Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.9 days (on average).

CVE-2022-22817

Improper Control of Generation of Code ('Code Injection') in pypi/Pillow

`PIL.ImageMath.eval` in Pillow allows evaluation of arbitrary expressions, such as ones that use the Python `exec` method.

Added on 2022-01-21

CVE-2022-23118

Improper Privilege Management in maven/ru.yandex.jenkins.plugins.debuilder/debian-package-builder

Jenkins Debian Package Builder Plugin implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller.

Added on 2022-01-21

CVE-2022-22815

Improper Initialization in pypi/Pillow

`path_getbbox` in `path.c` in Pillow improperly initializes `ImagePath.Path`.

Added on 2022-01-21

CVE-2021-21408, GHSA-4h9c-v5vg-5m6m

Improper Input Validation in packagist/smarty/smarty

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. A vulnerability was found that may allow template authors to run restricted static PHP methods.

Added on 2022-01-21

CVE-2022-0198

Improper Restriction of XML External Entity Reference in maven/edu.stanford.nlp/stanford-corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Added on 2022-01-21

CVE-2021-29454, GHSA-29gp-2c3m-3j6m

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in packagist/smarty/smarty

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string.

Added on 2022-01-21

CVE-2022-21676, GHSA-273r-mgr4-v34f

Improper Check for Unusual or Exceptional Conditions in npm/engine.io

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

Added on 2022-01-21

CVE-2022-22816

Out-of-bounds Read in pypi/Pillow

`path_getbbox` in `path.c` in Pillow has a buffer over-read during initialization of `ImagePath.Path`.

Added on 2022-01-21

CVE-2022-0174

Improper Input Validation in packagist/dolibarr/dolibarr

dolibarr is vulnerable to Business Logic Errors

Added on 2022-01-21

CVE-2021-36410

Out-of-bounds Write in conan/libde265

A stack-buffer-overflow exists in libde265 via `fallback-motion.cc` in function `put_epel_hv_fallback` when running program `dec265`.

Added on 2022-01-21

CVE-2021-44648

Out-of-bounds Write in conan/gdk-pixbuf

GNOME gdk-pixbuf is vulnerable to a heap-buffer overflow vulnerability when decoding the LZW compressed stream of image data in GIF files with an LZW minimum code size equal to `12`.

Added on 2022-01-21

CVE-2021-36409

Reachable Assertion in conan/libde265

There is an Assertion `scaling_list_pred_matrix_id_delta==1` failed at `sps.cc:925` in libde265 when decoding a file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.

Added on 2022-01-21

CVE-2022-22844

Out-of-bounds Read in conan/libtiff

LibTIFF has an out-of-bounds read in `_TIFFmemcpy` in `tif_unix.c` in certain situations involving a custom tag and `0x0200` as the second word of the `DE` field.

Added on 2022-01-21

CVE-2021-36411

Out-of-bounds Read in conan/libde265

An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function `derive_boundaryStrength` of `deblock.cc` has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.

Added on 2022-01-21

CVE-2021-36408

Use After Free in conan/libde265

There is a Heap-use-after-free in `intrapred.h` when decoding a file using `dec265`.

Added on 2022-01-21

CVE-2021-43816, GHSA-mvff-h3cj-wj9c

Improper Preservation of Permissions in go/github.com/containerd/containerd

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via `hostPath` volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the `hostPath` volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved. Users are advised to upgrade as soon as possible.

Added on 2022-01-20

CVE-2021-22569

Denial Of Service in maven/com.google.protobuf/protobuf-kotlin

An issue in protobuf-java allowed the interleaving of `com.google.protobuf.UnknownFieldSet` fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Added on 2022-01-19

CVE-2021-35452

Out-of-bounds Read in conan/libde265

An Out-of-bounds Read vulnerability exists in libde265 due to a SEGV in `slice.cc`.

Added on 2022-01-19

CVE-2022-23106

Observable Discrepancy in maven/io.jenkins/configuration-as-code

Jenkins Configuration as Code Plugin used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

Added on 2022-01-19

CVE-2022-0224

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/dolibarr/dolibarr

dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

Added on 2022-01-19

CVE-2022-0087

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/keystone

keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2022-01-19

CVE-2021-43297

Deserialization of Untrusted Data in maven/org.apache.dubbo/dubbo

A deserialization vulnerability existed in dubbo hessian-lite and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, it logs some information for users, which may cause remote command execution.

Added on 2022-01-19

CVE-2022-20612

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.main/jenkins-core

A cross-site request forgery (CSRF) vulnerability in Jenkins allows attackers to trigger a build of a job without parameters when no security realm is set.

Added on 2022-01-19

CVE-2022-20620

Exposure of Resource to Wrong Sphere in maven/org.jenkins-ci.plugins/ssh-agent

Missing permission checks in Jenkins SSH Agent Plugin allow attackers with `Overall/Read` access to enumerate credentials IDs of credentials stored in Jenkins.

Added on 2022-01-19

CVE-2022-20617

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.jenkins-ci.plugins/docker-commons

Jenkins Docker Commons Plugin does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with `Item/Configure` permission or able to control the contents of a previously configured job's SCM repository.

Added on 2022-01-19

CVE-2022-23108

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.plugins/badge

Jenkins Badge Plugin does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with `Item/Configure` permission.

Added on 2022-01-19

CVE-2022-20615

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.plugins/matrix-project

Jenkins Matrix Project Plugin does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with `Agent/Configure` permission.

Added on 2022-01-19

CVE-2021-22569

Denial of Service in maven/com.google.protobuf/protobuf-java

An issue in protobuf-java allowed the interleaving of `com.google.protobuf.UnknownFieldSet` fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Added on 2022-01-17

CVE-2021-22569

Denial of Service in gem/google-protobuf

An issue in protobuf-java (JRuby gem) allowed the interleaving of `com.google.protobuf.UnknownFieldSet` fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Added on 2022-01-16

CVE-2021-43999

Improper Authentication in maven/org.apache.guacamole/guacamole-common

Apache Guacamole does not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.

Added on 2022-01-16

CVE-2021-41767

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.guacamole/guacamole-common

Apache Guacamole may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

Added on 2022-01-16

CVE-2021-44528

URL Redirection to Untrusted Site ('Open Redirect') in gem/rails

An open redirect vulnerability exists in Action Pack: an attacker-crafted `X-Forwarded-Host` header, in combination with certain `allowed host` formats, can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Added on 2022-01-16

CVE-2021-44878

Improper Verification of Cryptographic Signature in maven/org.pac4j/pac4j-saml

Pac4j v5.1 allows (by default) clients to accept and successfully validate ID Tokens with `none` algorithm (i.e., tokens with no signature) which is not secure and violates the OpenID Core Specification. The `none` algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using `none` as the value of `alg` key in the header with an empty signature value.

Added on 2022-01-16

CVE-2022-0179

Incorrect Default Permissions in packagist/snipe/snipe-it

snipe-it is vulnerable to Improper Access Control

Added on 2022-01-16

CVE-2021-46050

Out-of-bounds Write in npm/binaryen

A Stack Overflow vulnerability exists in Binaryen via the printf_common function.

Added on 2022-01-14

CVE-2021-27738

Server-Side Request Forgery (SSRF) in maven/org.apache.kylin/kylin

All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints do not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin 3

Added on 2022-01-14

CVE-2021-45458

Inadequate Encryption Strength in maven/org.apache.kylin/kylin

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.

Added on 2022-01-14

CVE-2022-21647, GHSA-w6jr-wj64-mc9x

Deserialization of Untrusted Data in packagist/codeigniter4/framework

CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade are advised not to use the `old()` function and form_helper, nor `RedirectResponse::withInput()` and `redirect()->withInput()`.

Added on 2022-01-14

CVE-2021-45456

Improper Neutralization of Special Elements used in a Command ('Command Injection') in maven/org.apache.kylin/kylin

Apache Kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kyl

Added on 2022-01-14

CVE-2021-23594

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/realms-shim

All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.

Added on 2022-01-14

CVE-2021-23543

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/realms-shim

All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.

Added on 2022-01-14

CVE-2021-46054

Reachable Assertion in npm/binaryen

A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*).

Added on 2022-01-14

CVE-2021-46048

Reachable Assertion in npm/binaryen

A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::WasmBinaryBuilder::readFunctions.

Added on 2022-01-14

CVE-2021-36774

Exposure of Resource to Wrong Sphere in maven/org.apache.kylin/kylin

Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions.

Added on 2022-01-14

CVE-2021-46055

Reachable Assertion in npm/binaryen

A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*).

Added on 2022-01-14

CVE-2021-45457

Insufficiently Protected Credentials in maven/org.apache.kylin/kylin

In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.

Added on 2022-01-14

CVE-2021-46053

Improper Restriction of Operations within the Bounds of a Memory Buffer in npm/binaryen

A Denial of Service vulnerability exists in Binaryen. The program terminates with signal SIGKILL.

Added on 2022-01-14

CVE-2022-21648, GHSA-36m2-8rhx-f36j

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/latte/latte

Latte is an open source template engine for PHP. Users unable to upgrade should not accept template input from untrusted sources.

Added on 2022-01-14

GHSA-7p8f-8hjm-wm92, CVE-2022-21646

Lookup operations do not take into account wildcards in SpiceDB in go/github.com/authzed/spicedb

SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as "accessible" if it is *not* accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In `v1.3.0`, the wildcard is ignored entirely in lookup's dispatch, resulting in the `banned` wildcard being ignored in the exclusion. contains a patch for this issue. As a workaround, don't make use of wildcards on the right side of intersections or within exclusions.

Added on 2022-01-14

CVE-2021-46163

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nuget/Kentico.Libraries

Kentico Xperience allows XSS via an XML document to the Media Libraries subsystem.

Added on 2022-01-14

GHSA-hx7c-qpfq-xcrp, CVE-2021-44649

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/django-cms

Django CMS does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.

Added on 2022-01-14

CVE-2021-46052

Reachable Assertion in npm/binaryen

A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::Tuple::validate.

Added on 2022-01-14

GHSA-74fj-2j2h-c42q, CVE-2022-0155

Exposure of Private Personal Information to an Unauthorized Actor in npm/follow-redirects

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Added on 2022-01-13

CVE-2021-36738

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.portals.pluto/pluto-container

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to of the applicant-mvcbean-cdi-jsp-portlet.war artifact

Added on 2022-01-13

GHSA-hrgx-7j6v-xj82, CVE-2022-0087

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@keystone-next/auth

keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2022-01-13

GHSA-r478-c2pc-m7gx, CVE-2022-22846

DNS reply verification issue in dnslib in pypi/dnslib

The dnslib package for Python does not verify that the ID value in a DNS reply matches an ID value in a query.

Added on 2022-01-13

CVE-2021-36737

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.portals.pluto/pluto-container

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to of the v3-demo-portlet.war artifact

Added on 2022-01-13

CVE-2021-40525

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.jamesframework/james

The Apache James ManagedSieve implementation, together with the file storage for Sieve scripts, is vulnerable to path traversal, allowing reading and writing of any file. This vulnerability had been patched in Apache James and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.

Added on 2022-01-13

CVE-2021-40111

Loop with Unreachable Exit Condition ('Infinite Loop') in maven/org.jamesframework/james

In Apache James, while fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops, resulting in expensive CPU computations and OutOfMemory exceptions. This vulnerability had been patched in Apache James and higher. We recommend the upgrade.

Added on 2022-01-13

CVE-2021-38542

Improper Neutralization of Special Elements used in a Command ('Command Injection') in maven/org.jamesframework/james

Apache James prior to release is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information.

Added on 2022-01-13

CVE-2021-40110

Regular expression Denial of Service in maven/org.jamesframework/james

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

Added on 2022-01-13

CVE-2021-23574

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/js-data

All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions.

Added on 2022-01-13

CVE-2021-45452

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/Django

Storage.save in Django allows directory traversal if crafted filenames are directly passed to it.

Added on 2022-01-13

CVE-2021-45116

Exposure of Resource to Wrong Sphere in pypi/Django

An issue was discovered in Django. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.

Added on 2022-01-13

CVE-2021-34797

Insertion of Sensitive Information into Log File in maven/org.apache.geode/geode-core

Apache Geode is vulnerable to a flaw in its log file redaction of sensitive information when passwords begin with characters other than letters or numbers.

Added on 2022-01-13

CVE-2022-21652, GHSA-p523-jrph-qjc6

Insufficient Session Expiration in packagist/shopware/shopware

Shopware is an open source e-commerce software platform. The session validation was adjusted so that sessions created prior to the latest password change of a customer account can't be used to log in with said account. This also means that, upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.

Added on 2022-01-13

CVE-2021-23568, GHSA-gjm5-83cw-p3p2

Prototype Pollution in extend2 in npm/extend2

The package extend2 is vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.

Added on 2022-01-13

CVE-2022-21651, GHSA-c53v-qmrx-93hg

URL Redirection to Untrusted Site ('Open Redirect') in packagist/shopware/shopware

Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrarily redirected due to incomplete URL handling in the Shopware router. This issue has been resolved. There is no workaround and users are advised to upgrade as soon as possible.

Added on 2022-01-13

GHSA-7w54-gp8x-f33m, CVE-2022-21671

Potential exposure of tokens to an Unauthorized Actor in npm/@replit/crosis

@replit/crosis is a JavaScript client that speaks Replit's container protocol. A vulnerability that involves exposure of sensitive information exists. When using this library as a way to programmatically communicate with Replit in a standalone fashion, if there are multiple failed attempts to contact Replit through a WebSocket, the library will attempt to communicate using a fallback poll-based proxy. The URL of the proxy has changed, so any communication done to the previous URL could potentially reach a server that is outside of Replit's control and the token used to connect to the Repl could be obtained by an attacker, leading to full compromise of that Repl (not of the account). This was patched by updating the address of the fallback WebSocket polling proxy to the new one. As a workaround, a user may specify the new address for the polling host (`gp-v2.replit.com`) in the `ConnectArgs`. More information about this workaround is available in the GitHub Security Advisory.

Added on 2022-01-13

CVE-2021-43852, GHSA-jx5q-g37m-h5hj

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in packagist/oro/platform

OroPlatform is a PHP Business Application Platform. An attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched. Users unable to upgrade may configure a firewall to drop requests containing the following strings to mitigate this issue: `__proto__`, `constructor[prototype]`, and `constructor.prototype`.

Added on 2022-01-13

CVE-2021-41819

Reliance on Cookies without Validation and Integrity Checking in a Security Decision in gem/cgi

CGI::Cookie.parse in Ruby mishandles security prefixes in cookie names. This also affects the CGI gem for Ruby.

Added on 2022-01-13

CVE-2021-31522

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in maven/org.apache.kylin/kylin

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.

Added on 2022-01-13

GHSA-qc9x-gjcv-465w, CVE-2022-21668

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/pipenv

pipenv is a Python development workflow tool. Starting with and, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process.

Added on 2022-01-13

GHSA-hrgx-7j6v-xj82, CVE-2022-0087

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@keystone-6/auth

keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2022-01-13

CVE-2022-21670, GHSA-6vfc-qv3f-vr6c

Uncontrolled Resource Consumption in markdown-it in npm/markdown-it

markdown-it is a Markdown parser. Special patterns with length greater than a thousand characters could slow down the parser significantly. Users should upgrade to to receive a patch. There are no known workarounds aside from upgrading.

Added on 2022-01-13

CVE-2021-36739

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.portals.pluto/pluto-container

The "first name" and "last name" fields of the Apache Pluto MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

Added on 2022-01-13

CVE-2021-46141

Use After Free in conan/uriparser

An issue was discovered in uriparser. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.

Added on 2022-01-13

CVE-2021-45833

Out-of-bounds Write in conan/hdf5

A Stack-based Buffer Overflow Vulnerability exists in HDF5 via the H5D__create_chunk_file_map_hyper function in /hdf5/src/H5Dchunk.c, which causes a Denial of Service (context-dependent).

Added on 2022-01-13

CVE-2021-3842

Inefficient Regular Expression Complexity in pypi/nltk

nltk is vulnerable to Inefficient Regular Expression Complexity

Added on 2022-01-13

CVE-2021-45832

Out-of-bounds Write in conan/hdf5

A Stack-based Buffer Overflow Vulnerability exists in HDF5 at hdf5/src/H5Eint.c, which causes a Denial of Service (context-dependent).

Added on 2022-01-13

CVE-2021-45830

Out-of-bounds Write in conan/hdf5

A heap-based buffer overflow vulnerability exists in HDF5 via H5F_addr_decode_len in /hdf5/src/H5Fint.c, which could cause a Denial of Service.

Added on 2022-01-13

CVE-2021-46142

Use After Free in conan/uriparser

An issue was discovered in uriparser. It performs invalid free operations in uriNormalizeSyntax.

Added on 2022-01-13

CVE-2021-45115

Uncontrolled Resource Consumption in pypi/Django

An issue was discovered in Django. `UserAttributeSimilarityValidator` incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

Added on 2022-01-13

CVE-2021-45940

Out-of-bounds Write in conan/libbpf

libbpf has a heap-based buffer overflow (4 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).

Added on 2022-01-12

CVE-2021-45941

Out-of-bounds Write in conan/libbpf

libbpf has a heap-based buffer overflow (8 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).

Added on 2022-01-12

CVE-2021-45829

Improper Resource Shutdown or Release in conan/hdf5

HDF5 which causes a Denial of Service.

Added on 2022-01-12

CVE-2021-45943

Out-of-bounds Write in conan/gdal

GDAL has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).

Added on 2022-01-12

CVE-2021-45931

Out-of-bounds Write in conan/harfbuzz

HarfBuzz has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).

Added on 2022-01-12

CVE-2021-43861, GHSA-p3rp-vmj9-gv6v

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/mermaid

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Malicious diagrams can run JavaScript code on diagram readers' machines. Users should upgrade to to receive a patch. There are no known workarounds aside from upgrading.

Added on 2022-01-12

CVE-2021-43849, GHSA-7vfx-hfvm-rhr8

Reachable Assertion in npm/cordova-plugin-fingerprint-aio

cordova-plugin-fingerprint-aio is a plugin that provides a single and simple interface for accessing fingerprint APIs on both Android 6+ and iOS. The exported activity `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app to crash. This vulnerability occurred because the activity didn't handle the case where it is requested with invalid or empty data, which results in a crash. Any third party app can constantly call this activity with no permission. A 3rd party app/attacker using an event listener can continually stop the app from working and make the victim unable to open it. of the cordova-plugin-fingerprint-aio does not export the activity anymore and is no longer vulnerable. If you want to fix older versions, change the attribute android:exported in plugin.xml to false. Please upgrade to as soon as possible.

Added on 2022-01-12

CVE-2021-45958

Out-of-bounds Write in pypi/ujson

UltraJSON (aka ujson) has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode).

Added on 2022-01-12

CVE-2021-45942

Out-of-bounds Write in conan/openexr

OpenEXR has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

Added on 2022-01-12

CVE-2021-43045, GHSA-868x-rg4c-cjqg

Allocation of Resources Without Limits or Throttling in Apache Avro in nuget/Apache.Avro

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using affected versions of Apache Avro. Users should update to a release that addresses this issue.

Added on 2022-01-11

GHSA-mf27-wg66-m8f5, CVE-2020-35210

Uncontrolled Resource Consumption in maven/io.atomix/atomix

A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.

Added on 2022-01-11

GHSA-6qj8-c27w-rp33, CVE-2019-17557

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.syncope.client/syncope-client-enduser

It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameter. By this means, a user accessing the Enduser UI could execute JavaScript code from the URL query string.

Added on 2022-01-11

GHSA-2fqw-684c-pvp7, CVE-2020-35213

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in maven/io.atomix/atomix

An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.

Added on 2022-01-11

GHSA-4jhc-wjr3-pwh2, CVE-2020-35211

Unauthorized Atomix nodes can become the lead node in maven/io.atomix/atomix

An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.

Added on 2022-01-11

GHSA-m4h3-7mc2-v295, CVE-2020-35214

A malicious Atomix node can remove states of ONOS storage via abuse of primitive operations in maven/io.atomix/atomix

An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations.

Added on 2022-01-11

GHSA-3qp6-m7hp-jrwf, CVE-2021-36739

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.portals.pluto/pluto-portal

The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

Added on 2022-01-11

GHSA-jg6j-jrxv-2hh9, CVE-2021-36738

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.portals.pluto/pluto-portal

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact.

Added on 2022-01-11

GHSA-x588-g38j-f672, CVE-2021-36737

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.portals.pluto/pluto-portal

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact.

Added on 2022-01-11

GHSA-g7p8-r2ch-4rmf, CVE-2020-35215

Exposure of Resource to Wrong Sphere in maven/io.atomix/atomix

An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use to share important states.

Added on 2022-01-11

GHSA-7fr2-94h7-ccg2, CVE-2020-35209

Unauthorized Atomix nodes can join a target cluster via providing configuration information in maven/io.atomix/atomix

An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information.

Added on 2022-01-11

GHSA-wc6f-cjcp-cc33, CVE-2020-1952

Improper Certificate Validation in maven/org.apache.iotdb/iotdb-parent

An issue was found in Apache IoTDB 0.9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no authentication. Clients that can reach it could execute code remotely.

Added on 2022-01-11

GHSA-5q7q-qqw2-hjq7, CVE-2021-43853

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nuget/AjaxNetProfessional

Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross-site scripting when leveraged by a malicious user. The affected code relates to JavaScript object creation when parsing JSON input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See GHSA-5q7q-qqw2-hjq7 for workaround details.

Added on 2022-01-11

GHSA-7rpj-hg47-cx62, CVE-2021-23463

Improper Restriction of XML External Entity Reference in maven/com.h2database/h2

The package com.h2database:h2, in versions from 1.4.198 and before 2.0.202, is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method with the parameter DOMSource.class, it will trigger the vulnerability.

Added on 2022-01-11

GHSA-2h63-qp69-fwvw, CVE-2020-11987

Server-Side Request Forgery (SSRF) in maven/org.apache.xmlgraphics/batik-ttf2svg

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Added on 2022-01-11

GHSA-5chj-xprr-7qqx, CVE-2020-9447

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/com.googlecode.gwtupload/gwtupload

There is an XSS (cross-site scripting) vulnerability in GwtUpload 1.0.3 in the file upload functionality. Someone can upload a file with a malicious filename, which contains JavaScript code, which would result in XSS. Cross-site scripting enables attackers to steal data, change the appearance of a website, and perform other malicious activities like phishing or drive-by hacking.

Added on 2022-01-11

GHSA-2h63-qp69-fwvw, CVE-2020-11987

Server-Side Request Forgery (SSRF) in maven/org.apache.xmlgraphics/batik-util

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Added on 2022-01-11

GHSA-hjgm-f7vx-m5g7, CVE-2020-1964

Deserialization of Untrusted Data in maven/org.apache.heron/heron-simulator

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating do not configure their YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data).

Added on 2022-01-11

GHSA-8h56-v53h-5hhj, CVE-2020-10204

Improper Input Validation in maven/org.sonatype.nexus/nexus-core

Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.

Added on 2022-01-11

CVE-2021-41817, GHSA-qg54-694p-wgpp

Regular expression denial of service vulnerability (ReDoS) in date in gem/date

Date includes a ReDoS vulnerability.

Added on 2022-01-11

GHSA-2h63-qp69-fwvw, CVE-2020-11987

Server-Side Request Forgery (SSRF) in maven/org.apache.xmlgraphics/batik-xml

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Added on 2022-01-11

GHSA-9x9j-836w-8f55, CVE-2020-1026

Improper Verification of Cryptographic Signature in npm/msrcrypto

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library's Elliptic Curve Cryptography (ECC) implementation. An attacker could potentially abuse these bugs to learn information about a server's private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid. The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'.

Added on 2022-01-11

GHSA-59j4-wjwp-mw9m, CVE-2020-13936

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.apache.velocity/velocity-engine-parent

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Added on 2022-01-11

GHSA-q7q9-w24q-cpgh, CVE-2020-1936

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.ambari/ambari

A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.

Added on 2022-01-11

GHSA-c69w-jj56-834w, CVE-2021-44549

Improper Certificate Validation in maven/org.apache.sling/org.apache.sling.commons.messaging.mail

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks, additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. References:
- https://javaee.github.io/javamail/docs/SSLNOTES.txt
- https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html
- https://github.com/eclipse-ee4j/mail/issues/429

Added on 2022-01-11

GHSA-f7xw-46vh-5jw2, CVE-2021-4132

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/remdex/livehelperchat

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2022-01-11

GHSA-rpg7-q4cv-p466, CVE-2021-4123

Cross-Site Request Forgery (CSRF) in packagist/remdex/livehelperchat

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2022-01-11

GHSA-pccr-q7v9-5f27, CVE-2021-44548

Improper Input Validation in maven/org.apache.solr/solr-parent

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:
* The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes),
* In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution.
This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.

Added on 2022-01-11

GHSA-hx77-5p88-f92r, CVE-2021-4131

Cross-Site Request Forgery (CSRF) in packagist/remdex/livehelperchat

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2022-01-11

GHSA-gc67-crq6-hgh5, CVE-2021-41561

Improper Input Validation in maven/org.apache.parquet/parquet

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.

Added on 2022-01-11

GHSA-vc89-hccf-rq55, CVE-2022-21653

Hash collision in typelevel jawn in maven/org.typelevel/jawn-parser

Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.

Added on 2022-01-11

GHSA-xg6r-5gx4-qxjm, CVE-2021-3977

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/hillelcoren/invoice-ninja

invoiceninja is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2022-01-11

GHSA-xhw6-hjc9-679m, CVE-2021-44878

Token validation bypass in Pac4j in maven/org.pac4j/pac4j-core

Pac4j v5.1 and earlier allows (by default) clients to accept and successfully validate ID Tokens with "none" algorithm (i.e., tokens with no signature) which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.

Added on 2022-01-11

GHSA-r58x-wjg8-63m9, CVE-2021-40110

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.apache.james/james-server

In Apache James, using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.

Added on 2022-01-11

GHSA-84wg-rgp8-2hg4, CVE-2021-38542

Command Injection in Apache James in maven/org.apache.james/james-server

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information.

Added on 2022-01-11
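The STARTTLS buffering attack works because the server reads a chunk that contains the client's STARTTLS line plus extra plaintext an on-path attacker appended, upgrades to TLS, and then keeps processing the leftover bytes as if they had arrived over the protected channel. The model below is an added example, not Apache James code: a constructed line-oriented IMAP reader with the vulnerable behaviour and the fix (drop whatever was buffered alongside STARTTLS). The traffic, tags and the `ImapSession`/`replay` names are assumptions for the illustration.

```python
from typing import List, Tuple


class ImapSession:
    """Constructed model of a server-side IMAP command reader around STARTTLS."""

    def __init__(self, discard_plaintext_after_starttls: bool) -> None:
        self.buffer = b""
        self.tls_active = False
        # (command text, was it received after the TLS upgrade?)
        self.executed: List[Tuple[str, bool]] = []
        self.discard = discard_plaintext_after_starttls

    def feed(self, data: bytes) -> None:
        """Consume one socket read; returns at STARTTLS so the handshake can run."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            _tag, _, command = line.decode("ascii", "replace").partition(" ")
            self.executed.append((command, self.tls_active))
            if command.upper() == "STARTTLS":
                self.tls_active = True      # TLS handshake happens here
                if self.discard:
                    # Bytes read together with STARTTLS arrived in plaintext and may
                    # have been appended by a MITM; they must not survive the upgrade.
                    self.buffer = b""
                return


def replay(discard: bool, reads: List[bytes]) -> List[Tuple[str, bool]]:
    """Run a sequence of socket reads through a session and report what executed."""
    session = ImapSession(discard)
    for chunk in reads:
        session.feed(chunk)
    return session.executed


# Constructed traffic: the attacker appended the second line to the client's STARTTLS
# before encryption; the last read is what the real client sent over TLS.
PLAINTEXT_READ = b'a1 STARTTLS\r\na2 LIST "" *\r\n'
TLS_READ = b"a3 LOGIN alice s3cret\r\n"
```

With `discard=False` the injected `LIST` executes flagged as TLS traffic, interleaving an attacker-chosen command and its response into the victim's encrypted session; with `discard=True` only the client's own post-handshake command runs. The same rule applies to SMTP, POP3 and any other STARTTLS protocol: flush the input buffer at the upgrade boundary.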

GHSA-wrxc-mr2w-cjpv, CVE-2020-11529

URL Redirection to Untrusted Site ('Open Redirect') in packagist/grav

Common/Grav.php in Grav before 1.7 has an Open Redirect. This is partially fixed in 1.6.23 and still present in 1.6.x.

Added on 2022-01-11

GHSA-3cf2-x423-x582, CVE-2021-4024

Origin Validation Error in go/github.com/containers/podman/v3

A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.

Added on 2022-01-11

GHSA-9423-6c93-gpp8, CVE-2020-7667

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/sassoftware/go-rpmutils/cpio

In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading ".." which leads in file extraction outside of the current directory. Note: the fixing commit was applied to all affected versions which were re-released.

Added on 2022-01-11

GHSA-fqgw-6qj5-8hmp, CVE-2021-40111

Infinite Loop in Apache James in maven/org.apache.james/james-server

In Apache James, while fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade.

Added on 2022-01-11

GHSA-88jf-7rch-32qc, CVE-2020-7668

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/unknwon/cae/tz

In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Added on 2022-01-11

GHSA-vpx7-vm66-qx8r, CVE-2020-7664

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/unknwon/cae/zip

In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Added on 2022-01-11

GHSA-4w23-c97g-fq5v, CVE-2021-4130

Cross-Site Request Forgery (CSRF) in packagist/snipe-it

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2022-01-11

GHSA-5r5w-h76p-m726, CVE-2021-42583

Use of a Broken or Risky Cryptographic Algorithm in Max Mazurov Maddy in go/github.com/foxcpp/maddy

A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information.

Added on 2022-01-11

CVE-2022-22293

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/dolibarr/dolibarr

admin/limits.php in Dolibarr allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.

Added on 2022-01-11

GHSA-8cvr-4rrf-f244, CVE-2021-3909

Uncontrolled Resource Consumption in go/github.com/cloudflare/cfrpki/cmd/octorpki

OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.

Added on 2022-01-11

GHSA-cqh2-vc2f-q4fh, CVE-2021-3907

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/cloudflare/cfrpki/cmd/octorpki

OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.

Added on 2022-01-11

GHSA-2hfj-cxw7-g45p, CVE-2021-39183

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go/github.com/owncast/owncast

Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.

Added on 2022-01-11

GHSA-jcxc-rh6w-wf49, CVE-2021-23772

Improper Link Resolution Before File Access ('Link Following') in go/github.com/kataras/iris/v12

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

Added on 2022-01-11
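Five entries above (go-rpmutils/cpio, cae/tz, cae/zip, OctoRPKI and iris `UploadFormFiles`) are the same defect: a name taken from an archive, URI or upload is joined onto a base directory without rejecting leading or non-leading `..` or absolute paths. The following is an added example, not code from any of those projects, showing the check a practitioner would put in front of the write. The directory names, the `safe_target`/`plan_extraction`/`cache_path_for_uri` helpers and the cache layout for the URI case are assumptions for the illustration.

```python
import os
from typing import Dict, List, Optional
from urllib.parse import urlparse


def has_dotdot(name: str) -> bool:
    """True if any path component, leading or not, is '..' (either separator)."""
    return ".." in name.replace("\\", "/").split("/")


def safe_target(base_dir: str, name: str) -> str:
    """Path an entry may be written to, or ValueError if it would leave base_dir."""
    if not name or name.startswith(("/", "\\")) or has_dotdot(name):
        raise ValueError(f"rejected entry name: {name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Defence in depth: even after the string checks, require containment, so a
    # future normalisation quirk cannot turn this into a write outside base_dir.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry escapes {base_dir}: {name!r}")
    return target


def plan_extraction(base_dir: str, names: List[str]) -> Dict[str, Optional[str]]:
    """Map each archive member to its destination, or None when it must be skipped."""
    plan: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            plan[name] = safe_target(base_dir, name)
        except ValueError:
            plan[name] = None
    return plan


def cache_path_for_uri(cache_root: str, uri: str) -> str:
    """Map a repository URI to an on-disk cache file (the OctoRPKI-style case):
    host and path come from the remote, so they get the same treatment."""
    parsed = urlparse(uri)
    relative = (parsed.hostname or "") + parsed.path
    return safe_target(cache_root, relative.lstrip("/"))
```

Rejecting `..` as a component (rather than as a substring) keeps legitimate names such as `notes..txt` working while still refusing `x/../../evil`; the `realpath` containment check catches anything the string rules miss.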

CVE-2021-43858, GHSA-j6jc-jqqc-p6cx

Improper Privilege Management in go/github.com/minio/minio

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.

Added on 2022-01-11

GHSA-cv25-3gmg-c6m8, CVE-2021-25994

Injection in UserFrosting in packagist/userfrosting/userfrosting

In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.

Added on 2022-01-11
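The UserFrosting entry above is a Host header injection: if the password-reset e-mail builds its link from the `Host` header of the request that triggered it, an attacker who sends a "forgot password" request for the victim with a forged `Host` gets the victim's reset token delivered to a server they control. The following is an added example, not UserFrosting code, contrasting the vulnerable link construction with one that validates the host against an allow-list and uses a configured base URL. The host names, paths and helper names are assumptions for the illustration.

```python
from typing import Dict
from urllib.parse import urlencode, urlparse

# Constructed deployment settings for this example.
ALLOWED_HOSTS = frozenset({"crm.example.com"})
CANONICAL_BASE_URL = "https://crm.example.com"


def reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Builds the e-mailed link from the request's own Host header:
    whoever sent the request decides where the token goes."""
    return f"https://{headers['Host']}/account/reset?{urlencode({'token': token})}"


def reset_link_hardened(headers: Dict[str, str], token: str) -> str:
    """Checks Host (without port, case-insensitively) against an allow-list and
    then builds the link from configuration, not from the request."""
    host = urlparse("//" + headers.get("Host", "")).hostname or ""
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {headers.get('Host')!r}")
    return f"{CANONICAL_BASE_URL}/account/reset?{urlencode({'token': token})}"


def link_recipient(link: str) -> str:
    """The host that receives the token when the victim clicks the link."""
    return urlparse(link).hostname or ""
```

If the application sits behind a reverse proxy that rewrites `X-Forwarded-Host`, that header needs the same allow-list check; trusting it unconditionally reintroduces the bug.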

GHSA-ghhm-xrwp-75m9, CVE-2021-4194

Improper Access Control in packagist/ssddanbrown/bookstack

bookstack is vulnerable to Improper Access Control

Added on 2022-01-11

GHSA-6vvh-5794-vpmj, CVE-2020-35216

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in maven/io.atomix/atomix

An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.

Added on 2022-01-11

GHSA-w6rp-4vj7-v2m8, CVE-2022-22111

Missing Authorization in packagist/bottelet/flarepoint

In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application.

Added on 2022-01-11

GHSA-jr37-66pj-36v7, CVE-2022-22109

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/bottelet/flarepoint

In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks.

Added on 2022-01-11

GHSA-44gv-fgcj-w546, CVE-2022-22107

Missing Authorization in packagist/bottelet/flarepoint

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

Added on 2022-01-11

GHSA-frxp-xxx8-hrg6, CVE-2022-22108

Missing Authorization in packagist/bottelet/flarepoint

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.

Added on 2022-01-11

GHSA-96v6-hrwg-p378, CVE-2022-22110

Weak Password Requirements in packagist/bottelet/flarepoint

In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users’ passwords with minimal to no computational effort.

Added on 2022-01-11

GHSA-86wf-436m-h424, CVE-2019-10196

Improper Initialization in npm/http-proxy-agent

A flaw was found in http-proxy-agent. It was discovered that http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.

Added on 2022-01-11

GHSA-cxg7-84wp-8pcq, CVE-2021-4117

Business Logic Errors in packagist/yetiforce/yetiforce-crm

yetiforcecrm is vulnerable to Business Logic Errors

Added on 2022-01-11

GHSA-fwh7-v4gf-xv7w, CVE-2021-4116

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/yetiforce/yetiforce-crm

yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2022-01-11

GHSA-7v7w-f7c6-f829, CVE-2021-4111

Business Logic Errors in packagist/yetiforce/yetiforce-crm

yetiforcecrm is vulnerable to Business Logic Errors

Added on 2022-01-11

GHSA-j85f-xw9x-ffwp, CVE-2021-4121

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/yetiforce/yetiforce-crm

yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2022-01-11

CVE-2021-43862, GHSA-x9r5-jxvq-4387

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in npm/jquery.terminal

jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. As a workaround, the user can use formatting that wraps the whole user input and is a no-op. The code for this workaround is available in the GitHub Security Advisory. The fix will only work when the user of the library is not using different formatters (e.g. to highlight code in a different way).

Added on 2022-01-11

GHSA-49rv-g7w5-m8xx, CVE-2017-18635

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@novnc/novnc

An XSS vulnerability was discovered in noVNC in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

Added on 2022-01-11

GHSA-9c5c-5j4h-8q2c, CVE-2021-4119

Improper Access Control in packagist/ssddanbrown/bookstack

bookstack is vulnerable to Improper Access Control

Added on 2022-01-11

CVE-2022-0079

Generation of Error Message Containing Sensitive Information in packagist/showdoc/showdoc

showdoc is vulnerable to Generation of Error Message Containing Sensitive Information

Added on 2022-01-11

CVE-2021-41236, GHSA-qv7g-j98v-8pp7

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/oro/platform

OroPlatform is a PHP Business Application Platform. An attacker must have permission to create or edit an email template. For successful payload execution, the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as possible.

Added on 2022-01-10

CVE-2021-4139

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/pimcore/pimcore

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2022-01-10

CVE-2021-45895

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/netgen/tagsbundle

Netgen Tags Bundle allows XSS in the Tags Admin interface.

Added on 2022-01-10

CVE-2021-45945

Out-of-bounds Write in conan/uwebsockets

uWebSockets has an out-of-bounds write in std::__1::pair<unsigned int, void*> uWS::HttpParser::fenceAndConsumePostPadded<0 (called from uWS::HttpParser::consumePostPadded and std::__1::__function::__func<LLVMFuzzerTestOneInput::$_0, std::__1::allocator<LL).

Added on 2022-01-10

CVE-2021-45948

Out-of-bounds Write in conan/assimp

Open Asset Import Library (aka assimp) has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).

Added on 2022-01-10

CVE-2022-0086

Server-Side Request Forgery (SSRF) in npm/uppy

uppy is vulnerable to Server-Side Request Forgery (SSRF)

Added on 2022-01-10

CVE-2021-43839, GHSA-f854-hpxv-cw9r

Always-Incorrect Control Flow Implementation in go/github.com/tharsis/evmos

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.

Added on 2022-01-10

CVE-2021-4024

Exposure of Sensitive Information to an Unauthorized Actor in go/github.com/containers/podman

A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.

Added on 2022-01-10

GHSA-9236-8w7q-rmrv, CVE-2021-4162

Cross-Site Request Forgery (CSRF) in pypi/archivy

archivy is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2022-01-10

CVE-2021-44548

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.solr/solr-core

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:
* The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes),
* In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution.
This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.

Added on 2022-01-10

GHSA-8rh6-h94m-vj54, CVE-2021-41500

Incorrect Comparison in pypi/cvxopt

An incomplete string comparison vulnerability exists in the cvxopt APIs cvxopt.cholmod.diag, cvxopt.cholmod.getfactor, cvxopt.cholmod.solve and cvxopt.cholmod.spsolve, which allows attackers to conduct Denial of Service attacks by constructing fake Capsule objects.

Added on 2022-01-10

CVE-2021-23727, GHSA-q4xr-rc97-m4xx

OS Command Injection in celery in pypi/celery

This affects the package celery. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate, the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

Added on 2022-01-10

GHSA-x7gm-rfgv-w973, CVE-2020-15225

Incorrect Conversion between Numeric Types in pypi/django-filter

django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously crafted input using exponential format with sufficiently large exponents. The fix applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.

Added on 2022-01-10
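The django-filter entry above turns on one detail: a value such as `1e1000000` is cheap to parse as a decimal but, converted to an integer, forces the runtime to materialise every digit, so the bound must be checked in exponent form before the conversion. The following is an added example, not django-filter code, showing the unchecked conversion beside a bounded one that uses the advisory's 1e50 default; the helper names and limit constant are assumptions for the illustration.

```python
from decimal import Decimal, InvalidOperation

# The advisory's default bound; a deployment can tighten it (assumed name).
DEFAULT_LIMIT = Decimal("1e50")


def to_int_unchecked(raw: str) -> int:
    """Vulnerable conversion: int() must produce every digit of the number,
    so the cost is set by the attacker's exponent before any validation runs."""
    return int(Decimal(raw))


def digits_required(raw: str) -> int:
    """Integer digits int() would have to produce; read off the exponent, so cheap."""
    value = Decimal(raw)
    if not value.is_finite():
        raise ValueError(f"non-finite value: {raw!r}")
    return value.adjusted() + 1 if value else 1


def to_int_bounded(raw: str, limit: Decimal = DEFAULT_LIMIT) -> int:
    """Fixed conversion: validate the magnitude in exponent form, then expand."""
    try:
        value = Decimal(raw)          # exact parse, no digit expansion
    except InvalidOperation:
        raise ValueError(f"not a number: {raw!r}") from None
    if not value.is_finite():
        raise ValueError(f"non-finite value: {raw!r}")
    # copy_abs() and comparison are exact and independent of the decimal context:
    # no rounding, no Overflow trap, no expansion of the coefficient.
    if value.copy_abs() > limit:
        raise ValueError(f"{raw!r} exceeds limit {limit}")
    return int(value)
```

`digits_required("1e1000000")` answers instantly while `to_int_unchecked` on the same input has to build a million-digit integer; for larger exponents the unchecked path is a memory and CPU sink, which is exactly the DoS the advisory describes.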

CVE-2021-43853, GHSA-5q7q-qqw2-hjq7

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nuget/AjaxPro.2

Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross-site scripting when leveraged by a malicious user. The affected code relates to JavaScript object creation when parsing JSON input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See GHSA-5q7q-qqw2-hjq7 for workaround details.

Added on 2022-01-10

CVE-2021-45890

Improper Authentication in maven/com.nexblocks.authguard/authguard

basic/BasicAuthProvider.java in AuthGuard allows authentication via an inactive identifier.

Added on 2022-01-10

CVE-2021-43857, GHSA-9w7f-m4j4-j3xw

Code Injection in pypi/gerapy

Gerapy is a distributed crawler management framework. Gerapy is vulnerable to remote code execution.

Added on 2022-01-10