Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.5 days (on average).

CVE-2020-28499

Prototype Pollution in npm/merge

All versions of package merge are vulnerable to Prototype Pollution via `_recursiveMerge`.

Added on 2021-02-26

CVE-2020-36245

Code Injection in pypi/gramaddict

GramAddict allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach the TCP port, e.g., by being on the same Wi-Fi network.

Added on 2021-02-26

CVE-2020-28490

Argument Injection or Modification in npm/async-git

The package async-git is vulnerable to Command Injection via shell meta-characters (back-ticks). For example, ``git.reset('a`touch HACKED`b')``

Added on 2021-02-26

CVE-2021-27218

Incorrect Conversion between Numeric Types in conan/glib

An issue was discovered in GNOME GLib. If `g_byte_array_new_take()` was called with a buffer of 4GB or more on a platform, the length would be truncated modulo `2**32`, causing unintended length truncation.

Added on 2021-02-26

CVE-2021-27219

Incorrect Conversion between Numeric Types in conan/glib

An issue was discovered in GNOME GLib. The function `g_bytes_new` has an integer overflow on platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.

Added on 2021-02-26

CVE-2021-26559

Improper Privilege Management in pypi/apache-airflow

Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow

Added on 2021-02-26

CVE-2021-26697

Improper Authentication in pypi/apache-airflow

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow. This allowed unauthenticated users to hit that endpoint. This is a low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even then can only get some metadata about a DAG and a Task. This issue affects Apache Airflow

Added on 2021-02-26

CVE-2021-23839

Inadequate Encryption Strength in conan/openssl

OpenSSL supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such a server will accept a connection if a version rollback attack has occurred. Further, the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. In order to be vulnerable a server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list). The underlying error is in the implementation of the `RSA_padding_check_SSLv23()` function. This also affects the `RSA_SSLV23_PADDING` padding mode used by various other functions.

Added on 2021-02-26

CVE-2020-22425

SQL Injection in packagist/centreon/centreon

Centreon where an authorized user is able to inject additional SQL queries to perform remote command execution.

Added on 2021-02-25

CVE-2021-21311

Server-Side Request Forgery (SSRF) in packagist/vrana/adminer

Adminer is an open-source database management tool in a single PHP file. In adminer from there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected.

Added on 2021-02-23

CVE-2020-13949

Uncontrolled Resource Consumption in maven/org.apache.thrift/libthrift

In Apache Thrift to, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Added on 2021-02-23

CVE-2020-13949

Uncontrolled Resource Consumption in conan/thrift

In Apache Thrift to, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Added on 2021-02-23

CVE-2020-13949

Uncontrolled Resource Consumption in npm/thrift

In Apache Thrift to, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Added on 2021-02-23

CVE-2020-26299

Path Traversal in npm/ftp-srv

ftp-srv is an open-source FTP server designed to be simple yet configurable. In ftp-srv there is a path-traversal vulnerability. Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR. When Windows separators exist within the path (`\`), `path.resolve` leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function. The issue is patched (commit b859450a37cba10ff3c431eb4aa67771122e3).

Added on 2021-02-23

CVE-2021-21315

OS Command Injection in npm/systeminformation

The System Information Library for Node.JS is affected by an OS command injection. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to `si.inetLatency()`, `si.inetChecksite()`, `si.services()`, `si.processLoad()` ... only allow strings and reject any arrays. String sanitation works as expected.

Added on 2021-02-23

CVE-2020-13949

Uncontrolled Resource Consumption in go/github.com/apache/thrift/lib/go/thrift

In Apache Thrift to, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Added on 2021-02-23

CVE-2020-25340

Allocation of Resources Without Limits or Throttling in pypi/nfstream

An issue was discovered in NFStream. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it will cause a memory leak that may result in a local denial of service (DoS).

Added on 2021-02-23

CVE-2020-11979

Injection Vulnerability in maven/org.gradle/gradle-core

As a mitigation for CVE-2020-1945 Apache Ant changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the `fixcrlf` task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Added on 2021-02-23

CVE-2021-23334

Code Injection in npm/static-eval

All versions of package static-eval are vulnerable to arbitrary code execution using `FunctionExpressions` and `TemplateLiterals`.

Added on 2021-02-19

CVE-2020-1717

Information Exposure Through an Error Message in npm/keycloak-connect

Keycloak suffers from an information disclosure through error messages. A logged-in user can do an account email enumeration attack.

Added on 2021-02-19

CVE-2021-21290

Creation of Temporary File With Insecure Permissions in maven/io.netty/netty-codec-http

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method `File.createTempFile` on Unix-like systems creates a random file, but, by default, will create this file with the permissions `-rw-r--r--`. Thus, if sensitive information is written to this file, other local users can read this information.

Added on 2021-02-19

CVE-2020-1717

Information Exposure Through an Error Message in maven/org.keycloak/keycloak-server-spi-private

Keycloak suffers from an information disclosure through an error message. A logged-in user can do an account email enumeration attack.

Added on 2021-02-19

CVE-2020-1717

Information Exposure Through an Error Message in maven/org.keycloak/keycloak-services

Keycloak suffers from an information disclosure through an error message. A logged-in user can do an account email enumeration attack.

Added on 2021-02-19

CVE-2020-1717

Information Exposure Through an Error Message in maven/org.keycloak/keycloak-model-jpa

Keycloak suffers from an information disclosure through an error message. A logged-in user can do an account email enumeration attack.

Added on 2021-02-19

CVE-2021-22880

Uncontrolled Resource Consumption in gem/rails

The PostgreSQL adapter in Active Record suffers from a regular expression denial of service (ReDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Added on 2021-02-19

CVE-2021-22881

URL Redirection to Untrusted Site (Open Redirect) in gem/rails

The Host Authorization middleware in Action Pack suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.

Added on 2021-02-19

CVE-2021-21290

Creation of Temporary File With Insecure Permissions in maven/io.netty/netty-handler

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method `File.createTempFile` on Unix-like systems creates a random file, but, by default, will create this file with the permissions `-rw-r--r--`. Thus, if sensitive information is written to this file, other local users can read this information.

Added on 2021-02-19

CVE-2020-11023

Cross-site Scripting in packagist/drupal/drupal

In jQuery, passing HTML containing `<option>` elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., `.html()`, `.append()`, and others) may execute untrusted code.

Added on 2021-02-19

CVE-2020-11023

Cross-site Scripting in packagist/drupal/core

In jQuery, passing HTML containing `<option>` elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., `.html()`, `.append()`, and others) may execute untrusted code.

Added on 2021-02-19

CVE-2020-1717

Information Exposure Through an Error Message in maven/org.keycloak/keycloak-core

Keycloak suffers from an information disclosure through an error message. A logged-in user can do an account email enumeration attack.

Added on 2021-02-19

CVE-2021-21290

Creation of Temporary File With Insecure Permissions in maven/io.netty/netty-codec

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method `File.createTempFile` on Unix-like systems creates a random file, but, by default, will create this file with the permissions `-rw-r--r--`. Thus, if sensitive information is written to this file, other local users can read this information.

Added on 2021-02-19

CVE-2020-1717

Information Exposure Through an Error Message in maven/org.keycloak/keycloak-wildfly-server-subsystem

Keycloak suffers from an information disclosure through an error message. A logged-in user can do an account email enumeration attack.

Added on 2021-02-19

CVE-2021-21290

Creation of Temporary File With Insecure Permissions in maven/io.netty/netty-all

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method `File.createTempFile` on Unix-like systems creates a random file, but, by default, will create this file with the permissions `-rw-r--r--`. Thus, if sensitive information is written to this file, other local users can read this information.

Added on 2021-02-19

CVE-2021-21290

Creation of Temporary File With Insecure Permissions in maven/io.netty/netty

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method `File.createTempFile` on Unix-like systems creates a random file, but, by default, will create this file with the permissions `-rw-r--r--`. Thus, if sensitive information is written to this file, other local users can read this information.

Added on 2021-02-19

CVE-2021-20188

Incorrect Authorization in go/github.com/containers/podman

An authorization flaw was found in podman. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow a direct escape from the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Added on 2021-02-19

CVE-2021-22133

Inclusion of Sensitive Information in Log Files in go/github.com/elastic/apm-agent-go

The Elastic APM agent for Go can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.

Added on 2021-02-19

CVE-2021-21026

Improper Authorization in packagist/magento/community-edition

Magento does not sufficiently protect resources. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21014

Unrestricted Upload of File with Dangerous Type in packagist/magento/community-edition

Magento is vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21022

Improper Authorization in packagist/magento/community-edition

Magento is vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.

Added on 2021-02-18

CVE-2021-21029

Cross-site Scripting in packagist/magento/community-edition

Magento is vulnerable to Cross-Site Scripting in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21025

XPath Injection in packagist/magento/community-edition

Magento is vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21023

Cross-site Scripting in packagist/magento/community-edition

Magento is vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21019

XPath Injection in packagist/magento/community-edition

Magento is vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21027

Cross-Site Request Forgery (CSRF) in packagist/magento/community-edition

Magento is vulnerable to Cross-Site Request Forgery. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

Added on 2021-02-18

CVE-2021-21020

Improper Access Control in packagist/magento/community-edition

Magento is vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources.

Added on 2021-02-18

CVE-2021-21031

Insufficient Session Expiration in packagist/magento/community-edition

Magento does not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.

Added on 2021-02-18

CVE-2021-21018

OS Command Injection in packagist/magento/community-edition

Magento is vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21030

Cross-site Scripting in packagist/magento/community-edition

Magento is vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction.

Added on 2021-02-18

CVE-2021-21015

OS Command Injection in packagist/magento/community-edition

Magento is vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21016

OS Command Injection in packagist/magento/community-edition

Magento is vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2021-21032

Insufficient Session Expiration in packagist/magento/community-edition

Magento does not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.

Added on 2021-02-18

CVE-2020-14343

Improper Input Validation in pypi/pyyaml

A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the `full_load` method or with the `FullLoader` loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the `python/object/new` constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Added on 2021-02-18

CVE-2021-21024

SQL Injection in packagist/magento/community-edition

Magento is vulnerable to SQL Injection. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-02-18

CVE-2020-35125

Cross-site Scripting in packagist/mautic/core

A cross-site scripting (XSS) vulnerability in the forms component of Mautic allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).

Added on 2021-02-18

CVE-2021-21240

Uncontrolled Resource Consumption in pypi/httplib2

httplib2 is a comprehensive HTTP client library for Python. In httplib2, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server.

Added on 2021-02-15

CVE-2020-7785

OS Command Injection in npm/node-ps

An OS Command Injection vulnerability was found in node-ps located on line 72 of `lib/index.js`.

Added on 2021-02-15

CVE-2021-26539

Origin Validation Error in npm/sanitize-html

sanitize-html does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass the hostname allowlist validation set by the `allowedIframeHostnames` option.

Added on 2021-02-15

CVE-2021-26540

Origin Validation Error in npm/sanitize-html

sanitize-html does not properly validate the hostnames set by the `allowedIframeHostnames` option when the `allowIframeRelativeUrls` is set to true, which allows attackers to bypass the hostname allow list for an iframe element, when using a src value that starts with `/\\example.com`.

Added on 2021-02-15

CVE-2020-7786

OS Command Injection in npm/macfromip

The macfromip package suffers from an OS Command Injection. The vulnerability is located on line 66 of `macfromip.js`.

Added on 2021-02-15

CVE-2020-7782

Injection Vulnerability in npm/spritesheet-js

The spritesheet-js package depends on a vulnerable package, `platform-command`. The injection point is located on line 32 in `lib/generator.js`, which is triggered by the main entry of the package.

Added on 2021-02-15

CVE-2020-13574

NULL Pointer Dereference in conan/gsoap

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

Added on 2021-02-15

CVE-2020-13577

NULL Pointer Dereference in conan/gsoap

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

Added on 2021-02-15

CVE-2020-13578

NULL Pointer Dereference in conan/gsoap

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

Added on 2021-02-15

CVE-2020-13575

NULL Pointer Dereference in conan/gsoap

A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

Added on 2021-02-15

CVE-2020-13576

Integer Overflow or Wraparound in conan/gsoap

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

Added on 2021-02-15

CVE-2020-13947

Cross-site Scripting in maven/org.apache.activemq/activemq-jaas

An instance of a cross-site scripting vulnerability was identified to be present in the web-based administration console on the `message.jsp` page of Apache ActiveMQ.

Added on 2021-02-15

CVE-2020-13947

Cross-site Scripting in maven/org.apache.activemq/activemq-core

An instance of a cross-site scripting vulnerability was identified to be present in the web-based administration console on the `message.jsp` page of Apache ActiveMQ.

Added on 2021-02-15

CVE-2020-13947

Cross-site Scripting in maven/org.apache.activemq/activemq-client

An instance of a cross-site scripting vulnerability was identified to be present in the web-based administration console on the `message.jsp` page of Apache ActiveMQ.

Added on 2021-02-15

CVE-2020-13947

Cross-site Scripting in maven/org.apache.activemq/activemq-web-console

An instance of a cross-site scripting vulnerability was identified to be present in the web-based administration console on the `message.jsp` page of Apache ActiveMQ.

Added on 2021-02-15

CVE-2020-13947

Cross-site Scripting in maven/org.apache.activemq/activemq-all

An instance of a cross-site scripting vulnerability was identified to be present in the web-based administration console on the `message.jsp` page of Apache ActiveMQ.

Added on 2021-02-15

CVE-2020-13947

Cross-site Scripting in maven/org.apache.activemq/activemq-broker

An instance of a cross-site scripting vulnerability was identified to be present in the web-based administration console on the `message.jsp` page of Apache ActiveMQ.

Added on 2021-02-15

CVE-2020-13947

Cross-site Scripting in maven/org.apache.activemq/artemis-server

An instance of a cross-site scripting vulnerability was identified to be present in the web-based administration console on the `message.jsp` page of Apache ActiveMQ.

Added on 2021-02-15