

All JXPathContext class functions that process an XPath string are vulnerable, except the compile() and compilePath() functions.
Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack.

Those using or in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath, resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "thod_class_names" to the classes which are allowed to be called. For example, tProperty("thod_class_names", "abc") or the Java argument thod_class_names="abc" can be used. From version 2.7.1 all classes are by default not accessible except those in and need to be manually enabled.
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
