Source: libpf4j-java
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libpf4j-java.

CVE-2023-40826[0]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| zippluginPath parameter.

https://github.com/pf4j/pf4j/issues/536
Duplicate/similar to:
https://github.com/pf4j/pf4j/issues/526
https://github.com/pf4j/pf4j/pull/538
Fixed by:
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72

CVE-2023-40827[1]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| loadpluginPath parameter.

https://github.com/pf4j/pf4j/issues/536
https://github.com/pf4j/pf4j/pull/537
https://github.com/pf4j/pf4j/pull/538
Fixed by:
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72

CVE-2023-40828[2]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| expandIfZip method in the extract function.

https://github.com/pf4j/pf4j/pull/537
https://github.com/pf4j/pf4j/pull/538
Fixed by:
https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40826
    https://www.cve.org/CVERecord?id=CVE-2023-40826
[1] https://security-tracker.debian.org/tracker/CVE-2023-40827
    https://www.cve.org/CVERecord?id=CVE-2023-40827
[2] https://security-tracker.debian.org/tracker/CVE-2023-40828
    https://www.cve.org/CVERecord?id=CVE-2023-40828

Please adjust the affected versions in the BTS as needed.