Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.5 days (on average).

CVE-2021-41971

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pypi/apache-superset

Apache Superset up to and including when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.

Added on 2021-10-25

CVE-2021-37137

Uncontrolled Resource Consumption in maven/io.netty/netty-codec

The Snappy frame decoder function does not restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.

Added on 2021-10-25

CVE-2021-37136

Uncontrolled Resource Consumption in maven/io.netty/netty-codec

The Bzip2 decompression decoder function does not allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and therefore a denial of service.

Added on 2021-10-25
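
Both netty entries above (CVE-2021-37137 and CVE-2021-37136) come down to a decoder allocating whatever the input asks for. The following Python is an added example, not netty code: it shows the two checks the fixes add, a cap on decompressed output enforced while decompressing (here with the standard library's bz2 module, whose `max_length` argument provides what netty's `Bzip2Decoder` could not) and a cap on the declared chunk length of the Snappy framing format, checked before any payload is buffered, with reserved skippable chunks stepped over instead of stored. The sample inputs (a few MiB of zeros as the "bomb", and hand-built Snappy chunk headers) are constructed for the example, and the 65536+4 byte chunk cap is the example's own choice, derived from the framing format's per-chunk limit on uncompressed data plus the 4-byte CRC.

```python
import bz2


class DecompressionBomb(ValueError):
    """Raised when decompressed output would exceed the configured cap."""


def bounded_bz2_decompress(data: bytes, max_output: int) -> bytes:
    """Decompress a bzip2 stream, refusing to produce more than max_output bytes.

    BZ2Decompressor.decompress(max_length=...) returns at most max_length bytes
    and keeps the remainder buffered inside the decompressor, so the cap is
    checked before the large buffer is ever allocated, not after the fact.
    """
    d = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not d.eof:
        # Request one byte more than the remaining budget: receiving it proves
        # the stream is over the limit, so we fail instead of silently truncating.
        budget = max_output - len(out) + 1
        out += d.decompress(pending, max_length=budget)
        pending = b""  # later calls only drain output already buffered
        if len(out) > max_output:
            raise DecompressionBomb(f"decompressed output exceeds {max_output} bytes")
        if d.needs_input:
            # all input consumed, output budget not hit, no end-of-stream marker
            raise ValueError("truncated bzip2 stream")
    return bytes(out)


def compress_zeros(n_bytes: int) -> bytes:
    """Constructed 'bomb' input: n_bytes of zeros compress to a few hundred bytes."""
    return bz2.compress(b"\x00" * n_bytes)


# Snappy framing format: each chunk is a 1-byte type followed by a 3-byte
# little-endian length of the chunk data. The stream starts with chunk type
# 0xff carrying "sNaPpY"; 0x00/0x01 are compressed/uncompressed data chunks
# (4-byte CRC-32C then data), 0xfe is padding, 0x80..0xfd are reserved
# skippable and 0x02..0x7f reserved unskippable.
SNAPPY_STREAM_ID = b"\xff\x06\x00\x00sNaPpY"
MAX_SNAPPY_CHUNK = 65536 + 4  # example's cap: uncompressed-data limit plus CRC


def walk_snappy_chunks(stream: bytes, max_chunk: int = MAX_SNAPPY_CHUNK) -> list:
    """Return [(chunk_type, length)] for every chunk header in a framed stream.

    Two things this does that the vulnerable decoder did not: it refuses a chunk
    whose declared length exceeds max_chunk before reading any payload, and it
    steps over reserved skippable chunks without copying them anywhere.
    """
    chunks = []
    off = 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise ValueError("truncated chunk header")
        ctype = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "little")
        if length > max_chunk:
            raise ValueError(f"chunk 0x{ctype:02x} declares {length} bytes, cap is {max_chunk}")
        off += 4
        if 0x02 <= ctype <= 0x7f:
            raise ValueError(f"reserved unskippable chunk type 0x{ctype:02x}")
        # Skippable and data chunks alike: advance past the payload. A real
        # decoder would decode 0x00/0x01 payloads here, bounded by `length`.
        off += length
        chunks.append((ctype, length))
    return chunks


# Constructed streams: a valid one (stream id, one uncompressed chunk with a
# placeholder CRC and "hello", one skippable chunk) and one whose second
# chunk header declares the maximum 24-bit length.
SAMPLE_SNAPPY = (
    SNAPPY_STREAM_ID
    + b"\x01\x09\x00\x00" + b"\x00\x00\x00\x00" + b"hello"
    + b"\x80\x03\x00\x00" + b"abc"
)
OVERSIZED_SNAPPY = SNAPPY_STREAM_ID + b"\x80\xff\xff\xff"
```

The pattern to avoid is the one the advisories describe: decompress everything, then look at `len()`. By then the allocation has already happened; the limit has to be applied inside the loop, on the declared length or on the output as it is produced.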

CVE-2021-32609

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/apache-superset

Apache Superset up to and including does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page.

Added on 2021-10-25

CVE-2021-23449

Improperly Controlled Modification of Dynamically-Determined Object Attributes in npm/vm2

This affects the package vm2 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.

Added on 2021-10-25

CVE-2021-3858

Cross-Site Request Forgery (CSRF) in packagist/snipe/snipe-it

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2021-10-22

CVE-2021-41117

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) in npm/keypair

An issue was discovered where this library generated identical RSA keys for use in SSH.

Added on 2021-10-22

CVE-2021-23448

Improper Control of Dynamically-Managed Code Resources in npm/config-handler

All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.

Added on 2021-10-22

CVE-2021-3846

Unrestricted Upload of File with Dangerous Type in packagist/grumpydictator/firefly-iii

firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type

Added on 2021-10-22

CVE-2021-3863

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/snipe/snipe-it

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2021-10-22

CVE-2021-41124

Exposure of Sensitive Information to an Unauthorized Actor in pypi/scrapy-splash

Scrapy-splash is a library which provides Scrapy and JavaScript integration. Using `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for Splash authentication causes any non-Splash request to expose your credentials to the request target.

Added on 2021-10-22

CVE-2021-21684

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.plugins/git

Jenkins Git Plugin does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

Added on 2021-10-22

CVE-2021-3869

Improper Restriction of XML External Entity Reference in maven/edu.stanford.nlp/stanford-corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Added on 2021-10-22

CVE-2021-3851

URL Redirection to Untrusted Site ('Open Redirect') in packagist/grumpydictator/firefly-iii

firefly-iii is vulnerable to URL Redirection to Untrusted Site

Added on 2021-10-22

CVE-2021-3879

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/snipe/snipe-it

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2021-10-22

CVE-2021-41591

Incorrect Authorization in maven/fr.acinq.eclair/eclair-core

ACINQ Eclair allows loss of funds because of dust HTLC exposure.

Added on 2021-10-22

CVE-2021-22942

URL Redirection to Untrusted Site ('Open Redirect') in gem/rails

A possible open redirect vulnerability in the Host Authorization middleware in Action Pack that could allow attackers to redirect users to a malicious website.

Added on 2021-10-22

CVE-2021-3878

Improper Restriction of XML External Entity Reference in maven/edu.stanford.nlp/stanford-corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Added on 2021-10-22

CVE-2021-28021

Out-of-bounds Write in conan/stb

Buffer overflow vulnerability in function `stbi__extend_receive` in `stb_image.h` in stb via a crafted JPEG file.

Added on 2021-10-21

CVE-2021-39184

Exposure of Resource to Wrong Sphere in npm/electron

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability allows a sandboxed renderer to request a `thumbnail` image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.

Added on 2021-10-21

CVE-2021-42340

Missing Release of Resource after Effective Lifetime in maven/org.apache.tomcat/tomcat

tomcat is vulnerable to a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Added on 2021-10-21

CVE-2021-41136

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in gem/puma

Puma is an HTTP server for Ruby/Rack applications. Using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Added on 2021-10-20
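
A minimal model of the disagreement the Puma advisory describes, as an added example (it is not Puma's or Apache Traffic Server's parser): the same bytes are split once treating only CRLF as a line terminator and once also accepting a bare LF, and the two views disagree about how many requests are on the wire. Also included is the check a front end can apply to refuse the ambiguity. The request bytes are constructed for the example, and the model ignores message bodies, which the sample requests do not carry.

```python
import re

STRICT = re.compile(rb"\r\n")    # only CRLF ends a line (modelled proxy view)
LENIENT = re.compile(rb"\r?\n")  # a bare LF ends a line too (modelled origin view)

# Constructed request: the client hides a blank line and a second request line
# inside the X-Note header value, using bare LFs only, so a CRLF-only parser
# still sees a single (odd-looking) header.
SMUGGLED = (
    b"GET /public HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"X-Note: harmless\n\nGET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)
CLEAN = b"GET /public HTTP/1.1\r\nHost: app.example\r\nX-Note: harmless\r\n\r\n"


def split_messages(raw: bytes, line_end: re.Pattern) -> list:
    """Group lines into messages separated by an empty line. Bodies are ignored:
    the constructed requests carry no Content-Length or Transfer-Encoding."""
    messages, current = [], []
    for line in line_end.split(raw):
        if line == b"":
            if current:
                messages.append(current)
                current = []
        else:
            current.append(line)
    if current:
        messages.append(current)
    return messages


def request_lines(raw: bytes, line_end: re.Pattern) -> list:
    """The request line of every message a parser with this line convention sees."""
    return [message[0] for message in split_messages(raw, line_end)]


def has_bare_lf_in_headers(raw: bytes) -> bool:
    """The check a hardened front end should run: after splitting strictly on
    CRLF, no header line may still contain a CR or LF. Rejecting such requests
    removes the disagreement the smuggling depends on."""
    for message in split_messages(raw, STRICT):
        for header in message[1:]:
            if b"\n" in header or b"\r" in header:
                return True
    return False
```

With `SMUGGLED`, the strict view yields one request and the lenient view two, which is the desynchronisation the advisory builds on; a proxy that forwards the LF-bearing header unchanged hands the origin the second interpretation. Whichever side you operate, rejecting CR or LF inside header values (as Puma's fix does) is the check to add.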

CVE-2021-41129

Deserialization of Untrusted Data in packagist/pterodactyl/panel

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process, a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method, which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token`, which is expected to be a random alpha-numeric string that references a value within the Panel's cache containing a `user_id` value. This value is then used to fetch the user that attempted to login and look up their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store integer values into the cache, and a user who determines what those cache keys are could pass one of those keys, which would cause this code path to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability.
However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: 1) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thus exiting this authentication flow. 2) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint, once a valid user account is found with two-factor authentication enabled there is no rate limiting present, thus allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met: 3) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker. In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store whose value the user is therefore unable to control. This completely removed the use of a user-controlled value. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere.

Added on 2021-10-20
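
A Python model of the flaw and the fix described above, written as an added example rather than taken from the Pterodactyl code base. The vulnerable checkpoint looks up whatever cache key the client names and treats any integer it finds there as the pending `user_id`; the fixed checkpoint reads the pending user from server-side session state that the client can only reference through an opaque session id, and also caps second-factor attempts, closing the brute-force path the advisory notes. Users, codes, the cache contents and the predictable `throttle:...` key are all constructed for the example.

```python
import hmac
import secrets

# Constructed stand-ins for the Panel's users, shared cache and session store.
USERS = {
    7: {"name": "alice", "two_factor": True, "code": "492817"},
    42: {"name": "admin", "two_factor": True, "code": "118203"},
}
# One application-wide cache. The login flow stores random_key -> user_id in it,
# but so do unrelated features, under keys an attacker can predict (constructed).
CACHE = {"throttle:api:203.0.113.5": 42}


def password_step_vulnerable(user_id: int) -> str:
    """After a correct password: park the user id in the cache under a random key
    and hand that key to the client as `confirmation_token`."""
    token = secrets.token_hex(32)
    CACHE[token] = user_id
    return token


def vulnerable_checkpoint(confirmation_token: str, code: str):
    """Modelled flaw: the client chooses WHICH cache key names the pending user."""
    user_id = CACHE.get(confirmation_token)
    if not isinstance(user_id, int) or user_id not in USERS:
        return None
    user = USERS[user_id]
    if not user["two_factor"]:
        raise RuntimeError("no two-factor auth configured")  # the exception the advisory mentions
    if hmac.compare_digest(user["code"], code):
        return user_id  # whoever the attacker's chosen key happened to point at
    return None


# Fixed flow: the pending user id lives in server-side session state that the
# client references only through an opaque session id and cannot rewrite.
SESSIONS: dict = {}
MAX_ATTEMPTS = 5


def password_step_fixed(session_id: str, user_id: int) -> None:
    SESSIONS[session_id] = {"pending_user": user_id, "attempts": 0}


def fixed_checkpoint(session_id: str, code: str):
    sess = SESSIONS.get(session_id)
    if sess is None:
        return None
    if sess["attempts"] >= MAX_ATTEMPTS:  # rate limit the second factor as well
        del SESSIONS[session_id]
        return None
    sess["attempts"] += 1
    user = USERS[sess["pending_user"]]
    if hmac.compare_digest(user["code"], code):
        del SESSIONS[session_id]  # one successful checkpoint per password step
        return sess["pending_user"]
    return None
```

The general lesson is the one the advisory draws: a value that selects an identity must be bound to the authenticated step that produced it, never looked up from a shared namespace by a client-supplied key.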

CVE-2021-42325

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/froxlor/froxlor

Froxlor allows SQL injection in `Database/Manager/DbManagerMySQL.php` via a custom DB name.

Added on 2021-10-20

CVE-2021-37714

Loop with Unreachable Exit Condition ('Infinite Loop') in maven/org.apache.maven/maven

jsoup is a Java library for working with HTML. Those using jsoup to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue has been patched. There are a few available workarounds: users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes.

Added on 2021-10-20

CVE-2021-33609

Uncontrolled Resource Consumption in maven/com.vaadin/vaadin-server

Missing check in `DataCommunicator` class in com.vaadin:vaadin-server allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.

Added on 2021-10-20

CVE-2021-41137

Improper Authorization in go/github.com/minio/minio

Minio is a Kubernetes native application for cloud storage. All users are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, `checkKeyValid()` should return owner true for `rootCreds`. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts.

Added on 2021-10-20

CVE-2021-42009

Improper Input Validation in go/github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/login

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the `/deliveryservices/request` Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address.

Added on 2021-10-20

CVE-2021-42134

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/unicorn

The Unicorn framework for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053.

Added on 2021-10-19

CVE-2021-25738

Improper Input Validation in maven/io.kubernetes/client-java

Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

Added on 2021-10-19

CVE-2021-28661

Incorrect Authorization in packagist/silverstripe/framework

Default SilverStripe GraphQL Server (aka silverstripe/graphql) permission checker is not inherited by query subclass.

Added on 2021-10-18

CVE-2021-41103

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/containerd/containerd

containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.

Added on 2021-10-18

CVE-2021-36150

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/silverstripe/secureassets

SilverStripe Framework suffers from an XSS vulnerability.

Added on 2021-10-18

CVE-2021-36150

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/silverstripe/framework

SilverStripe Framework allows XSS.

Added on 2021-10-18

CVE-2021-42053

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/unicorn

The Unicorn framework for Django allows XSS via `component.name`.

Added on 2021-10-18

CVE-2021-41126

Improper Authentication in packagist/october/october

October is a Content Management System (CMS) and web platform built on the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend.

Added on 2021-10-18

CVE-2021-41125

Exposure of Sensitive Information to an Unauthorized Actor in pypi/scrapy

Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. If you cannot upgrade to a patched version, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.

Added on 2021-10-18
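
An added example (not Scrapy's code) of the workaround described above. `basic_auth_header` below reproduces what `w3lib.http.basic_auth_header` builds, and the two policy functions model the difference: the pre-fix middleware sets `Authorization` on every request the crawl produces, including the `robots.txt` fetch and a redirect to another host, while the per-request approach attaches the header only to requests for the host the credentials belong to (the host check is the example's own addition; Scrapy's patched releases add an `http_auth_domain` attribute for the same purpose). The crawl, credentials and hosts are constructed for the example.

```python
import base64
from dataclasses import dataclass, field
from urllib.parse import urlsplit

USER, PASSWORD = "svc-crawler", "hunter2"  # constructed credentials
AUTH_DOMAIN = "target.example"             # the only host that should see them


def basic_auth_header(username: str, password: str, encoding: str = "ISO-8859-1") -> bytes:
    """Same construction as w3lib.http.basic_auth_header: b'Basic ' + base64(user:pass)."""
    return b"Basic " + base64.b64encode(f"{username}:{password}".encode(encoding))


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def crawl() -> list:
    """Constructed crawl: the spider's own request, the robots.txt fetch Scrapy
    issues on its behalf when ROBOTSTXT_OBEY is True, and the target of a
    redirect to an unrelated host."""
    return [
        Request("https://target.example/reports"),
        Request("https://target.example/robots.txt"),
        Request("https://third-party.example/login"),
    ]


def global_http_auth(requests: list) -> list:
    """Modelled pre-fix HttpAuthMiddleware: credentials configured once on the
    spider are attached to every outgoing request regardless of destination."""
    for r in requests:
        r.headers["Authorization"] = basic_auth_header(USER, PASSWORD)
    return requests


def per_request_http_auth(requests: list, auth_domain: str) -> list:
    """The advisory's workaround with a host check: the header is set per request,
    and only when the request goes to the host the credentials belong to."""
    for r in requests:
        if r.host == auth_domain or r.host.endswith("." + auth_domain):
            r.headers["Authorization"] = basic_auth_header(USER, PASSWORD)
    return requests


def hosts_receiving_credentials(requests: list) -> list:
    """Which hosts would see the Basic credentials under a given policy."""
    return sorted({r.host for r in requests if "Authorization" in r.headers})
```

Basic credentials are reversible (base64, not a hash), so any host that receives the header holds the password; scoping the header to the intended host is the whole fix, and it has to survive redirects, which is why the check is applied per request rather than once at configuration time.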

CVE-2021-28661

Incorrect Authorization in packagist/silverstripe/secureassets

Default SilverStripe GraphQL Server (aka silverstripe/graphql) permission checker is not inherited by query subclass.

Added on 2021-10-18

CVE-2021-23447

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/teddy

A type confusion vulnerability can be used to bypass input sanitization when the model content is an array (instead of a string).

Added on 2021-10-18

CVE-2021-41824

Improper Neutralization of Formula Elements in a CSV File in packagist/craftcms/cms

Craft CMS allows CSV injection.

Added on 2021-10-14

CVE-2021-23445

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/datatables.net

This affects the package datatables.net. If an array is passed to the HTML escape entities function, its contents would not be escaped.

Added on 2021-10-13

CVE-2019-11358

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gem/jquery-rails

jQuery, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.

Added on 2021-10-13