Graylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using an HTTP PUT request to the `/api/system/cluster_config/` endpoint. Graylog's cluster config system uses fully qualified class names as config keys. To validate the existence of the requested class before using it, Graylog loads the class using the class loader. If a user with the appropriate permissions performs the request, arbitrary classes with 1-arg String constructors can be instantiated. This executes arbitrary code that runs during class instantiation. In the specific use case of `java.io.File`, the behavior of the internal web-server stack leads to information exposure by including the entire file content in the response to the REST request. Versions 5.1.11 and 5.2.4 contain a fix for this issue.

SAP NetWeaver AS Java (CAF - Guided Procedures), version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which, when parsed, enables them to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.
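The Graylog advisory above describes a config key that is a fully qualified class name, resolved through the class loader to "validate" it and then instantiated through a one-argument String constructor. The following is an added example reconstructing that pattern; it is not Graylog's code, and the `ConfigBean` marker interface, the `RetentionConfig` bean and the allowlist are assumptions. The unchecked resolver instantiates whatever class the key names (here `java.io.File` with a path of the caller's choosing); the hardened resolver checks the key against an explicit allowlist and loads the class without initialising or instantiating it.

```java
import java.io.File;
import java.lang.reflect.Constructor;
import java.util.Set;

public class ClusterConfigKeyDemo {

    /** Marker interface a legitimate config bean would implement (hypothetical). */
    public interface ConfigBean {}

    /** Example legitimate bean keyed by its class name (hypothetical). */
    public static final class RetentionConfig implements ConfigBean {
        public final String value;
        public RetentionConfig(String value) { this.value = value; }
    }

    /** Vulnerable pattern: any loadable class with a (String) constructor is instantiated. */
    public static Object instantiateUnchecked(String key, String payload) throws Exception {
        Class<?> clazz = Class.forName(key);              // the caller controls the class name
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(payload);                 // arbitrary constructor code runs here
    }

    /** Hardened pattern: explicit allowlist, and no instantiation during validation. */
    private static final Set<String> ALLOWED_KEYS = Set.of(RetentionConfig.class.getName());

    public static Class<? extends ConfigBean> resolveChecked(String key) throws ClassNotFoundException {
        if (!ALLOWED_KEYS.contains(key)) {
            throw new IllegalArgumentException("unknown config key: " + key);
        }
        // initialize=false: static initialisers of the target do not run during the lookup.
        Class<?> clazz = Class.forName(key, false, ClusterConfigKeyDemo.class.getClassLoader());
        return clazz.asSubclass(ConfigBean.class);        // rejects anything outside the bean hierarchy
    }

    public static void main(String[] args) throws Exception {
        // Unchecked: the key names java.io.File, so a File handle on /etc/passwd is constructed.
        Object o = instantiateUnchecked("java.io.File", "/etc/passwd");
        System.out.println("unchecked built " + o.getClass().getName()
                + ", exists=" + ((File) o).exists());

        // Hardened: the same key is rejected before any class loading happens.
        try {
            resolveChecked("java.io.File");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
        System.out.println("hardened accepted: "
                + resolveChecked(RetentionConfig.class.getName()).getSimpleName());
    }
}
```

The example stops at instantiation. The advisory attributes the actual information exposure to the web-server stack serialising the resulting `java.io.File` object, file contents included, into the REST response; the point the hardened resolver makes is that an endpoint which maps untrusted input to `Class.forName` should accept only names it already knows, and should not need to construct an object to decide whether a key is valid.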