Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

Apache NiFi GetAsanaObject Processor has Remote Code Execution via Unsafe Deserialization

Elasticsearch has Excessive Allocation of Resources via Submission of Oversized User Settings Data

Elasticsearch privileged authenticated users can cause DoS through Excessive Resource Allocation

Apache Log4j does not verify the TLS hostname in its Socket Appender

Amazon S3 Encryption Client for Java has a Key Commitment Issue

jose4j is vulnerable to DoS via compressed JWE content

ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay

Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder

Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates

snail-job is vulnerable to Code Injection through QLExpressEngine.doEval function

aircompressor Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer

Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations

Apache StreamPark: Use the user’s password as the secret key Vulnerability

Apache StreamPark uses a Weak Encryption Algorithm

Apache StreamPark has a hard-coded encryption key

Apache HugeGraph-Server: RAFT and deserialization vulnerability

PowerJob has a server-side request forgery vulnerability in PingPongUtils.java

Race condition in the Okta Java SDK

Improper Memory Cleanup in the Okta Java SDK