/techtags/language.java/ Recent content in Language.Java on ZAP Hugo en-us /docs/alerts/40043-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/40043-1/ <p>Apache Log4j2 &lt;=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.</p> /docs/alerts/40043-2/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/40043-2/ <p>It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments.</p> /docs/alerts/40042/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/40042/ <p>Spring Actuator for Health is enabled and may reveal sensitive information about this application. Spring Actuators can be used for real monitoring purposes, but should be used with caution as to not expose too much information about the application or the infrastructure running it.</p> /docs/alerts/40045/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/40045/ <p>The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding.</p> /docs/alerts/40047/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/40047/ <p>Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults.Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded.The application has been shown to initial contact with remote servers via variable interpolation and may well be vulnerable to Remote Code Execution (RCE).</p>