Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.7 days (on average).

CVE-2020-16254

Injection Vulnerability in gem/chartkick

The Chartkick gem for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute).

Added on 2020-08-07

CVE-2020-8192

Uncontrolled Resource Consumption in npm/fastify

A denial of service vulnerability exists in Fastify that allows a malicious user to trigger resource exhaustion (when the `allErrors` option is used) with specially crafted schemas.

Added on 2020-08-07

CVE-2020-16252

Cross-Site Request Forgery (CSRF) in gem/field_test

The Field Test gem for Ruby allows CSRF.

Added on 2020-08-06

CVE-2020-16253

Cross-Site Request Forgery (CSRF) in gem/pghero

The PgHero gem allows CSRF.

Added on 2020-08-06

CVE-2020-15086

Deserialization of Untrusted Data in packagist/friendsoftypo3/mediace

In TYPO3 installations with the `mediace` extension, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data that carries a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one `Extbase` plugin or module action in a TYPO3 installation.

Added on 2020-08-06

CVE-2020-15098

Deserialization of Untrusted Data in packagist/typo3/cms

In TYPO3 CMS, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data that carries a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization and remote code execution. The overall severity of this vulnerability is high based on the mentioned attack chains and the requirement of having a valid backend user session (authenticated).

Added on 2020-08-06

CVE-2020-16165

SQL Injection in maven/org.springblade/blade-core-log

The DAO/DTO implementation in SpringBlade allows SQL Injection in an ORDER BY clause. This is related to the `/api/blade-log/api/list` `ascs` and `desc` parameters.

Added on 2020-08-06

CVE-2020-15099

Improper Input Validation in packagist/typo3/cms

In TYPO3 CMS, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1), it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch `typo3conf/LocalConfiguration.php`, which again contains the `encryptionKey` as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows the ability to completely retrieve, manipulate or delete database contents. This includes creating an administration user account which can be used to trigger remote code execution by injecting custom extensions.

Added on 2020-08-06

CVE-2020-8552

Allocation of Resources Without Limits or Throttling in go/github.com/kubernetes/kubernetes

The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.

Added on 2020-08-05

CVE-2020-8559

URL Redirection to Untrusted Site (Open Redirect) in go/github.com/kubernetes/kubernetes

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Added on 2020-08-05

CVE-2020-8553

Externally Controlled Reference to a Resource in Another Sphere in go/github.com/kubernetes/ingress-nginx

The Kubernetes ingress-nginx component allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses `nginx.ingress.kubernetes.io/auth-type`.

Added on 2020-08-05

CVE-2020-15128

Reliance on Cookies without Validation and Integrity Checking in packagist/october/october

In OctoberCMS, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them.

Added on 2020-08-05

CVE-2020-15125

Information Exposure Through an Error Message in npm/auth0-js

In auth0 (npm package), a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for the Authorization header is not sanitized, and in certain cases the Authorization header value can be logged, exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package and you are using a Machine to Machine application authorized to use Auth0's management API.

Added on 2020-08-05

CVE-2020-15131

Incorrect Comparison in npm/slp-validate

In SLP Validate (npm package slp-validate), there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.

Added on 2020-08-05

CVE-2020-14316

Improper Privilege Management in go/github.com/kubevirt/kubevirt

Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Added on 2020-08-05

CVE-2020-7699

Injection Vulnerability in npm/express-fileupload

This affects the package express-fileupload. If the `parseNested` option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

Added on 2020-08-05

CVE-2020-7694

Injection Vulnerability in pypi/uvicorn

The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it has been processed with `urllib.parse.unquote`, therefore converting any percent-encoded characters into their single-character equivalents, which can have special meaning in terminal emulators.

Added on 2020-08-05

CVE-2020-8551

Allocation of Resources Without Limits or Throttling in go/github.com/kubernetes/kubelet

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Added on 2020-08-04

CVE-2020-15130

Incorrect Comparison in npm/slpjs

In SLPJS (npm package slpjs), there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.

Added on 2020-08-04

CVE-2020-13997

Insufficiently Protected Credentials in packagist/shopware/shopware

In Shopware, the database password is leaked to an unauthenticated user when a `DriverException` occurs and verbose error handling is enabled.

Added on 2020-08-03

CVE-2020-7698

Injection Vulnerability in pypi/gerapy

Gerapy suffers from an OS command injection vulnerability. Unsanitized input is passed to `Popen` via the `project_configure` endpoint.

Added on 2020-08-03

CVE-2020-13970

Server-Side Request Forgery (SSRF) in packagist/shopware/shopware

Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

Added on 2020-08-03

CVE-2020-13971

Cross-site Scripting in packagist/shopware/shopware

In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.

Added on 2020-08-03

CVE-2020-8557

Uncontrolled Resource Consumption in go/github.com/kubernetes/kubelet

The `/etc/hosts` file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the `/etc/hosts` file, it could fill the storage space of the node and cause the node to fail.

Added on 2020-07-31

CVE-2020-16095

Cross-site Scripting in packagist/kitodo/presentation

The dlf (aka `Kitodo.Presentation`) for TYPO3 allows XSS.

Added on 2020-07-31

CVE-2020-15945

Buffer Overflow in conan/lua

Lua has a segmentation fault in `changedline` in `ldebug.c` (e.g., when called by `luaG_traceexec`) because it incorrectly expects that an `oldpc` value is always updated upon a return of the flow of control to a function.

Added on 2020-07-31

CVE-2020-15881

Cross-site Scripting in packagist/munkireport/munki_facts

A Cross-Site Scripting (XSS) vulnerability in the `munki_facts` (aka Munki Conditions) module for `MunkiReport` allows remote attackers to inject arbitrary web script or HTML via the key name.

Added on 2020-07-31

CVE-2020-8558

Improper Authentication in go/github.com/kubernetes/kube-proxy

kube-proxy was found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defect, it could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

Added on 2020-07-31

CVE-2020-7697

Injection Vulnerability in npm/mock2easy

A malicious user could inject commands through the `_data` variable.

Added on 2020-07-31

CVE-2020-9692

Incorrect Authorization in packagist/magento/community-edition

Magento has a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

Added on 2020-07-31

CVE-2020-9689

Path Traversal in packagist/magento/community-edition

Magento has a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.

Added on 2020-07-31

CVE-2020-15953

Injection Vulnerability in npm/libetpan

LibEtPan has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a `begin TLS` response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka `response injection`.

Added on 2020-07-31

CVE-2020-15111

Injection Vulnerability in go/github.com/gofiber/fiber

In Fiber, the filename that is given in `c.Attachment()` is not escaped, and is therefore vulnerable to a CRLF injection attack. An attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to `ctx.Attachment()`.

Added on 2020-07-31

CVE-2020-9690

Information Exposure Through Discrepancy in packagist/magento/community-edition

Magento has an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

Added on 2020-07-31

CVE-2020-7695

Injection Vulnerability in pypi/uvicorn

Uvicorn is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

Added on 2020-07-30

CVE-2020-15092

Cross-site Scripting in npm/@knight-lab/timelinejs

In TimelineJS, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file.

Added on 2020-07-30

CVE-2020-7685

Insecure Default Initialization of Resource in nuget/umbracoforms

This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.

Added on 2020-07-30

CVE-2020-9691

Cross-site Scripting in packagist/magento/community-edition

Magento has a DOM-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.

Added on 2020-07-30

CVE-2020-15118

Cross-site Scripting in pypi/wagtail

When a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as `form.as_p`, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation.

Added on 2020-07-30

CVE-2020-15904

Out-of-bounds Write in pypi/bsdiff4

A buffer overflow in the patching routine of bsdiff4 allows an attacker to write to heap memory (beyond allocated bounds) via a crafted patch file.

Added on 2020-07-30

CVE-2020-15126

Incorrect Authorization in npm/parse-server

In parse-server, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

Added on 2020-07-30

CVE-2020-7686

Path Traversal in npm/rollup-plugin-dev-server

This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in the `readFile` operation inside the `readFileFromContentBase` function.

Added on 2020-07-29

CVE-2020-15886

SQL Injection in packagist/munkireport/reportdata

An SQL injection vulnerability in `reportdata_controller.php` in the reportdata module for MunkiReport allows attackers to execute arbitrary SQL commands via the `req` parameter of the `/module/reportdata/ip` endpoint.

Added on 2020-07-29

CVE-2020-7681

Path Traversal in npm/marscode

This affects all versions of the marscode package. There is no path sanitization for the path provided in `fs.readFile` of `index.js`.

Added on 2020-07-29

CVE-2020-15885

Cross-site Scripting in packagist/munkireport/comment

A Cross-Site Scripting (XSS) vulnerability in the comment module for MunkiReport allows remote attackers to inject arbitrary web script or HTML by posting a new comment.

Added on 2020-07-29

CVE-2020-15391

Improper Authentication in npm/devspace

The UI in DevSpace allows web-sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution.

Added on 2020-07-29

CVE-2020-15123

OS Command Injection in npm/codecov

In codecov (npm package), the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued, but the fix was incomplete: it only blocked `&`, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in this case, particularly in the standard use of codecov, where the module is used directly in a build pipeline rather than built against as a library in another application that may supply malicious input and perform command injection.

Added on 2020-07-29

CVE-2020-7683

Path Traversal in npm/rollup-plugin-server

This affects all versions of package rollup-plugin-server. There is no path sanitization in the `readFile` operation performed inside the `readFileFromContentBase` function.

Added on 2020-07-29

CVE-2020-7682

Path Traversal in npm/marked-tree

This affects all versions of the marked-tree package. There is no path sanitization for the path provided in `fs.readFile` of `index.js`.

Added on 2020-07-29

CVE-2020-6165

Incorrect Default Permissions in packagist/silverstripe/graphql

The automatic permission-checking mechanism in the `silverstripe/graphql` module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the `admin/graphql` endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through `admin/graphql` requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under `/graphql`), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records.

Added on 2020-07-28

CVE-2020-9309

Unrestricted Upload of File with Dangerous Type in packagist/silverstripe/mimevalidator

Silverstripe CMS can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.

Added on 2020-07-28

CVE-2020-14000

Deserialization of Untrusted Data in npm/scratch-vm

MIT Lifelong Kindergarten Scratch scratch-vm loads extension URLs from untrusted `project.json` files with certain `_` characters, resulting in remote code execution because the URL content is treated as a script and is executed as a worker. The responsible code is `getExtensionIdForOpcode` in `serialization/sb3.js`. The use of `_` is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented.

Added on 2020-07-28

CVE-2020-9311

Cross-site Scripting in packagist/silverstripe/framework

In SilverStripe, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.

Added on 2020-07-28

CVE-2020-8175

Uncontrolled Resource Consumption in npm/jpeg-js

Uncontrolled resource consumption in `jpeg-js` allows an attacker to launch denial of service attacks using a specially crafted JPEG image.

Added on 2020-07-28

CVE-2020-8559

URL Redirection to Untrusted Site (Open Redirect) in go/github.com/kubernetes/apimachinery

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Added on 2020-07-28

CVE-2020-15107

Covert Channel in nuget/open-enclave

In openenclave, enclaves that use x87 FPU operations are vulnerable to tampering by a malicious host application. By violating the Linux System V Application Binary Interface (ABI) for such operations, a host app can compromise the execution integrity of some x87 FPU operations in an enclave. Depending on the FPU control configuration of the enclave app and whether the operations are used in secret-dependent execution paths, this vulnerability may also be used to mount a side-channel attack on the enclave.

Added on 2020-07-28

CVE-2020-15883

Cross-site Scripting in packagist/munkireport/managedinstalls

A Cross-Site Scripting (XSS) vulnerability in the managedinstalls module for MunkiReport allows remote attackers to inject arbitrary web script or HTML via the last two URL parameters (through which installed packages names and versions are reported).

Added on 2020-07-28

CVE-2020-7687

Path Traversal in npm/fast-http

This affects all versions of package fast-http. There is no path sanitization in the path provided at `fs.readFile` in `index.js`.

Added on 2020-07-28

CVE-2020-2226

Cross-site Scripting in maven/org.jenkins-ci.plugins/matrix-auth

Jenkins Matrix Authorization Strategy Plugin does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.

Added on 2020-07-28

CVE-2020-15887

SQL Injection in packagist/munkireport/softwareupdate

An SQL injection vulnerability in `softwareupdate_controller.php` in the Software Update module for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the `/module/softwareupdate/get_tab_data/` endpoint.

Added on 2020-07-28

CVE-2020-2228

Improper Privilege Management in maven/org.jenkins-ci.plugins/gitlab-oauth

Jenkins Gitlab Authentication Plugin does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.

Added on 2020-07-27

CVE-2020-8203

Object Prototype Pollution in npm/lodash

Prototype pollution attack when using `_.zipObjectDeep` in lodash.

Added on 2020-07-27

CVE-2020-2227

Cross-site Scripting in maven/org.jenkins-ci.plugins/deployer-framework

Jenkins Deployer Framework Plugin does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.

Added on 2020-07-27

CVE-2020-6164

Information Exposure in packagist/silverstripe/framework

In SilverStripe, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).

Added on 2020-07-27

CVE-2020-9665

Cross-site Scripting in packagist/magento/community-edition

Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

Added on 2020-07-27

CVE-2020-11981

OS Command Injection in pypi/apache-airflow

An issue was found in Apache Airflow. When using `CeleryExecutor`, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.

Added on 2020-07-27

CVE-2020-15366

Improper Input Validation in npm/ajv

An issue was discovered in `ajv.validate()` in Ajv (aka Another JSON Schema Validator). A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Added on 2020-07-27

CVE-2020-11982

Deserialization of Untrusted Data in pypi/apache-airflow

An issue was found in Apache Airflow. When using `CeleryExecutor`, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly into the broker, which could lead to a deserialization attack (and thus remote code execution) on the Worker.

Added on 2020-07-27

CVE-2020-9664

Code Injection in packagist/magento/community-edition

Magento has a PHP object injection vulnerability. Successful exploitation could lead to arbitrary code execution.

Added on 2020-07-27

CVE-2020-15889

Out-of-bounds Read in conan/lua

Lua has a heap-based buffer over-read in `lgc.c`.

Added on 2020-07-27

CVE-2020-15779

Path Traversal in npm/socket.io-file

A Path Traversal issue was discovered in the socket.io-file package for Node.js. The `socket.io-file::createFile` message uses `path.join` with `../` in the name option, and the `uploadDir` and rename options determine the path.

Added on 2020-07-27

CVE-2020-15888

Buffer Overflow in conan/lua

Lua mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

Added on 2020-07-27