Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 4.5 days (on average).

CVE-2021-22885

Possible Information Disclosure / Unintended Method Execution in gem/rails

There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.

Added on 2021-05-12

CVE-2021-22904

Uncontrolled Resource Consumption in gem/rails

There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.

Added on 2021-05-12

CVE-2021-22902

Uncontrolled Resource Consumption in gem/rails

There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted `Accept` headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Added on 2021-05-12

CVE-2021-28359

Cross-site Scripting in pypi/apache-airflow

The `origin` parameter passed to some of the endpoints like `/trigger` is vulnerable to XSS. This is the same issue as CVE-2020-13944 and CVE-2020-17515 but the implemented fix did not fix the issue completely.

Added on 2021-05-12

CVE-2021-21391

Uncontrolled Resource Consumption in npm/@ckeditor/ckeditor5-markdown-gfm

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze.

Added on 2021-05-12

CVE-2021-21391

Uncontrolled Resource Consumption in npm/@ckeditor/ckeditor5-list

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze.

Added on 2021-05-12

CVE-2021-21391

Uncontrolled Resource Consumption in npm/@ckeditor/ckeditor5-paste-from-office

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze.

Added on 2021-05-12

CVE-2021-21391

Uncontrolled Resource Consumption in npm/@ckeditor/ckeditor5-widget

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze.

Added on 2021-05-12

CVE-2021-21391

Uncontrolled Resource Consumption in npm/@ckeditor/ckeditor5-font

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze.

Added on 2021-05-12

CVE-2021-21391

Uncontrolled Resource Consumption in npm/@ckeditor/ckeditor5-engine

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze.

Added on 2021-05-12

CVE-2021-22903

URL Redirection to Untrusted Site (Open Redirect) in gem/rails

This is similar to CVE-2021-22881. Specially crafted `Host` headers in combination with certain `allowed host` formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Added on 2021-05-12

CVE-2021-21391

Uncontrolled Resource Consumption in npm/@ckeditor/ckeditor5-image

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze.

Added on 2021-05-12

CVE-2021-21391

Uncontrolled Resource Consumption in npm/@ckeditor/ckeditor5-media-embed

CKEditor 5 provides a WYSIWYG editing solution. A regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed particular regular expressions to be abused, which could cause a significant performance drop resulting in a browser tab freeze.

Added on 2021-05-12

CVE-2021-28860

Prototype Pollution in npm/mixme

An attacker can add or alter properties of an object via `__proto__` through the `mutate()` and `merge()` functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

Added on 2021-05-12

CVE-2020-36319

Information Exposure in maven/com.vaadin/flow-client

Insecure configuration of the default `ObjectMapper` in `com.vaadin:flow-server` may expose sensitive data if the application also uses `@RestController`.

Added on 2021-05-10

CVE-2020-36320

Uncontrolled Resource Consumption in maven/com.vaadin/flow-client

Unsafe validation RegEx in `EmailValidator` class in `com.vaadin:vaadin-server` allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

Added on 2021-05-10

CVE-2020-36321

Path Traversal in maven/com.vaadin/flow-client

Improper URL validation in the development mode handler in `com.vaadin:flow-server` allows an attacker to request arbitrary files stored outside of the intended frontend resources folder.

Added on 2021-05-10

CVE-2021-31404

Information Exposure Through Discrepancy in maven/com.vaadin/flow-client

A non-constant-time comparison of CSRF tokens in the UIDL request handler in `com.vaadin:flow-server` allows an attacker to guess a security token via a timing attack.

Added on 2021-05-10

CVE-2021-31403

Information Exposure Through Discrepancy in maven/com.vaadin/flow-client

A non-constant-time comparison of CSRF tokens in the UIDL request handler in `com.vaadin:vaadin-server` allows an attacker to guess a security token via a timing attack.

Added on 2021-05-10

CVE-2021-21429

Files or Directories Accessible to External Parties in maven/org.openapitools/openapi-generator

OpenAPI Generator allows generation of API client libraries, server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. OpenAPI Generator maven plug-in creates insecure temporary files during the process.

Added on 2021-05-10

CVE-2021-31405

Uncontrolled Resource Consumption in maven/com.vaadin/flow-client

Unsafe validation RegEx in the `EmailField` component of `com.vaadin:vaadin-text-field-flow` allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

Added on 2021-05-10

CVE-2021-31407

Exposure of Resource to Wrong Sphere in maven/com.vaadin/flow-client

A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows an attacker to access application classes and resources on the server via a crafted HTTP request.

Added on 2021-05-10

CVE-2021-25927

Object Prototype Pollution in npm/safe-flat

A Prototype pollution vulnerability in safe-flat allows an attacker to cause a denial of service and may lead to remote code execution.

Added on 2021-05-10

CVE-2020-36319

Information Exposure in maven/com.vaadin/vaadin-server

Insecure configuration of the default `ObjectMapper` in `com.vaadin:flow-server` may expose sensitive data if the application also uses `@RestController`.

Added on 2021-05-10

CVE-2021-31404

Information Exposure Through Discrepancy in maven/com.vaadin/vaadin-server

A non-constant-time comparison of CSRF tokens in UIDL request handler in `com.vaadin:flow-server` allows attackers to guess a security token via a timing attack.

Added on 2021-05-10

CVE-2020-36321

Path Traversal in maven/com.vaadin/vaadin-server

Improper URL validation in the development mode handler in `com.vaadin:flow-server` allows an attacker to request arbitrary files stored outside of the intended frontend resources folder.

Added on 2021-05-10

CVE-2021-31405

Uncontrolled Resource Consumption in maven/com.vaadin/vaadin-server

Unsafe validation RegEx in `EmailField` component of `com.vaadin:vaadin-text-field-flow` allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

Added on 2021-05-10

CVE-2021-31408

Insufficient Session Expiration in maven/com.vaadin/vaadin-server

The `Authentication.logout()` helper in `com.vaadin:flow-client` uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

Added on 2021-05-10

CVE-2021-31407

Exposure of Resource to Wrong Sphere in maven/com.vaadin/vaadin-server

A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows attackers to access application classes and resources on the server via a crafted HTTP request.

Added on 2021-05-10

CVE-2021-28125

URL Redirection to Untrusted Site (Open Redirect) in pypi/apache-superset

Apache Superset allows for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.

Added on 2021-05-10

CVE-2021-28125

URL Redirection to Untrusted Site (Open Redirect) in pypi/superset

Apache Superset allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.

Added on 2021-05-10

CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/vaadin-server

A non-constant-time comparison of CSRF tokens in the endpoint request handler in `com.vaadin:flow-server` and `com.vaadin:fusion-endpoint` allows an attacker to guess a security token for Fusion endpoints via a timing attack.

Added on 2021-05-10

CVE-2020-36326

Deserialization of Untrusted Data in packagist/phpmailer/phpmailer

PHPMailer allows object injection through `Phar` deserialization via the `addAttachment` with a UNC pathname.

Added on 2021-05-10

CVE-2020-13666

Cross-site Scripting in packagist/drupal/core

A cross-site scripting vulnerability exists in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack.

Added on 2021-05-10

CVE-2020-13666

Cross-site Scripting in packagist/drupal/drupal

A cross-site scripting vulnerability exists in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack.

Added on 2021-05-10

CVE-2021-29442

Missing Authentication for Critical Function in maven/com.alibaba.nacos/nacos-api

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos, the `ConfigOpsController` lets the user perform management operations like querying the database or even wiping it out. While the `/data/remove` endpoint is properly protected with the `@Secured` annotation, the `/derby` endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql).

Added on 2021-05-10

CVE-2021-29441

Authentication Bypass by Spoofing in maven/com.alibaba.nacos/nacos-api

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos, when configured to use authentication `-Dnacos.core.auth.enabled=true` it uses the `AuthFilter` servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.

Added on 2021-05-10

CVE-2021-29482

Loop with Unreachable Exit Condition (Infinite Loop) in go/github.com/ulikunitz/xz

xz is a compression and decompression library focusing on the xz format, written completely in Go. The function `readUvarint` used to read the xz container format may not terminate a loop when provided malicious input. As a workaround, users can limit the size of the compressed file input to a reasonable size for their use case. The standard library recently had the same issue, described in CVE-2020-16845.

Added on 2021-05-10

CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/flow-client

A non-constant-time comparison of CSRF tokens in the endpoint request handler in `com.vaadin:flow-server` and `com.vaadin:fusion-endpoint` allows an attacker to guess a security token for Fusion endpoints via a timing attack.

Added on 2021-05-10

CVE-2021-31408

Insufficient Session Expiration in maven/com.vaadin/flow-client

The `Authentication.logout()` helper in `com.vaadin:flow-client` uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

Added on 2021-05-07

CVE-2020-36319

Information Exposure in maven/com.vaadin/flow-server

Insecure configuration of the default `ObjectMapper` in `com.vaadin:flow-server` may expose sensitive data if the application also uses e.g. `@RestController`.

Added on 2021-05-07

CVE-2021-30638

Information Exposure in maven/org.apache.tapestry/tapestry-core

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953.

Added on 2021-05-07

CVE-2021-31404

Information Exposure Through Discrepancy in maven/com.vaadin/flow-server

A non-constant-time comparison of CSRF tokens in the UIDL request handler in `com.vaadin:flow-server` allows an attacker to guess a security token via a timing attack.

Added on 2021-05-07

CVE-2021-31403

Information Exposure Through Discrepancy in maven/com.vaadin/vaadin-server

A non-constant-time comparison of CSRF tokens in the UIDL request handler in `com.vaadin:vaadin-server` allows an attacker to guess a security token via a timing attack.

Added on 2021-05-07

CVE-2020-36321

Path Traversal in maven/com.vaadin/flow-server

Improper URL validation in the development mode handler in `com.vaadin:flow-server` allows an attacker to request arbitrary files stored outside of the intended frontend resources folder.

Added on 2021-05-07

CVE-2021-31407

Exposure of Resource to Wrong Sphere in maven/com.vaadin/flow-server

A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows an attacker to access application classes and resources on the server via a crafted HTTP request.

Added on 2021-05-07

CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/flow-server

A non-constant-time comparison of CSRF tokens in the endpoint request handler in `com.vaadin:flow-server` allows an attacker to guess a security token for Fusion endpoints via a timing attack.

Added on 2021-05-07

CVE-2020-36320

Uncontrolled Resource Consumption in maven/com.vaadin/vaadin-server

Unsafe validation RegEx in the `EmailValidator` class in `com.vaadin:vaadin-server` allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

Added on 2021-05-07

CVE-2021-31405

Uncontrolled Resource Consumption in maven/com.vaadin/vaadin-text-field-flow

Unsafe validation RegEx in the `EmailField` component in `com.vaadin:vaadin-text-field-flow` allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

Added on 2021-05-07

CVE-2021-28055

Cross-Site Request Forgery (CSRF) in packagist/centreon/centreon

An issue was discovered in Centreon-Web in Centreon Platform. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user.

Added on 2021-05-06

CVE-2021-23364

Uncontrolled Resource Consumption in npm/browserslist

The package browserslist from are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Added on 2021-05-06

CVE-2021-29427

Inclusion of Functionality from Untrusted Control Sphere in maven/org.gradle/gradle-core

In Gradle there is a vulnerability which can lead to information disclosure and/or dependency poisoning.

Added on 2021-05-06

CVE-2021-21388

OS Command Injection in npm/systeminformation

systeminformation is an open source system and OS information library for node. Please upgrade to If you cannot upgrade, be sure to check or sanitize service parameters that are passed to `si.inetLatency()`, `si.inetChecksite()`, `si.services()`, `si.processLoad()` and other commands. Only allow strings, reject any arrays. String sanitization works as expected.

Added on 2021-05-06

CVE-2021-21431

Improper Input Validation in pypi/sopel-plugins.channelmgnt

sopel-channelmgnt is a channelmgnt plugin for sopel.

Added on 2021-05-05

CVE-2021-31607

Command Injection in pypi/salt

In SaltStack Salt, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).

Added on 2021-05-05

CVE-2021-31408

Insufficient Session Expiration in maven/com.vaadin/flow

`Authentication.logout()` uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

Added on 2021-05-05

CVE-2020-36325

Out-of-bounds Read in conan/jansson

An issue was discovered in Jansson. Due to a parsing error in `json_loads`, there's an out-of-bounds read-access bug.

Added on 2021-05-05

CVE-2021-23382

Uncontrolled Resource Consumption in npm/postcss

The package postcss are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`.

Added on 2021-05-05

CVE-2021-26291

Origin Validation Error in maven/org.apache.maven/maven

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.

Added on 2021-05-05

CVE-2021-29469

Uncontrolled Resource Consumption in npm/redis

When a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched

Added on 2021-05-04

CVE-2021-31671

Cleartext Transmission of Sensitive Information in gem/pgsync

pgsync Syncing the schema with the `--schema-first` and `--schema-only` options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used.

Added on 2021-05-04

CVE-2021-20228

Information Exposure in pypi/ansible

A flaw was found in the Ansible Engine, where sensitive info is not masked by default and is not protected by the `no_log` feature when using the sub-option feature of the `basic.py` module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.

Added on 2021-05-04

CVE-2021-29443

Information Exposure Through Discrepancy in npm/jose

jose is an npm library providing a number of cryptographic operations.

Added on 2021-05-03

CVE-2021-25928

Prototype Pollution in npm/safe-obj

Prototype pollution vulnerability in `safe-obj` allows an attacker to cause a denial of service and may lead to remote code execution.

Added on 2021-05-03

CVE-2021-23379

Command Injection in npm/portkiller

This affects all versions of package portkiller. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.

Added on 2021-05-03

CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/flow

A non-constant-time comparison of CSRF tokens in the endpoint request handler allows an attacker to guess a security token for Fusion endpoints via a timing attack.

Added on 2021-05-03

CVE-2021-31404

Information Exposure Through Discrepancy in maven/com.vaadin/flow

A non-constant-time comparison of CSRF tokens in the UIDL request handler in `com.vaadin:flow-server` allows an attacker to guess a security token via a timing attack.

Added on 2021-05-03

CVE-2021-23376

Command Injection in npm/ffmpegdotjs

This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.

Added on 2021-05-03

CVE-2021-20086

Prototype Pollution in npm/jquery-bbq

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2021-23358

Code Injection in npm/underscore

The package underscore from , from are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Added on 2021-05-03

CVE-2021-31597

Improper Certificate Validation in npm/xmlhttprequest-ssl

The xmlhttprequest-ssl package for Node.js disables SSL certificate validation by default, because `rejectUnauthorized` (when the property exists but is undefined) is considered to be false within the `https.request` function of Node.js. In other words, no certificate is ever rejected.

Added on 2021-05-03

CVE-2021-23368

Uncontrolled Resource Consumption in npm/postcss

The package postcss from are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Added on 2021-05-03

CVE-2021-20085

Prototype Pollution in npm/backbone-query-parameters

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2021-29445

Information Exposure Through Discrepancy in npm/jose

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions.

Added on 2021-05-03

CVE-2021-29444

Information Exposure Through Discrepancy in npm/jose

jose-browser-runtime is an npm package which provides a number of cryptographic functions.

Added on 2021-05-03

CVE-2021-29446

Information Exposure Through Discrepancy in npm/jose

jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions.

Added on 2021-05-03

CVE-2021-23375

Command Injection in npm/psnode

This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.

Added on 2021-05-03

CVE-2021-20089

Prototype Pollution in npm/purl

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2021-20088

Prototype Pollution in npm/mootools-more

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2020-23922

Out-of-bounds Read in conan/giflib

An issue was discovered in giflib. `DumpScreen2RGB` in `gif2rgb.c` has a heap-based buffer over-read.

Added on 2021-05-03

CVE-2021-20087

Prototype Pollution in npm/jquery-deparam

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2021-23374

Command Injection in npm/ps-visitor

This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.

Added on 2021-05-03