  https://issues.apache.org/jira/browse/OAK
Release Contents
----------------

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.md file for instructions on how to build this release.

The source archive is accompanied by a SHA512 checksum and a PGP
signature that you can use to verify the authenticity of your
download. The public key used for the PGP signature can be found at
https://www.apache.org/dist/jackrabbit/KEYS.
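
Verifying a downloaded source archive against its checksum and signature, as an added example that is not Jackrabbit's code. Apache projects publish `.sha512` files in two layouts (the `sha512sum` form `<hex>  <file>` and the `gpg --print-md` form with the digest split into groups after `<file>:`), so the parser accepts both; the PGP step shells out to `gpg` with a throwaway keyring fed from the project's KEYS file. The archive bytes, file names and keyring path are constructed for illustration.

```python
import hashlib
import hmac
import re
import subprocess

# Added example, not Jackrabbit's code: the verification the release notes
# describe. Archive bytes, file names and the keyring path are constructed.


def parse_sha512_file(text):
    """Return the lower-case hex digest from a .sha512 file in either layout.

    sha512sum layout:   "<128 hex>  jackrabbit-oak-1.22.11-src.zip"
    gpg --print-md:     "jackrabbit-oak-1.22.11-src.zip: ABCD1234 ... " with
                        the digest in groups that may wrap across lines.
    """
    first_line = text.strip().split("\n", 1)[0]
    if ":" in first_line:                       # gpg --print-md layout
        digest = "".join(text.split(":", 1)[1].split())
    else:                                       # sha512sum layout
        digest = first_line.split()[0]
    digest = digest.lower()
    if not re.fullmatch(r"[0-9a-f]{128}", digest):
        raise ValueError("not a SHA-512 digest: %r..." % digest[:16])
    return digest


def verify_sha512(archive_bytes, sha512_text):
    """Compare the archive's SHA-512 with the published one (constant time)."""
    expected = parse_sha512_file(sha512_text)
    actual = hashlib.sha512(archive_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_pgp_signature(archive_path, asc_path, keys_path,
                         keyring="./apache-jackrabbit.gpg"):
    """Import the project's KEYS file into a dedicated keyring and check the
    detached .asc signature against it. Shells out to gpg, so it is not run
    in the offline test. gpg exits 0 for a good signature even when the key
    is not trusted by your web of trust, which is why KEYS must itself be
    fetched over HTTPS from apache.org rather than from a download mirror.
    """
    base = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring]
    subprocess.run(base + ["--import", keys_path], check=True, capture_output=True)
    result = subprocess.run(base + ["--verify", asc_path, archive_path],
                            capture_output=True)
    return result.returncode == 0


def demo():
    """Constructed archive bytes checked against both checksum layouts, then
    a tampered copy against the genuine checksum. Returns (True, True, False)."""
    archive = b"PK\x03\x04 constructed stand-in for jackrabbit-oak-1.22.11-src.zip"
    digest = hashlib.sha512(archive).hexdigest()
    sha512sum_style = "%s  jackrabbit-oak-1.22.11-src.zip\n" % digest
    groups = " ".join(digest[i:i + 8].upper() for i in range(0, 128, 8))
    print_md_style = "jackrabbit-oak-1.22.11-src.zip: %s\n" % groups
    return (verify_sha512(archive, sha512sum_style),
            verify_sha512(archive, print_md_style),
            verify_sha512(archive + b"tampered", sha512sum_style))


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The checksum only proves the bytes match what the mirror published; the signature is what ties them to a release manager's key, so treat a passing SHA-512 with a failing or skipped `gpg --verify` as unverified.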


About Apache Jackrabbit Oak
---------------------------

Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

The Oak effort is a part of the Apache Jackrabbit project.
Apache Jackrabbit is a project of the Apache Software Foundation.

For more information, visit http://jackrabbit.apache.org/oak

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/