Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.7 days (on average).

CVE-2021-3517

Improper Restriction of Operations within the Bounds of a Memory Buffer in gem/nokogiri

There is a flaw in the XML entity encoding functionality of libxml2. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Added on 2021-07-21

CVE-2021-3541

Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) in gem/nokogiri

A flaw was found in libxml2. An exponential entity expansion attack can bypass all of its existing protection mechanisms and lead to a denial of service.

Added on 2021-07-21

CVE-2021-36716

Improper Input Validation in npm/is-email

A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package for Node.js. An attacker that is able to provide crafted input to the `isEmail(input)` function may cause an application to consume an excessive amount of CPU.

Added on 2021-07-19

CVE-2021-36373

Uncontrolled Resource Consumption in maven/org.apache.ant/ant

When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant.

Added on 2021-07-17

CVE-2021-36374

Uncontrolled Resource Consumption in maven/org.apache.ant/ant

When reading a specially crafted ZIP archive, or a format derived from it, an Apache Ant build can be made to allocate large amounts of memory that leads to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used formats derived from ZIP include JAR files and many office document formats.

Added on 2021-07-17

CVE-2021-34552

Buffer Overflow in pypi/Pillow

Pillow and PIL (aka Python Imaging Library) allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in `Convert.c`.

Added on 2021-07-17

CVE-2021-33767

Improper Privilege Management in nuget/open-enclave

Open Enclave SDK Elevation of Privilege Vulnerability

Added on 2021-07-17

CVE-2021-30639

Improper Handling of Exceptional Conditions in maven/tomcat/jasper-runtime

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the `Request` object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability.

Added on 2021-07-17

CVE-2021-36383

Incorrect Authorization in npm/xo-server

Xen Orchestra mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.

Added on 2021-07-16

CVE-2021-30639

Improper Handling of Exceptional Conditions in maven/org.apache.tomcat/tomcat-coyote

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service.

Added on 2021-07-16

CVE-2021-33037

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/org.apache.tomcat/tomcat-coyote

Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.

Added on 2021-07-16

CVE-2021-30639

Improper Handling of Exceptional Conditions in maven/tomcat/catalina

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat to ; ;

Added on 2021-07-16
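
As an added illustration of the mechanism described in the CVE-2021-30639 entries above (example code, not Tomcat's): a pooled request object whose error flag survives recycling, so one dropped connection fails every later request that reuses the object, beside a recycle that resets all per-request state. The `PooledRequest` class, the `serve` loop and the traffic list are constructed for the example.

```javascript
// Added example (not Tomcat's code): a pooled request object whose error
// flag is not cleared on recycle, beside the corrected recycle().

class PooledRequest {
  constructor() {
    this.path = null;
    this.error = false; // set when a non-blocking I/O error occurs
  }

  // Buggy recycle: clears per-request state but forgets the error flag.
  recycleBuggy() {
    this.path = null;
  }

  // Fixed recycle: every piece of per-request state is reset.
  recycleFixed() {
    this.path = null;
    this.error = false;
  }
}

// Simulates a connection-processing loop that reuses one request object,
// as a container does. `events` is a constructed list of
// { path, dropConnection } items; returns the status each request produced.
function serve(events, { fixed }) {
  const req = new PooledRequest();
  const statuses = [];
  for (const ev of events) {
    req.path = ev.path;
    if (ev.dropConnection) req.error = true; // client dropped mid-write
    statuses.push(req.error ? 500 : 200);
    if (fixed) req.recycleFixed(); else req.recycleBuggy();
  }
  return statuses;
}

// Constructed traffic: one client drops its connection, then normal clients follow.
const constructedTraffic = [
  { path: '/ok', dropConnection: false },
  { path: '/drops', dropConnection: true },
  { path: '/ok', dropConnection: false },
  { path: '/ok', dropConnection: false },
];
```

With the buggy recycle the statuses come out as 200, 500, 500, 500: every request after the dropped one fails, which is the denial of service the advisory describes. With the fixed recycle the third and fourth requests succeed again.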

CVE-2021-32754

Improper Restriction of XML External Entity Reference in maven/de.tud.sse/soot-infoflow

FlowDroid is a data flow analysis tool. FlowDroid contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to be able to control the source/sink definition file.

Added on 2021-07-16

CVE-2021-25953

Prototype Pollution in npm/putil-merge

Prototype pollution vulnerability in 'putil-merge' allows an attacker to cause a denial of service and may lead to remote code execution.

Added on 2021-07-16

CVE-2021-36383

Incorrect Authorization in npm/xo-web

Xen Orchestra (with xo-web and xo-server) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.

Added on 2021-07-16

CVE-2021-23389

Code Injection in npm/total.js

The package total.js is vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.

Added on 2021-07-15

CVE-2021-23390

Code Injection in npm/total4

The package total4 is vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.

Added on 2021-07-15

CVE-2021-27293

Incorrect Comparison in nuget/RestSharp

RestSharp uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an exceedingly long time. Thus the remote server can trigger Denial of Service.

Added on 2021-07-15

CVE-2021-3637

Allocation of Resources Without Limits or Throttling in maven/org.keycloak/keycloak-model-infinispan

A flaw was found in keycloak-model-infinispan in keycloak where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.

Added on 2021-07-15

CVE-2021-3541

Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) in nuget/libxml2.vc140_xp.mt.static.x86

A flaw was found in libxml2. An exponential entity expansion attack can bypass all existing protection mechanisms and lead to a denial of service.

Added on 2021-07-13

CVE-2021-32740

Uncontrolled Resource Consumption in gem/addressable

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists within the URI template implementation in Addressable: a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

Added on 2021-07-13
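
The is-email (CVE-2021-36716), RestSharp (CVE-2021-27293) and Addressable (CVE-2021-32740) entries all describe catastrophic backtracking. The following is an added example, not code from any of those projects: a backtracking email check with a nested quantifier beside a linear rewrite, an input-length cap applied before any regex runs, and a helper that times a single match. The regexes, the 254-character cap and `attackInput` are choices made for the example.

```javascript
// Added example, not code from is-email, RestSharp or Addressable.

// Vulnerable shape: (\w+\.?)+ lets the engine split one run of word
// characters into exponentially many groupings before the mandatory '@'
// fails, so a non-matching input of n letters costs on the order of 2^n steps.
const NAIVE_EMAIL = /^(\w+\.?)+@[\w.-]+$/;

// Linear shape: a dot must separate repetitions, so each character can be
// consumed in only one way and a failure is not retried along other paths.
const SAFE_EMAIL = /^\w+(?:\.\w+)*@[\w-]+(?:\.[\w-]+)+$/;

// Cap input length before the regex runs (254 octets is the SMTP path limit;
// the cap itself is a defensive assumption, not something the advisories state).
const MAX_INPUT = 254;

function isEmailSafe(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT) return false;
  return SAFE_EMAIL.test(input);
}

// Runs one regex on one input and reports the result and the wall time in ms.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Constructed attack input: n word characters followed by a character that
// can never match, which forces the failing backtrack.
function attackInput(n) {
  return 'a'.repeat(n) + '!';
}

// Usage (not run automatically): each extra letter roughly doubles the naive
// regex's time, while the safe check stays flat.
// for (const n of [16, 18, 20, 22]) console.log(n, timeMatch(NAIVE_EMAIL, attackInput(n)).ms);
```

The length cap is the cheap mitigation that applies to any of the three packages while a patched version is pending; rewriting the expression so that no two paths can consume the same character is the real fix.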

CVE-2021-32738

Improper Authentication in npm/js-stellar-sdk

js-stellar-sdk is a JavaScript library for communicating with a Stellar Horizon server. The `Utils.readChallengeTx` function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction, including verifying that the `serverAccountID` has signed the transaction. In js-stellar-sdk, the function does not verify that the server has signed the transaction. Applications that also used `Utils.verifyChallengeTxThreshold` or `Utils.verifyChallengeTxSigners` to verify the signatures, including the server signature, on the challenge transaction are unaffected, as those functions verify that the server signed the transaction. Applications calling `Utils.readChallengeTx` should update to the first version with a patch for this vulnerability, to ensure that the challenge transaction is completely valid and signed by the server creating the challenge transaction.

Added on 2021-07-13

CVE-2021-3541

Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) in conan/libxml2

A flaw was found in libxml2. An exponential entity expansion attack can bypass all existing protection mechanisms and lead to a denial of service.

Added on 2021-07-13
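
An added example for the exponential entity expansion entries (CVE-2021-3541, three packages above) and the FlowDroid XXE entry (CVE-2021-32754): a pre-parse check that reads the internal DTD subset of a document, refuses any external (SYSTEM/PUBLIC) entity, and estimates how many bytes the general entity references in the body would expand to, rejecting the document when that exceeds a limit. This is not libxml2's or FlowDroid's code; it handles only quoted internal general entities (not parameter entities) and is meant to run before an XML parser, not instead of configuring one. The regexes, the 1 MB default limit, `checkXml` and the billion-laughs builder are all constructed for the example.

```javascript
// Added example: estimate entity expansion and refuse external entities
// before a document reaches a real XML parser. Not libxml2 or FlowDroid code.

const DOCTYPE_RE = /<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/;
const EXTERNAL_ENTITY_RE = /<!ENTITY\s+%?\s*[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b/i;
const INTERNAL_ENTITY_RE = /<!ENTITY\s+([\w.:-]+)\s+(["'])([\s\S]*?)\2\s*>/g;
const ENTITY_REF_RE = /&([\w.:-]+);/g;

function parseInternalEntities(subset) {
  const entities = new Map();
  for (const m of subset.matchAll(INTERNAL_ENTITY_RE)) entities.set(m[1], m[3]);
  return entities;
}

// Length of `text` after every known entity reference is fully expanded.
// `memo` keeps the work linear in the number of entities even for a
// billion-laughs tree; `stack` catches recursive definitions.
function expandedLength(text, entities, memo = new Map(), stack = new Set()) {
  let total = 0;
  let last = 0;
  for (const m of text.matchAll(ENTITY_REF_RE)) {
    total += m.index - last;
    last = m.index + m[0].length;
    const name = m[1];
    if (!entities.has(name)) { total += m[0].length; continue; } // built-in or unknown: left as written
    if (stack.has(name)) throw new Error(`recursive entity reference: ${name}`);
    if (!memo.has(name)) {
      stack.add(name);
      memo.set(name, expandedLength(entities.get(name), entities, memo, stack));
      stack.delete(name);
    }
    total += memo.get(name);
  }
  return total + (text.length - last);
}

// Returns { ok, reason, estimatedBytes } for a document.
function checkXml(doc, { maxExpansion = 1_000_000 } = {}) {
  const dt = DOCTYPE_RE.exec(doc);
  if (!dt) return { ok: true, reason: 'no internal DTD subset', estimatedBytes: doc.length };
  const subset = dt[1];
  if (EXTERNAL_ENTITY_RE.test(subset)) {
    return { ok: false, reason: 'external entity declared', estimatedBytes: 0 };
  }
  const entities = parseInternalEntities(subset);
  const body = doc.slice(dt.index + dt[0].length);
  let estimatedBytes;
  try {
    estimatedBytes = expandedLength(body, entities);
  } catch (e) {
    return { ok: false, reason: e.message, estimatedBytes: 0 };
  }
  if (estimatedBytes > maxExpansion) {
    return { ok: false, reason: `entity expansion of ${estimatedBytes} bytes exceeds limit`, estimatedBytes };
  }
  return { ok: true, reason: 'within limits', estimatedBytes };
}

// Constructed billion-laughs document: a 10-ary tree `depth` levels deep.
function billionLaughs(depth = 9) {
  let decls = '<!ENTITY lol "lol">';
  for (let i = 1; i <= depth; i++) {
    const prev = i === 1 ? 'lol' : `lol${i - 1}`;
    decls += `<!ENTITY lol${i} "${`&${prev};`.repeat(10)}">`;
  }
  return `<?xml version="1.0"?><!DOCTYPE lolz [${decls}]><lolz>&lol${depth};</lolz>`;
}
```

The estimate for the classic nine-level document is about 3 GB from a few hundred bytes of input, which is exactly the ratio a parser's own amplification limit (or this pre-check) needs to catch; a document with a SYSTEM entity is refused outright, which is the XXE case.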

CVE-2020-23700

Cross-site Scripting in packagist/lavalite/cms

Cross Site Scripting (XSS) vulnerability in LavaLite-CMS via the Menu Links feature.

Added on 2021-07-13

CVE-2021-29479

HTTP Request Smuggling in maven/io.ratpack/ratpack-core

A user-supplied `X-Forwarded-Host` header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the `X-Forwarded-Host` header. Users are only vulnerable if they do not configure a custom `PublicAddress` instance: by default, Ratpack utilizes an inferring version of `PublicAddress`, which is vulnerable. This can be used to perform redirect cache poisoning, where an attacker can force a cached redirect to point to their site instead of the intended redirect location. The vulnerability was patched in Ratpack. As a workaround, ensure that `ServerConfigBuilder::publicAddress` correctly configures the server in production.

Added on 2021-07-12
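
An added model of the CVE-2021-29479 scenario, not Ratpack's code: a handler that builds an absolute redirect from an inferred public address, a shared cache in front of it keyed on the path only, and both fixes the entry names (an operator-configured public address, or a cache key that includes `X-Forwarded-Host`). `inferPublicAddress`, `handleLogin`, `FrontCache`, `simulate` and the request headers are constructed for the example.

```javascript
// Added example (not Ratpack code): redirect cache poisoning via X-Forwarded-Host.

// Naive inference of the externally visible origin: trusts X-Forwarded-Host,
// which a proxy sets but any client can also send directly.
function inferPublicAddress(headers) {
  const host = headers['x-forwarded-host'] || headers['host'];
  const proto = headers['x-forwarded-proto'] || 'http';
  return `${proto}://${host}`;
}

// Handler for /login: a 302 to an absolute URL built from the public address.
// `publicAddress` is the operator-configured value; null means "infer it".
function handleLogin(headers, publicAddress) {
  const base = publicAddress || inferPublicAddress(headers);
  return { status: 302, location: `${base}/login/form` };
}

// Minimal shared cache sitting in front of the application.
class FrontCache {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.store = new Map();
  }
  fetch(path, headers, origin) {
    const key = this.keyFn(path, headers);
    if (!this.store.has(key)) this.store.set(key, origin(headers));
    return this.store.get(key);
  }
}

// Attacker request first, then a victim on the same path; returns the
// Location header the victim receives.
function simulate({ publicAddress, cacheKey }) {
  const cache = new FrontCache(cacheKey);
  const origin = (h) => handleLogin(h, publicAddress);
  // Constructed attacker request carrying a forged X-Forwarded-Host.
  cache.fetch('/login', { host: 'app.example', 'x-forwarded-host': 'evil.example' }, origin);
  // Constructed victim request a moment later, no forged header.
  return cache.fetch('/login', { host: 'app.example' }, origin).location;
}

const keyOnPath = (path) => path;
const keyOnPathAndForwardedHost = (path, h) => `${path}|${h['x-forwarded-host'] || ''}`;
```

With inference and a path-only key the victim is sent to evil.example; a configured public address removes the attacker's influence over the redirect, and keying the cache on the header at least stops the poisoned entry from being served to anyone who did not send it.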

CVE-2021-29485

Deserialization of Untrusted Data in maven/io.ratpack/ratpack-core

Ratpack is a toolkit for creating web applications. In affected versions, an attacker can achieve Remote Code Execution (RCE) via a maliciously crafted Java deserialization gadget chain leveraged against the Ratpack session store. If one's application does not use Ratpack's session mechanism, it is not vulnerable. The patched release of Ratpack introduces a strict allow-list mechanism that mitigates this vulnerability when used. Two possible workarounds exist. The simplest mitigation for users of earlier versions is to reduce the likelihood of attackers being able to write to the session data store. Alternatively or additionally, the allow-list mechanism could be manually back-ported by providing an alternative implementation of `SessionSerializer` that uses an allow-list.

Added on 2021-07-12

CVE-2021-29480

Use of Insufficiently Random Values in maven/io.ratpack/ratpack-core

Ratpack is a toolkit for creating web applications. In affected versions, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use, as an application restart renders all sessions invalid and it is not multi-host compatible, but its use is not actively prevented. As of the patched release, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation's recommendation.

Added on 2021-07-12

CVE-2021-25952

Improperly Controlled Modification of Dynamically-Determined Object Attributes in npm/just-safe-set

Prototype pollution vulnerability in 'just-safe-set' allows an attacker to cause a denial of service and may lead to remote code execution.

Added on 2021-07-12

CVE-2021-32659

Missing Authentication for Critical Function in npm/matrix-appservice-bridge

If a bridge has room upgrade handling turned on in the configuration (the `roomUpgradeOpts` key when instantiating a new `Bridge` instance), any `m.room.tombstone` event it encounters will be used to unbridge the current room and bridge into the target room.

Added on 2021-07-12

CVE-2021-32736

Improperly Controlled Modification of Dynamically-Determined Object Attributes in npm/think-helper

think-helper defines a set of helper functions for ThinkJS. The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Added on 2021-07-12

CVE-2021-26920

Incorrect Authorization in maven/org.apache.druid/druid

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.

Added on 2021-07-12

CVE-2021-35331

Use of Externally-Controlled Format String in conan/tcl

In Tcl, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file.

Added on 2021-07-12

CVE-2021-20750

Cross-site Scripting in packagist/ec-cube/ec-cube

Cross-site scripting vulnerability in EC-CUBE EC-CUBE to (EC-CUBE 3 series) and EC-CUBE to (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.

Added on 2021-07-12

CVE-2021-35440

Cross-site Scripting in gem/smashing

Smashing is vulnerable to Cross Site Scripting (XSS). A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. Depending on the user environment (e.g. if internal URLs are reused for deploying, or cookies are very permissive), the JavaScript code can then steal data available in the session/cookies and private information may be retrieved by the attacker.

Added on 2021-07-12

CVE-2021-32559

Integer Overflow or Wraparound in pypi/pywin32

When adding an access control entry (ACE) to an access control list (ACL) that would cause the size to be greater than bytes. An attacker who successfully exploited this vulnerability could crash the vulnerable process.

Added on 2021-07-12

CVE-2021-35042

SQL Injection in pypi/Django

Django allows `QuerySet.order_by` SQL injection if `order_by` is untrusted input from a client of a web application.

Added on 2021-07-12

CVE-2021-23401

URL Redirection to Untrusted Site (Open Redirect) in pypi/Flask-User

When using the `make_safe_url` function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes.

Added on 2021-07-12
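
An added example for the CVE-2021-23401 entry, not Flask-User's code: why a redirect validator that only rejects absolute and `//`-prefixed targets is bypassed by backslashes, shown by resolving the target with Node's `URL` class (the same WHATWG parsing browsers use), and a validator that normalises backslashes and confirms the resolved origin. `APP_ORIGIN`, `naiveIsLocal`, `safeIsLocal` and the sample targets are constructed for the example.

```javascript
// Added example (not Flask-User code): backslash bypass of a redirect check.

const APP_ORIGIN = 'https://app.example'; // assumed site origin

// Naive: reject absolute URLs (scheme:) and protocol-relative //host only.
function naiveIsLocal(target) {
  return !/^[a-z][a-z0-9+.-]*:/i.test(target) && !target.startsWith('//');
}

// Where a browser actually goes after a redirect to `target`.
function browserDestination(target) {
  return new URL(target, APP_ORIGIN).href;
}

// Hardened: browsers treat backslashes as slashes, so normalise them first;
// accept only a single-slash-rooted path, then confirm by resolving it that
// the origin is unchanged.
function safeIsLocal(target) {
  if (typeof target !== 'string') return false;
  const norm = target.replace(/\\/g, '/');
  if (!norm.startsWith('/') || norm.startsWith('//')) return false;
  let resolved;
  try {
    resolved = new URL(norm, APP_ORIGIN);
  } catch (e) {
    return false;
  }
  return resolved.origin === APP_ORIGIN;
}

function safeRedirectTarget(target, fallback = '/') {
  return safeIsLocal(target) ? target : fallback;
}
```

`\\evil.example` and `/\evil.example` both pass the naive check yet resolve to `https://evil.example/`; `///evil.example` is the same trick without backslashes, which is why the hardened check rejects anything that starts with two slashes after normalisation rather than looking for specific characters.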

CVE-2021-20778

Improper Access Control in packagist/ec-cube/ec-cube

Improper access control vulnerability in EC-CUBE (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors.

Added on 2021-07-12

CVE-2021-3598

Improper Restriction of Operations within the Bounds of a Memory Buffer in conan/openexr

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.

Added on 2021-07-12

CVE-2021-20751

Cross-site Scripting in packagist/ec-cube/ec-cube

Cross-site scripting vulnerability in EC-CUBE allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.

Added on 2021-07-09

CVE-2021-29481

Cleartext Storage of Sensitive Information in maven/io.ratpack/ratpack-core

Ratpack is a toolkit for creating web applications. In affected versions, the default configuration of client side sessions results in unencrypted, but signed, data being set as cookie values. This means that if something sensitive goes into the session, it could be read by something with access to the cookies. For this to be a vulnerability, some kind of sensitive data would need to be stored in the session and the session cookie would have to leak: for example, if the cookies are not configured with httpOnly and an adjacent XSS vulnerability within the site allows capture of the cookies. As of the patched release, a securely randomly generated signing key is used. As a workaround, one may supply an encryption key, as per the documentation recommendation.

Added on 2021-07-09