=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN461
_____________________________________________________________________

DATE                : 14/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Any23 versions prior to 2.5.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202109.mbox/%3cpony-b7497055821405926d63668ab1112e0f108e2346-24b556bb9c8200804abff20daacf3205f453d88d@announce.apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202109.mbox/%3cpony-b7497055821405926d63668ab1112e0f108e2346-fc7885638697ea0fec1186b16e985c55e5d49a83@announce.apache.org%3e
_____________________________________________________________________


CVE-2021-40146: A Remote Code Execution (RCE) vulnerability exists in
Apache Any23 YAMLExtractor.java

Description:

A Remote Code Execution (RCE) vulnerability was discovered in the Any23
YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE
vulnerabilities allow a malicious actor to execute any code of their
choice on a remote machine over LAN, WAN, or internet.
RCE belongs to the broader class of arbitrary code execution (ACE)
vulnerabilities.


Credit:

The Apache Any23 Project Management Committee would like to thank
Zhuxuan Wu for reporting the security vulnerability.


Fix and Action:

Upgrade immediately to Any23 2.5 see
https://any23.apache.org/download.html


Support

Please find us on the Any23 community mailing lists at
https://any23.apache.org/mailing-lists.html


Sincerely
lewismc
(On behalf of the Any23 PMC)

_____________________________________________________________________

CVE-2021-38555: An XML external entity (XXE) injection vulnerability
exists in Apache Any23 StreamUtils.java


Severity: critical

Description: An XML external entity (XXE) injection vulnerability was
discovered in the Any23 StreamUtils.java file and is known to affect
Any23 versions < 2.5. XML external entity injection (also known as XXE)
is a web security vulnerability that allows an attacker to interfere
with an application's processing of XML data. It often allows an
attacker to view files on the application server filesystem, and to
interact with any back-end or external systems that the application
itself can access.


Credit:The Apache Any23 Project Management Committee would like to thank
Zhuxuan Wu for reporting the security vulnerability.


Fix and Action: Upgrade immediately to Any23 2.5 see
https://any23.apache.org/download.html


Support: Please find us on the Any23 community mailing lists at
https://any23.apache.org/mailing-lists.html


Sincerely
lewismc
(On behalf of the Any23 PMC)

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================