脆弱性情報
高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
CedarJava has a type confusion vulnerability
脆弱性説明
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Record-to-Entity type confusion across the Java-Rust FFI boundary. CedarJava sends authorization requests to the Rust cedar-policy evaluator as JSON. The JSON protocol reserves magic single-key object shapes (__entity and __extn) for entity references and extension values. When serializing a CedarMap, there is no validation preventing these reserved keys from being used. If an integrating service builds a CedarMap from caller-supplied key/value data (such as request headers, user-defined metadata, or resource tags), an actor who controls those keys could cause the Rust evaluator to interpret a record as an entity reference. This issue requires the integrating service to build a CedarMap where the an actor controls the keys, and a policy must reference that value in a when/unless clause. This vulnerability has been fixed in versions 2.3.6, 3.4.1, and 4.9.
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
脆弱性タイプ
使用不兼容类型访问资源(类型混淆)
脆弱性タイトル
CedarJava 缓冲区错误漏洞
脆弱性説明
Cedar CedarJava是Cedar组织的一款消息队列中间件。 CedarJava存在缓冲区错误漏洞,该漏洞源于输入处理不当,可能导致Java-Rust FFI边界的Record-to-Entity类型混淆。以下版本受到影响:2.3.6之前版本、3.1.2至3.4.1之前版本以及4.0.0至4.9.0之前版本。
CVSS情報
N/A
脆弱性タイプ
N/A