Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory Database within 2.1 days (on average).

GHSA-94mm-g2mv-8p7r, CVE-2023-25672

NULL Pointer Dereference in pypi/tensorflow

TensorFlow is an open source platform for machine learning. The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

CVE-2023-28424, GHSA-gc2x-86p3-mxg2

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in go/github.com/gentoo/soko

Soko is the code that powers packages.gentoo.org. Prior to version 1.0.2, the two package search handlers, `Search` and `SearchFeed`, implemented in `pkg/app/handler/packages/search.go`, are affected by a SQL injection via the `q` parameter. As a result, unauthenticated attackers can execute arbitrary SQL queries on `https://packages.gentoo.org/`. It was also demonstrated that this primitive was enough to gain code execution in the context of the PostgreSQL container. The issue was addressed in commit `4fa6e4b619c0362728955b6ec56eab0e0cbf1e23y` of version 1.0.2 by switching to prepared statements, so that user-controlled data is passed to PostgreSQL as bound parameters rather than interpolated into the SQL text.
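
The vulnerable-and-fixed pattern this advisory describes, as an added Go example that is not Soko's code: the table and column names, the handler shape and the `recordingDB` stand-in for `*sql.DB` are hypothetical, and the attacker input is constructed. The point it shows is the boundary that matters: in the vulnerable form the search term becomes part of the SQL text, in the prepared-statement form it travels as a bound parameter and the SQL text is a constant.

```go
package main

import "fmt"

// Queryer is the subset of database/sql's API the handlers need. Using an
// interface lets this example run without a PostgreSQL driver: recordingDB
// below captures what would have been sent to the database.
type Queryer interface {
	Query(query string, args ...any) error
}

// recordingDB is a constructed stand-in for *sql.DB that records the last call.
type recordingDB struct {
	LastQuery string
	LastArgs  []any
}

func (db *recordingDB) Query(query string, args ...any) error {
	db.LastQuery, db.LastArgs = query, args
	return nil
}

// searchVulnerable shows the bug class in the advisory: the user-controlled
// search term is spliced into the SQL text, so quote characters in q change
// the statement's structure. (Hypothetical table and columns.)
func searchVulnerable(db Queryer, q string) error {
	sql := fmt.Sprintf(
		"SELECT name, category FROM packages WHERE name ILIKE '%%%s%%'", q)
	return db.Query(sql)
}

// searchSafe is the prepared-statement form the advisory says the fix adopted:
// the SQL text is a constant with a placeholder and q is handed to the driver
// separately as a bound parameter, so it is never parsed as SQL.
func searchSafe(db Queryer, q string) error {
	const sql = "SELECT name, category FROM packages WHERE name ILIKE $1"
	return db.Query(sql, "%"+q+"%")
}

func main() {
	payload := "x'; DROP TABLE packages; --" // constructed attacker input
	db := &recordingDB{}

	_ = searchVulnerable(db, payload)
	fmt.Printf("vulnerable SQL text: %s\nbound args: %v\n\n", db.LastQuery, db.LastArgs)

	_ = searchSafe(db, payload)
	fmt.Printf("safe SQL text:       %s\nbound args: %q\n", db.LastQuery, db.LastArgs)
}
```

Binding the parameter removes the injection; it does not neutralise `%` and `_` inside `q`, which still act as ILIKE wildcards. That is a separate concern (escape them or cap the search length) and not what the advisory is about.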

Added on 2023-03-27

GHSA-g8xm-p2h4-v6jp, CVE-2021-3684

OpenShift Assisted Installer leaks image pull secrets as plaintext in installation logs in go/github.com/openshift/assisted-installer

A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.

Added on 2023-03-27

GHSA-wp72-7hj9-5265, CVE-2023-1176

Absolute Path Traversal in pypi/mlflow

Absolute Path Traversal in GitHub repository mlflow/mlflow

Added on 2023-03-27

GHSA-xg73-94fp-g449, CVE-2023-1177

Path Traversal: '\..\filename' in pypi/mlflow

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

Added on 2023-03-27

GHSA-7jvm-xxmr-v5cw, CVE-2023-25662

Integer Overflow or Wraparound in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 are vulnerable to integer overflow in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-7x4v-9gxg-9hwj, CVE-2023-25675

Incorrect Comparison in pypi/tensorflow-cpu

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.Bincount` segfaults when given a parameter `weights` that is neither the same shape as parameter `arr` nor a length-0 tensor. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-68v3-g9cm-rmm6, CVE-2023-25658

Out-of-bounds Read in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is an out-of-bounds read in GRUBlockCellGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-j5w9-hmfh-4cr6, CVE-2023-25671

Out-of-bounds Write in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-gf97-q72m-7579, CVE-2023-25674

NULL Pointer Dereference in pypi/tensorflow-cpu

TensorFlow is an open source machine learning platform. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-qjqc-vqcf-5qvj, CVE-2023-25660

NULL Pointer Dereference in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when the parameter `summarize` of `tf.raw_ops.Print` is zero, the new method `SummarizeArray<bool>` dereferences a null pointer, leading to a segmentation fault. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-49rq-hwc3-x77w, CVE-2023-25670

NULL Pointer Dereference in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-6hg6-5c2q-7rcr, CVE-2023-25664

Heap-based Buffer Overflow in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-5w96-866f-6rm8, CVE-2023-27579

Incorrect Comparison in pypi/tensorflow-cpu

TensorFlow is an end-to-end open source platform for machine learning. Constructing a TFLite model with a `filter_input_channel` parameter of less than 1 triggers a floating point exception (FPE). This issue has been patched in version 2.12.0, and the fix commit is also cherry-picked into TensorFlow 2.11.1.

Added on 2023-03-27

GHSA-gwvm-vrp4-4pp5, CVE-2023-28444

Insertion of Sensitive Information into Externally-Accessible File or Directory in npm/angular-server-side-configuration

angular-server-side-configuration helps configure an Angular application at runtime on the server or in a Docker container via environment variables. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The detected environment variables are written to a ngssc.json file in the output directory. During deployment of an Angular-based app, the environment variables named in ngssc.json are inserted into the app's index.html (or defined index file). With version 15.0.0 the environment variable detection was widened to the entire project, relative to the angular.json file from the Angular CLI. In a monorepo setup, this could lead to environment variables intended for a backend/service being detected and written to ngssc.json, from where they would be populated and exposed via index.html. This has no impact in a plain Angular project that has no backend component. This vulnerability has been mitigated in version 15.1.0 by adding an option `searchPattern`, which restricts the detection file range by default. As a workaround, manually edit or create ngssc.json, or run a script after ngssc.json generation.

Added on 2023-03-27

GHSA-558h-mq8x-7q9g, CVE-2023-25665

NULL Pointer Dereference in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `SparseSparseMaximum` is given invalid sparse tensors as inputs, it can give a null pointer error. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-64jg-wjww-7c5w, CVE-2023-25663

NULL Pointer Dereference in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `ctx->step_container()` is a null pointer, the Lookup function is executed with a null pointer. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-gw97-ff7c-9v96, CVE-2023-25668

Heap-based Buffer Overflow in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. In TensorFlow prior to 2.12.0 and 2.11.1, attackers can cause access to heap memory that is not under the user's control, leading to a crash or remote code execution. A fix is included in TensorFlow version 2.12.0, and the commit is also cherry-picked into TensorFlow version 2.11.1.

Added on 2023-03-27

GHSA-rcf8-g8jv-vg6p, CVE-2023-25669

Incorrect Comparison in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for `tf.raw_ops.AvgPoolGrad`, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-948f-j464-rfj2, CVE-2022-40208

Moodle may allow students to bypass sequential navigation during a quiz attempt in packagist/moodle/moodle

In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

Added on 2023-03-27

GHSA-f637-vh3r-vfh2, CVE-2023-25666

Incorrect Comparison in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a floating point exception in AudioSpectrogram. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-6wfh-89q8-44jq, CVE-2023-25676

NULL Pointer Dereference in pypi/tensorflow-cpu

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-fqm2-gh8w-gr68, CVE-2023-25667

Integer Overflow or Wraparound in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when `2^31 <= num_frames * height * width * channels < 2^32`, for example Full HD screencast of at least 346 frames. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-94mm-g2mv-8p7r, CVE-2023-25672

NULL Pointer Dereference in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-f49c-87jh-g47q, CVE-2023-25801

Double Free in pypi/tensorflow-cpu

TensorFlow is an open source machine learning platform. Prior to versions 2.12.0 and 2.11.1, `nn_ops.fractional_avg_pool_v2` and `nn_ops.fractional_max_pool_v2` require the first and fourth elements of their parameter `pooling_ratio` to be equal to 1.0, as pooling on batch and channel dimensions is not supported. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-93vr-9q9m-pj8p, CVE-2023-25659

Out-of-bounds Read in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`, it can trigger a stack out-of-bounds (OOB) read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-647v-r7qq-24fh, CVE-2023-25673

Incorrect Comparison in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-7jvm-xxmr-v5cw, CVE-2023-25662

Integer Overflow or Wraparound in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 are vulnerable to integer overflow in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-7x4v-9gxg-9hwj, CVE-2023-25675

Incorrect Comparison in pypi/tensorflow-gpu

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.Bincount` segfaults when given a parameter `weights` that is neither the same shape as parameter `arr` nor a length-0 tensor. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-68v3-g9cm-rmm6, CVE-2023-25658

Out-of-bounds Read in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is an out-of-bounds read in GRUBlockCellGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-gf97-q72m-7579, CVE-2023-25674

NULL Pointer Dereference in pypi/tensorflow-gpu

TensorFlow is an open source machine learning platform. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-qjqc-vqcf-5qvj, CVE-2023-25660

NULL Pointer Dereference in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when the parameter `summarize` of `tf.raw_ops.Print` is zero, the new method `SummarizeArray<bool>` dereferences a null pointer, leading to a segmentation fault. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-49rq-hwc3-x77w, CVE-2023-25670

NULL Pointer Dereference in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-6hg6-5c2q-7rcr, CVE-2023-25664

Heap-based Buffer Overflow in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-5w96-866f-6rm8, CVE-2023-27579

Incorrect Comparison in pypi/tensorflow-gpu

TensorFlow is an end-to-end open source platform for machine learning. Constructing a TFLite model with a `filter_input_channel` parameter of less than 1 triggers a floating point exception (FPE). This issue has been patched in version 2.12.0, and the fix commit is also cherry-picked into TensorFlow 2.11.1.

Added on 2023-03-27

GHSA-558h-mq8x-7q9g, CVE-2023-25665

NULL Pointer Dereference in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `SparseSparseMaximum` is given invalid sparse tensors as inputs, it can give a null pointer error. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-64jg-wjww-7c5w, CVE-2023-25663

NULL Pointer Dereference in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `ctx->step_container()` is a null pointer, the Lookup function is executed with a null pointer. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-gw97-ff7c-9v96, CVE-2023-25668

Heap-based Buffer Overflow in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. In TensorFlow prior to 2.12.0 and 2.11.1, attackers can cause access to heap memory that is not under the user's control, leading to a crash or remote code execution. A fix is included in TensorFlow version 2.12.0, and the commit is also cherry-picked into TensorFlow version 2.11.1.

Added on 2023-03-27

GHSA-rcf8-g8jv-vg6p, CVE-2023-25669

Incorrect Comparison in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for `tf.raw_ops.AvgPoolGrad`, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-f637-vh3r-vfh2, CVE-2023-25666

Incorrect Comparison in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a floating point exception in AudioSpectrogram. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-6wfh-89q8-44jq, CVE-2023-25676

NULL Pointer Dereference in pypi/tensorflow-gpu

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-fqm2-gh8w-gr68, CVE-2023-25667

Integer Overflow or Wraparound in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when `2^31 <= num_frames * height * width * channels < 2^32`, for example Full HD screencast of at least 346 frames. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-94mm-g2mv-8p7r, CVE-2023-25672

NULL Pointer Dereference in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-f49c-87jh-g47q, CVE-2023-25801

Double Free in pypi/tensorflow-gpu

TensorFlow is an open source machine learning platform. Prior to versions 2.12.0 and 2.11.1, `nn_ops.fractional_avg_pool_v2` and `nn_ops.fractional_max_pool_v2` require the first and fourth elements of their parameter `pooling_ratio` to be equal to 1.0, as pooling on batch and channel dimensions is not supported. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-93vr-9q9m-pj8p, CVE-2023-25659

Out-of-bounds Read in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`, it can trigger a stack out-of-bounds (OOB) read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-647v-r7qq-24fh, CVE-2023-25673

Incorrect Comparison in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-93vr-9q9m-pj8p, CVE-2023-25659

Out-of-bounds Read in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`, it can trigger a stack out-of-bounds (OOB) read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-f49c-87jh-g47q, CVE-2023-25801

Double Free in pypi/tensorflow

TensorFlow is an open source machine learning platform. Prior to versions 2.12.0 and 2.11.1, `nn_ops.fractional_avg_pool_v2` and `nn_ops.fractional_max_pool_v2` require the first and fourth elements of their parameter `pooling_ratio` to be equal to 1.0, as pooling on batch and channel dimensions is not supported. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-647v-r7qq-24fh, CVE-2023-25673

Incorrect Comparison in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-fqm2-gh8w-gr68, CVE-2023-25667

Integer Overflow or Wraparound in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when `2^31 <= num_frames * height * width * channels < 2^32`, for example Full HD screencast of at least 346 frames. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
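
The overflow condition this advisory states (the same entry appears above for tensorflow-cpu and tensorflow-gpu), worked through in an added Go example that is not TensorFlow's code: accumulating the product of the Full HD screencast dimensions in a signed 32-bit integer wraps negative at exactly 346 frames, while a 64-bit checked multiply rejects it. The dimension order and the checking helper are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

var errOverflow = errors.New("element count does not fit in int32")

// wrappingElementCount mirrors the unchecked arithmetic: the product of the
// dimensions is accumulated in a signed 32-bit integer, so any value in
// [2^31, 2^32) wraps to a negative number that later indexing would trust.
func wrappingElementCount(dims []int32) int32 {
	n := int32(1)
	for _, d := range dims {
		n *= d // Go defines wraparound, so this silently goes negative
	}
	return n
}

// checkedElementCount is the guard the vulnerable code lacked: multiply in
// 64 bits and refuse any product that does not fit the 32-bit type the
// consumer uses. The bound is checked after every step, so n is at most
// 2^31-1 before each multiply and the int64 product cannot itself overflow.
func checkedElementCount(dims []int32) (int32, error) {
	n := int64(1)
	for _, d := range dims {
		if d < 0 {
			return 0, errors.New("negative dimension")
		}
		n *= int64(d)
		if n > math.MaxInt32 {
			return 0, errOverflow
		}
	}
	return int32(n), nil
}

// screencastDims builds the shape from the advisory's example: a stack of
// Full HD frames with three colour channels (constructed dimension order).
func screencastDims(frames int32) []int32 {
	return []int32{frames, 1080, 1920, 3}
}

func main() {
	for _, frames := range []int32{345, 346} {
		dims := screencastDims(frames)
		n, err := checkedElementCount(dims)
		fmt.Printf("%d frames: wrapping=%d checked=%d err=%v\n",
			frames, wrappingElementCount(dims), n, err)
	}
}
```

345 frames give 2,146,176,000 elements, just under 2^31; one more frame adds 6,220,800 and crosses it, which is where the advisory's "at least 346 frames" comes from.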

Added on 2023-03-27

GHSA-6wfh-89q8-44jq, CVE-2023-25676

NULL Pointer Dereference in pypi/tensorflow

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-f637-vh3r-vfh2, CVE-2023-25666

Incorrect Comparison in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a floating point exception in AudioSpectrogram. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-rcf8-g8jv-vg6p, CVE-2023-25669

Incorrect Comparison in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for `tf.raw_ops.AvgPoolGrad`, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-gw97-ff7c-9v96, CVE-2023-25668

Heap-based Buffer Overflow in pypi/tensorflow

TensorFlow is an open source platform for machine learning. In TensorFlow prior to 2.12.0 and 2.11.1, attackers can cause access to heap memory that is not under the user's control, leading to a crash or remote code execution. A fix is included in TensorFlow version 2.12.0, and the commit is also cherry-picked into TensorFlow version 2.11.1.

Added on 2023-03-27

GHSA-64jg-wjww-7c5w, CVE-2023-25663

NULL Pointer Dereference in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `ctx->step_container()` is a null pointer, the Lookup function is executed with a null pointer. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-558h-mq8x-7q9g, CVE-2023-25665

NULL Pointer Dereference in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `SparseSparseMaximum` is given invalid sparse tensors as inputs, it can give a null pointer error. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-5w96-866f-6rm8, CVE-2023-27579

Incorrect Comparison in pypi/tensorflow

TensorFlow is an end-to-end open source platform for machine learning. Constructing a TFLite model with a `filter_input_channel` parameter of less than 1 triggers a floating point exception (FPE). This issue has been patched in version 2.12.0, and the fix commit is also cherry-picked into TensorFlow 2.11.1.

Added on 2023-03-27

GHSA-6hg6-5c2q-7rcr, CVE-2023-25664

Heap-based Buffer Overflow in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-49rq-hwc3-x77w, CVE-2023-25670

NULL Pointer Dereference in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-qjqc-vqcf-5qvj, CVE-2023-25660

NULL Pointer Dereference in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when the parameter `summarize` of `tf.raw_ops.Print` is zero, the new method `SummarizeArray<bool>` dereferences a null pointer, leading to a segmentation fault. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-gf97-q72m-7579, CVE-2023-25674

NULL Pointer Dereference in pypi/tensorflow

TensorFlow is an open source machine learning platform. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-j5w9-hmfh-4cr6, CVE-2023-25671

Out-of-bounds Write in pypi/tensorflow

TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-7jvm-xxmr-v5cw, CVE-2023-25662

Integer Overflow or Wraparound in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 are vulnerable to integer overflow in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Added on 2023-03-27

GHSA-7x4v-9gxg-9hwj, CVE-2023-25675

Incorrect Comparison in pypi/tensorflow

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.Bincount` segfaults when given a parameter `weights` that is neither the same shape as parameter `arr` nor a length-0 tensor. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-68v3-g9cm-rmm6, CVE-2023-25658

Out-of-bounds Read in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is an out-of-bounds read in GRUBlockCellGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Added on 2023-03-27

GHSA-qrrg-gw7w-vp76, CVE-2023-1410

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go/github.com/grafana/grafana

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS was possible because the value of the function description was not properly sanitized. An attacker needs control over the Graphite data source in order to manipulate a function description, a Grafana admin needs to configure that data source, and a Grafana user then needs to select the tampered function and hover over its description. Users may upgrade to version 8.5.22, 9.2.15 or 9.3.11 to receive a fix.

Added on 2023-03-24

GHSA-w4x6-6w3r-9h2m, CVE-2022-3146

tripleo-ansible may disclose important configuration details from an OpenStack deployment in pypi/tripleo-ansible

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment.

Added on 2023-03-24

GHSA-7x96-2w32-w3gw, CVE-2022-3101

tripleo-ansible may disclose important configuration details from an OpenStack deployment in pypi/tripleo-ansible

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment.

Added on 2023-03-24

GHSA-frjg-g767-7363, CVE-2023-26114

code-server vulnerable to Missing Origin Validation in WebSockets in npm/code-server

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSocket handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.
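
What a missing origin check on a WebSocket handshake means in practice, as an added Go example; it is not code-server's code and the hostnames are hypothetical. Browsers attach the `Origin` header and the user's cookies to a cross-site WebSocket handshake, so an upgrade handler that does not compare `Origin` against the host it is serving lets a page on any other site open an authenticated socket. The example shows the check a hardened handler performs before handing the connection to a WebSocket library.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// isWebSocketUpgrade recognises the handshake request itself.
func isWebSocketUpgrade(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
}

// originAllowed is the check the advisory says was missing: the Origin header
// set by the browser must name the host the client connected to, or one on an
// explicit allowlist. Everything else is a cross-site page and is refused.
func originAllowed(r *http.Request, allowlist []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Browsers always send Origin on WebSocket handshakes; an absent
		// header means a non-browser client, which does not carry the
		// victim's cookies and so cannot be a cross-site hijack.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, h := range allowlist {
		if strings.EqualFold(u.Host, h) {
			return true
		}
	}
	return false
}

// handshakeStatus returns the HTTP status a hardened upgrade handler would
// answer with: 400 for a non-handshake, 403 for a foreign origin, 101 to accept.
func handshakeStatus(r *http.Request, allowlist []string) int {
	switch {
	case !isWebSocketUpgrade(r):
		return http.StatusBadRequest
	case !originAllowed(r, allowlist):
		return http.StatusForbidden
	default:
		return http.StatusSwitchingProtocols
	}
}

// newHandshake builds a constructed handshake request as a browser sends it
// when a page served from origin opens a socket to host.
func newHandshake(host, origin string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://"+host+"/", nil)
	r.Host = host
	r.Header.Set("Upgrade", "websocket")
	r.Header.Set("Connection", "Upgrade")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	host := "code.internal.example:8080" // hypothetical code-server address
	for _, origin := range []string{"http://code.internal.example:8080", "https://attacker.example", ""} {
		fmt.Printf("Origin %-36q -> %d\n", origin, handshakeStatus(newHandshake(host, origin), nil))
	}
}
```

The comparison here is on host only; a production check behind TLS should also require the origin's scheme to be `https`, and any allowlist should be exact hostnames, not suffix matches.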

Added on 2023-03-24

GHSA-2q5c-qw9c-fmvq, CVE-2022-41354

Argo CD authenticated but unauthorized users may enumerate Application names via the API in go/github.com/argoproj/argo-cd

### Impact
All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering).

Many Argo CD API endpoints accept an application name as the only parameter. Since Argo CD RBAC requires both the application name and its configured project name (and, if apps-in-any-namespace is enabled, the application's namespace), Argo CD fetches the requested application before performing the RBAC check. If the application does not exist, the API returns a "not found" error. If the application does exist and the user does not have access, the API returns an "unauthorized" error. By trial and error, an attacker can infer which applications exist and which do not.

Note that application resources are not fetched for API calls from _unauthenticated_ users. If your Argo CD instance is accessible from the public internet, unauthenticated users will not be able to cause Argo CD to make Kubernetes API calls.

The patch changes API behavior to return "unauthorized" both when the application is missing and when the user is not authorized to access it. **This change in API behavior may impact API clients.** Check your code to make sure it will handle the new API behavior properly.

### Patches
A patch for this vulnerability has been released in the following Argo CD versions:
* v2.6.7
* v2.5.16
* v2.4.28

### Workarounds
There are no workarounds besides upgrading.

### Credits
Thank you to bean.zhang of HIT-IDS ChunkL Team who discovered the issue and reported it confidentially according to our [guidelines](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability).

### For more information
* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)
* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd

Added on 2023-03-24

GHSA-56r9-72vx-q989, CVE-2023-28330

Moodle arbitrary file read vulnerability in packagist/moodle/moodle

Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

Added on 2023-03-24

GHSA-2q5c-qw9c-fmvq, CVE-2022-41354

Argo CD authenticated but unauthorized users may enumerate Application names via the API in go/github.com/argoproj/argo-cd/v2

### Impact
All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering).

Many Argo CD API endpoints accept an application name as the only parameter. Since Argo CD RBAC requires both the application name and its configured project name (and, if apps-in-any-namespace is enabled, the application's namespace), Argo CD fetches the requested application before performing the RBAC check. If the application does not exist, the API returns a "not found" error. If the application does exist and the user does not have access, the API returns an "unauthorized" error. By trial and error, an attacker can infer which applications exist and which do not.

Note that application resources are not fetched for API calls from _unauthenticated_ users. If your Argo CD instance is accessible from the public internet, unauthenticated users will not be able to cause Argo CD to make Kubernetes API calls.

The patch changes API behavior to return "unauthorized" both when the application is missing and when the user is not authorized to access it. **This change in API behavior may impact API clients.** Check your code to make sure it will handle the new API behavior properly.

### Patches
A patch for this vulnerability has been released in the following Argo CD versions:
* v2.6.7
* v2.5.16
* v2.4.28

### Workarounds
There are no workarounds besides upgrading.

### Credits
Thank you to bean.zhang of HIT-IDS ChunkL Team who discovered the issue and reported it confidentially according to our [guidelines](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability).

### For more information
* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)
* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd

Added on 2023-03-24

CVE-2023-26484, GHSA-cp96-jpmq-xrr2

Incorrect Authorization in go/github.com/kubevirt/kubevirt

KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user has compromised a specific node, is to use the virt-handler service account to set all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, Gatekeeper users can add a webhook which will block the `virt-handler` service account from modifying the spec of a node.

Added on 2023-03-24

GHSA-hh52-g5c4-wprh, CVE-2023-28334

Moodle may allow authenticated users to enumerate other users' names via learning plans page in packagist/moodle/moodle

Authenticated users were able to enumerate other users' names via the learning plans page.

Added on 2023-03-24

GHSA-77jm-f3vj-xvx2, CVE-2023-28331

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.

Added on 2023-03-24

GHSA-vfgq-g5x8-g595, CVE-2023-28436

Improper Privilege Management in go/tailscale.com

Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system does not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules. Tailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used. Affected users should upgrade to version 1.38.2 to remediate the issue.

Added on 2023-03-24

CVE-2022-48367, GHSA-5x4f-7xgq-r42x

Incorrect Authorization in packagist/ezsystems/ezplatform-kernel

An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.

Added on 2023-03-24

GHSA-mfvg-qwcw-qvc8, CVE-2023-25655

Unrestricted Upload of File with Dangerous Type in packagist/baserproject/basercms

baserCMS is a Content Management system. Prior to version 4.7.5, any file may be uploaded on the management system of baserCMS. Version 4.7.5 contains a patch.

Added on 2023-03-24

GHSA-h4cc-fxpp-pgw9, CVE-2023-25654

Unrestricted Upload of File with Dangerous Type in packagist/baserproject/basercms

baserCMS is a Content Management system. Prior to version 4.7.5, there is a Remote Code Execution (RCE) Vulnerability in the management system of baserCMS. Version 4.7.5 contains a patch.

Added on 2023-03-24

GHSA-72w2-j52c-7682, CVE-2023-28329

Moodle SQL Injection vulnerability in packagist/moodle/moodle

Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

Added on 2023-03-24

GHSA-564r-hj7v-mcr5, CVE-2023-20861

Spring Framework vulnerable to denial of service via specially crafted SpEL expression in maven/org.springframework/spring-core

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Added on 2023-03-24

GHSA-fvx4-8h2x-gm9q, CVE-2023-27094

Hippo4j privilege escalation issue in maven/cn.hippo4j/hippo4j-all

An issue found in OpenGoofy Hippo4j v.1.4.3 allows attackers to escalate privileges via the ThreadPoolController of the tenant Management module.

Added on 2023-03-24

GHSA-9f45-9qrw-pp4v, CVE-2023-28332

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

If the algebra filter was enabled but not functional (e.g. the necessary binaries were missing from the server), it presented an XSS risk.

Added on 2023-03-24

CVE-2023-1495

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in maven/com.rebuild/rebuild

A vulnerability classified as critical was found in Rebuild up to 3.2.3. Affected by this vulnerability is the function queryListOfConfig of the file /admin/robot/approval/list. The manipulation of the argument q leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is c9474f84e5f376dd2ade2078e3039961a9425da7. It is recommended to apply a patch to fix this issue. The identifier VDB-223381 was assigned to this vulnerability.

Added on 2023-03-24

GHSA-r47r-87p9-8jh3, CVE-2023-20859

Spring Vault vulnerable to insertion of sensitive information into a log file in maven/org.springframework.vault/spring-vault-core

In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.

Added on 2023-03-24

GHSA-493p-pfq6-5258, CVE-2023-1370

json-smart Uncontrolled Recursion vulnerability in maven/net.minidev/json-smart

[Json-smart](https://netplex.github.io/json-smart/) is a performance-focused JSON processor library. When reaching a `[` or `{` character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit on the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Added on 2023-03-24

GHSA-wxmq-v9gx-75pg, CVE-2023-28335

Cross-Site Request Forgery (CSRF) in packagist/moodle/moodle

The link to reset all templates of a database activity does not include the necessary token to prevent a CSRF risk.

Added on 2023-03-24

GHSA-4pqp-69m3-f8pp, CVE-2023-24788

NotrinosERP vulnerable to SQL Injection in packagist/notrinos/notrinos-erp

NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at /NotrinosERP/sales/customer_delivery.php.

Added on 2023-03-24

GHSA-8vg2-wf3q-mwv7, CVE-2023-28443

Insertion of Sensitive Information into Log File in npm/directus

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.

Added on 2023-03-24

GHSA-vj5p-fp42-774p, CVE-2023-1402

Moodle may display roles to users who don't have access to them in packagist/moodle/moodle

The course participation report required additional checks to prevent roles being displayed which the user does not have access to view.

Added on 2023-03-24

GHSA-prjm-2fj2-787f, CVE-2023-28336

Moodle may allow teachers to access the names of users they could not otherwise access in packagist/moodle/moodle

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

Added on 2023-03-24

GHSA-q2x3-2f9g-h559, CVE-2023-28333

Moodle's Mustache pix helper contained a potential Mustache injection risk if combined with user input in packagist/moodle/moodle

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This does not appear to be implemented/exploitable anywhere in the core Moodle LMS).

Added on 2023-03-24

GHSA-55m9-hm92-xm8j, CVE-2022-45004

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go/github.com/gophish/gophish

Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.

Added on 2023-03-23

GHSA-vf7q-g2pv-jxvx, CVE-2023-28438

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/pimcore/pimcore

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.

Added on 2023-03-23

GHSA-jxr6-7qg5-8wv6, CVE-2023-0870

OpenNMS Meridian and Horizon vulnerable to Cross-Site Request Forgery in maven/org.opennms/opennms-webapp

A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. This can potentially allow an attacker to gain access to confidential information and compromise integrity. The solution is to upgrade to Meridian 2023.1.1 or Horizon 31.0.6 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Added on 2023-03-23

GHSA-q6g2-g7f3-rr83, CVE-2023-1436

Jettison vulnerable to infinite recursion in maven/org.codehaus.jettison/jettison

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

Added on 2023-03-23

GHSA-2c9m-w27f-53rm, CVE-2023-28708

Unprotected Transport of Credentials in maven/org.apache.tomcat/tomcat-catalina

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 do not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Added on 2023-03-23

GHSA-5mqj-xc49-246p, CVE-2023-28119

Allocation of Resources Without Limits or Throttling in go/github.com/crewjam/saml

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.

Added on 2023-03-23

CVE-2023-1578, GHSA-42c3-wvww-gcqj

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/pimcore/pimcore

SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19.

Added on 2023-03-23

GHSA-7mjv-x3jf-545x, CVE-2023-1314

cloudflared's Installer has Local Privilege Escalation Vulnerability in go/github.com/cloudflare/cloudflared

A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory. An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process. Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised. The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices.

Added on 2023-03-22

GHSA-3x8x-79m2-3w2w, CVE-2021-46877

jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode in maven/com.fasterxml.jackson.core/jackson-databind

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Added on 2023-03-22

GHSA-rwrx-x2hw-9h5w, CVE-2023-26513

Excessive Iteration in maven/org.apache.sling/org.apache.sling.resourcemerger

Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger. This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.

Added on 2023-03-22

CVE-2023-1517, GHSA-42x8-2v53-pqmj

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/pimcore/pimcore

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19.

Added on 2023-03-22

CVE-2023-28429, GHSA-rcg9-hrhx-6q69

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/pimcore/pimcore

Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 10.5.19 or, as a workaround, apply the patch manually.

Added on 2023-03-22

GHSA-ch9g-x9j7-rcgp, CVE-2023-1496

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go/github.com/imgproxy/imgproxy/v3

Cross-site Scripting (XSS) - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0.

Added on 2023-03-22

CVE-2023-27586, GHSA-rwmf-w63j-p7gv

Server-Side Request Forgery (SSRF) in pypi/CairoSVG

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.

Added on 2023-03-22

CVE-2023-1515, GHSA-66cm-c7ch-5j8q

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/pimcore/pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.

Added on 2023-03-22

CVE-2023-28609, GHSA-pmhg-cmjc-3875

Ansible Semaphore mishandles authentication in go/github.com/ansible-semaphore/semaphore

api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication.

Added on 2023-03-22

GHSA-xrqq-wqh4-5hg2, CVE-2023-28426

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/enshrined/svg-sanitize

svg-sanitizer is a PHP SVG/XML Sanitizer. A bypass has been found in versions prior to 0.16.0 that allows an attacker to upload an SVG with persistent cross-site scripting. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a text node and therefore, the library wasn't seeing them as DOM elements. This issue is fixed in version 0.16.0. Any data within a CDATA node will now be sanitised using HTMLPurifier. The maintainers have also removed many of the HTML and MathML elements from the allowed element list, as without ForeignObject, they're not legal within the SVG context. There are no known workarounds.

Added on 2023-03-22

CVE-2023-1545, GHSA-ppxm-q2h4-v7mm

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/nilsteampassnet/teampass

SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

Added on 2023-03-22

CVE-2023-26113, GHSA-47pj-q2vm-46xc

Collection.js vulnerable to Prototype Pollution in npm/collection.js

Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js.

Added on 2023-03-22

GHSA-83qr-c7m9-wmgw, CVE-2023-1535

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go/github.com/answerdev/answer

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

Added on 2023-03-22

GHSA-g44v-6qfm-f6ch, CVE-2023-1539

Guessable CAPTCHA in go/github.com/answerdev/answer

Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.

Added on 2023-03-22

GHSA-r95w-7cpx-h5mx, CVE-2023-1542

Answer vulnerable to Business Logic Errors in go/github.com/answerdev/answer

Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6.

Added on 2023-03-22

CVE-2023-27087, GHSA-jhjm-5xjg-mpqp

Xuxueli xxl-job allows attacker to obtain sensitive information via the pageList parameter in maven/com.xuxueli/xxl-job

Permissions vulnerability found in Xuxueli xxl-job v2.2.0, v2.3.0 and v2.3.1 allows attacker to obtain sensitive information via the pageList parameter.

Added on 2023-03-22

CVE-2023-28118, GHSA-c24f-2j3g-rg48

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in maven/com.charleskorn.kaml/kaml

kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. There are no known workarounds.

Added on 2023-03-22

GHSA-hwj7-frgj-7829, CVE-2023-1537

Authentication Bypass by Capture-replay in go/github.com/answerdev/answer

Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6.

Added on 2023-03-22

GHSA-h2wg-83fc-xvm9, CVE-2023-1541

Answer vulnerable to Business Logic Errors in go/github.com/answerdev/answer

Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6.

Added on 2023-03-22

GHSA-xvfj-84vc-hrmf, CVE-2023-1536

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go/github.com/answerdev/answer

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

Added on 2023-03-22

GHSA-h384-ph77-3699, CVE-2018-25082

Improper Restriction of XML External Entity Reference in pypi/weixin-python

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name of the patch is e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.

Added on 2023-03-22

GHSA-7g53-jj25-jhgr, CVE-2023-24776

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php.

Added on 2023-03-22

GHSA-79hx-g43v-xfmr, CVE-2023-1543

Insufficient Session Expiration in go/github.com/answerdev/answer

Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.

Added on 2023-03-22

GHSA-6x5v-cxpp-pc5x, CVE-2023-1540

Observable Response Discrepancy in go/github.com/answerdev/answer

Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

Added on 2023-03-22

GHSA-rvjp-8qj4-8p29, CVE-2023-1538

Observable Timing Discrepancy in go/github.com/answerdev/answer

Observable Timing Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

Added on 2023-03-22

CVE-2023-27589, GHSA-9wfv-wmf7-6753

Improper Access Control in go/github.com/minio/minio

Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`.

Added on 2023-03-22

CVE-2023-27102

NULL Pointer Dereference in conan/libde265

Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.

Added on 2023-03-21

GHSA-w6pv-c757-6rgr, CVE-2021-39880

apollo_upload_server has Denial of Service vulnerability in gem/apollo_upload_server

A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.

Added on 2023-03-20

CVE-2023-1463, GHSA-86jq-pwgx-6vrq

Improper Authorization in packagist/nilsteampassnet/teampass

Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

Added on 2023-03-20

CVE-2023-28109, GHSA-vq59-5x26-h639

Authorization Bypass Through User-Controlled Key in go/github.com/play-with-docker/play-with-docker

Play With Docker is a browser-based Docker playground. Versions 0.0.2 and prior are vulnerable to domain hijacking. Because CORS configuration was not correct, an attacker could use `play-with-docker.com` as an example and set the origin header in an HTTP request as `evil-play-with-docker.com`. The domain would echo in the response header, which successfully bypassed the CORS policy and retrieved basic user information. This issue has been fixed in commit ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a. There are no known workarounds.

Added on 2023-03-20

CVE-2023-27103

Out-of-bounds Write in conan/libde265

Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.

Added on 2023-03-20

CVE-2023-28106, GHSA-x5j3-mq9g-8jc8

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/pimcore/pimcore

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.

Added on 2023-03-20

GHSA-gq6w-q6wh-jggc, CVE-2023-28115

Deserialization of Untrusted Data in packagist/knplabs/knp-snappy

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server, they can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when Snappy is used with frameworks with documented POP chains like Laravel/Symfony or vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.

Added on 2023-03-20

CVE-2023-27583, GHSA-82wq-gmw8-g87v

Use of Hard-coded Credentials in go/github.com/px-org/PanIndex

PanIndex is a network disk directory index. In Panindex prior to version 3.1.3, a hard-coded JWT key `PanIndex` is used. An attacker can use the hard-coded JWT key to sign JWT token and perform any actions as a user with admin privileges. Version 3.1.3 has a patch for the issue. As a workaround, one may change the JWT key in the source code before compiling the project.

Added on 2023-03-20

CVE-2023-28108, GHSA-xc9p-r5qj-8xm9

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/pimcore/pimcore

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in the UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using these methods with input data and not doing proper input validation in advance, and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.

Added on 2023-03-20

GHSA-8fg8-jh2h-f2hc, CVE-2023-27594

Improper Authorization in go/github.com/cilium/cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. This issue only manifests when Cilium is routing IPv6 traffic and NodePorts are used to route traffic to pods. IPv6 and endpoint routes are both disabled by default. The problem has been fixed and is available on versions 1.11.15, 1.12.8, and 1.13.1. As a workaround, disable IPv6 routing.

Added on 2023-03-20

GHSA-4hc4-pgfx-3mrx, CVE-2023-27593

Incorrect Default Permissions in go/github.com/cilium/cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. The issue has been fixed and the fix is available on versions 1.11.15, 1.12.8, and 1.13.1. Some workarounds are available. Kubernetes RBAC should be used to deny users and service accounts `exec` access to Cilium agent pods. In cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible.

Added on 2023-03-20

GHSA-r5x6-w42p-jhpp, CVE-2023-27595

Improper Handling of Exceptional Conditions in go/github.com/cilium/cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). This vulnerability is fixed in Cilium 1.13.1 or later. Cilium releases 1.12.x, 1.11.x, and earlier are not affected. There are no known workarounds.

Added on 2023-03-20

CVE-2023-27494, GHSA-9c6g-qpgj-rvxw

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/streamlit

Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with JavaScript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious JavaScript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.

Added on 2023-03-20

CVE-2023-27577, GHSA-vhm8-wwrf-3gcw

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in packagist/flarum/flarum

flarum is a forum software package for building communities. In versions prior to 1.7.0, an admin account which has already been compromised by an attacker may use a vulnerability in the `LESS` parser which can be exploited to read sensitive files on the server through the use of path traversal techniques. An attacker can achieve this by providing an absolute path to a sensitive file in the custom `LESS` setting, which the `LESS` parser will then read. For example, an attacker could use the following code to read the contents of the `/etc/passwd` file on a Linux machine. The scope of which files are vulnerable will depend on the permissions given to the running flarum process. The vulnerability has been addressed in version `1.7`. Users should upgrade to this version to mitigate the vulnerability. Users unable to upgrade may mitigate the vulnerability by ensuring that their admin accounts are secured with strong passwords and follow other best practices for account security. Additionally, users can limit the exposure of sensitive files on the server by implementing appropriate file permissions and access controls at the operating system level.

Added on 2023-03-17

GHSA-pqg3-xfx2-fmqp, CVE-2023-27905

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci/update-center2

Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting.

Added on 2023-03-17

GHSA-cp96-jpmq-xrr2, CVE-2023-26484

Incorrect Authorization in go/kubevirt.io/kubevirt

KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user has compromised a specific node, is to use the virt-handler service account to set all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, Gatekeeper users can add a webhook which will block the `virt-handler` service account from modifying the spec of a node.

Added on 2023-03-17

GHSA-xg89-vvwp-9c27, CVE-2023-27095

Exposure of Sensitive Information in OpenGoofy Hippo4j in maven/cn.hippo4j/hippo4j-core

Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows an attacker to escalate privileges via the AddUser method of the UserController function in the Tenant Management module.

Added on 2023-03-17

CVE-2023-25695, GHSA-h6g5-wqqr-3mw3

Generation of Error Message Containing Sensitive Information in pypi/apache-airflow

Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.5.2.

Added on 2023-03-17

GHSA-p4g9-c9qr-wmg5, CVE-2017-20182

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/django-ajax-utilities

A vulnerability was found in Mobile Vikings Django AJAX Utilities up to 1.2.1 and classified as problematic. This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument url leads to cross-site scripting. The attack may be initiated remotely. The name of the patch is 329eb1dd1580ca1f9d4f95bc69939833226515c9. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222611.

Added on 2023-03-17

CVE-2023-27899

Incorrect Authorization in maven/org.jenkins-ci.main/jenkins-core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.

Added on 2023-03-17

GHSA-2rq5-699j-x7p6, CVE-2023-25345

Arbitrary local file read vulnerability during template rendering in npm/swig-templates

Directory traversal vulnerability in swig-templates through 2.0.4 and swig through 1.4.2 allows attackers to read arbitrary files via the include or extends tags.

Added on 2023-03-17

GHSA-4grc-q4fj-45p8, CVE-2023-0100

Improper Input Validation In Eclipse BIRT in maven/org.eclipse.birt/org.eclipse.birt.report.viewer

In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed retrieving a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are put in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched in Eclipse BIRT 4.13.

Added on 2023-03-17

CVE-2023-28155, GHSA-p8p7-x288-28g6

Server-Side Request Forgery in Request in npm/request

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Added on 2023-03-17

GHSA-2rq5-699j-x7p6, CVE-2023-25345

Arbitrary local file read vulnerability during template rendering in npm/swig

Directory traversal vulnerability in swig-templates through 2.0.4 and swig through 1.4.2 allows attackers to read arbitrary files via the include or extends tags.

Added on 2023-03-17

CVE-2023-27901

Allocation of Resources Without Limits or Throttling in maven/org.jenkins-ci.main/jenkins-core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.

Added on 2023-03-17

CVE-2023-1429, GHSA-3223-w774-99fq

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/pimcore/pimcore

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19.

Added on 2023-03-17

CVE-2023-28105, GHSA-5g39-ppwg-6xx8

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/dablelv/go-huge-util/zip

go-used-util provides commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using the fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files supplied by a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.

Added on 2023-03-17

CVE-2023-27900

Allocation of Resources Without Limits or Throttling in maven/org.jenkins-ci.main/jenkins-core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.

Added on 2023-03-17

CVE-2023-27898

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.main/jenkins-core

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

Added on 2023-03-17

CVE-2023-27902

Improper Access Control in maven/org.jenkins-ci.main/jenkins-core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents.

Added on 2023-03-17

GHSA-36f2-fcrx-fp4j, CVE-2021-29456

URL Redirection to Untrusted Site ('Open Redirect') in go/github.com/authelia/authelia/v4

Utilizing an HTTP query parameter, an attacker is able to redirect users from the web application to any domain. The URL of the intended redirect should always be checked for safety prior to forwarding the user. Other endpoints of the web application already do this: they check both that the domain is using the HTTPS protocol and that it exists on a domain associated with the application. An attacker is able to use this unintended functionality to redirect users to malicious sites. This particular security issue allows the attacker to make a phishing attempt seem much more trustworthy to a user of the web application, as the initial site before redirection is familiar to them, as is the actual URL, which they have theoretically visited frequently.

Added on 2023-03-17

CVE-2023-28104, GHSA-67g8-c724-8mp3

Allocation of Resources Without Limits or Throttling in packagist/silverstripe/graphql

`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.

Added on 2023-03-17

GHSA-pf59-j7c2-rh6x, CVE-2020-13597

Exposure of Sensitive Information to an Unauthorized Actor in go/github.com/projectcalico/calico

Clusters using Calico (version 3.14.0 and below) or Calico Enterprise (version 2.8.2 and below) may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node's IPv6 interface because the node accepts route advertisements by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.

Added on 2023-03-17

GHSA-66m4-gc8h-hpjx, CVE-2022-48366

Timing attack in eZ Platform Ibexa in packagist/ezsystems/ezplatform-kernel

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack.

Added on 2023-03-16

GHSA-c737-jhwr-fqxj, CVE-2021-46875

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/ezsystems/ezplatform-kernel

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file.

Added on 2023-03-16

CVE-2022-48365, GHSA-8h83-chh2-fchp, GHSA-99r3-xmmq-7q7g, GHSA-qq2j-9pf8-g58c

Company admin role gives excessive privileges in eZ Platform Ibexa in packagist/ezsystems/ezplatform-kernel

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.

Added on 2023-03-16

CVE-2022-48367, GHSA-5x4f-7xgq-r42x, GHSA-h5v2-wrhp-5v35

Access control issue in ezsystems/ezpublish-kernel in packagist/ezsystems/ezpublish-kernel

An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.

Added on 2023-03-16

GHSA-66m4-gc8h-hpjx, CVE-2022-48366

Timing attack in eZ Platform Ibexa in packagist/ezsystems/ezpublish-kernel

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack.

Added on 2023-03-16

GHSA-c737-jhwr-fqxj, CVE-2021-46875

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/ezsystems/ezpublish-kernel

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file.

Added on 2023-03-16

CVE-2023-27904

Generation of Error Message Containing Sensitive Information in maven/org.jenkins-ci.main/jenkins-core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.

Added on 2023-03-16

CVE-2022-48365, GHSA-8h83-chh2-fchp, GHSA-99r3-xmmq-7q7g, GHSA-qq2j-9pf8-g58c

Company admin role gives excessive privileges in eZ Platform Ibexa in packagist/ezsystems/ezpublish-kernel

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.

Added on 2023-03-16

CVE-2023-27903

Incorrect Authorization in maven/org.jenkins-ci.main/jenkins-core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.

Added on 2023-03-16

GHSA-89p3-9j8c-fqh4, CVE-2021-46876

User account enumeration in eZ Publish Ibexa Kernel in packagist/ezsystems/ezpublish-kernel

An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence.

Added on 2023-03-16

CVE-2023-1286

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/pimcore/pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.

Added on 2023-03-16

CVE-2023-25573, GHSA-mcwr-j9vm-5g8h

Missing Authorization in maven/io.metersphere/metersphere

metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files available to the running process. This issue has been addressed in version 1.20.20 lts and 2.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2023-03-16

CVE-2023-26464

Deserialization of Untrusted Data in maven/log4j/log4j

** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on a JRE older than 1.7, an attacker who manages to cause a logging entry involving a specially crafted (i.e., deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve denial of service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Added on 2023-03-16

GHSA-c5vj-f36q-p9vg, CVE-2023-27580

Use of Password Hash With Insufficient Computational Effort in packagist/codeigniter4/shield

CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible. If an attacker obtains (1) the user's hashed password produced by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere else, the attacker may easily crack the user's password. Upgrade to Shield v1.0.0-beta.4 or later to fix this issue. After upgrading, all users' hashed passwords should be updated (saved to the database). There are no known workarounds.

Added on 2023-03-16

GHSA-r76w-3wwq-jv6v, CVE-2023-27891

Insufficient Session Expiration in pypi/pretix

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.

Added on 2023-03-16

CVE-2023-27577, GHSA-vhm8-wwrf-3gcw

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in packagist/flarum/core

flarum is a forum software package for building communities. In versions prior to 1.7.0, an admin account which has already been compromised by an attacker may use a vulnerability in the `LESS` parser which can be exploited to read sensitive files on the server through the use of path traversal techniques. An attacker can achieve this by providing an absolute path to a sensitive file in the custom `LESS` setting, which the `LESS` parser will then read. For example, an attacker could use the following code to read the contents of the `/etc/passwd` file on a Linux machine. Which files are exposed will depend on the permissions given to the running flarum process. The vulnerability has been addressed in version `1.7`. Users should upgrade to this version to mitigate the vulnerability. Users unable to upgrade may mitigate the vulnerability by ensuring that their admin accounts are secured with strong passwords and by following other best practices for account security. Additionally, users can limit the exposure of sensitive files on the server by implementing appropriate file permissions and access controls at the operating system level.

Added on 2023-03-16

GHSA-3g43-x7qr-96ph, CVE-2023-25170

Cross-Site Request Forgery (CSRF) in packagist/prestashop/prestashop

PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.

Added on 2023-03-16

CVE-2023-25814, GHSA-fwc3-5h55-mh2j

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/io.metersphere/metersphere

metersphere is an open source continuous testing platform. In versions prior to 2.7.1, a user who has permission to create a resource file through UI operations is able to append a path to their submission query which will be read by the system and displayed to the user. This allows users of the system to read arbitrary files on the filesystem of the server so long as the server process itself has permission to read the requested files. This issue has been addressed in version 2.7.1. All users are advised to upgrade. There are no known workarounds for this issue.

Added on 2023-03-16

GHSA-v43v-pv95-jc55, CVE-2023-24775

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member.php.

Added on 2023-03-16

GHSA-4g76-w3xw-2x6w, CVE-2023-27582

Authentication Bypass by Primary Weakness in go/github.com/foxcpp/maddy

maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if a SASL authorization username is specified when using the PLAIN authentication mechanism. Instead of validating the specified authorization username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.

Added on 2023-03-16

GHSA-5gp5-vxj6-4257, CVE-2022-4134

Inclusion of Functionality from Untrusted Control Sphere in pypi/glance

A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images.

Added on 2023-03-16

CVE-2023-0845

NULL Pointer Dereference in go/github.com/hashicorp/consul

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.

Added on 2023-03-16

CVE-2023-0845

NULL Pointer Dereference in go/github.com/hashicorp/consul/acl

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.

Added on 2023-03-16

GHSA-rqm8-q8j9-662f, CVE-2023-1299

Nomad Job Submitter Privilege Escalation Using Workload Identity in go/github.com/hashicorp/nomad

HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

Added on 2023-03-16

CVE-2023-27490, GHSA-7r7x-4c4q-c4qf

Session Fixation in npm/next-auth

NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth providers in versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network, or who is able to social engineer the victim into clicking a manipulated login link, could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may, using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.

Added on 2023-03-16

GHSA-7pmh-8qjj-4q36, CVE-2023-24780

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/columns.

Added on 2023-03-16

CVE-2023-26109

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in npm/node-bluetooth-serial-port

All versions of the package node-bluetooth-serial-port are vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation.

Added on 2023-03-16

CVE-2023-28154, GHSA-hc6q-2mpp-qw7j

Cross-realm object access in Webpack 5 in npm/webpack

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Added on 2023-03-16

CVE-2023-27477, GHSA-xm67-587q-r2vw

Off-by-one Error in conan/wasmtime

wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calculation of the mask to the `pshufb` instruction which causes incorrect results to be returned if lanes are selected from the second vector. This codegen bug has been fixed in Wasmtime 6.0.1, 5.0.1, and 4.0.1. Users are recommended to upgrade to these updated versions. If upgrading is not an option for you at this time, you can avoid this miscompilation by disabling the Wasm simd proposal. Additionally, the bug is only present on x86_64 hosts. Other platforms such as AArch64 and s390x are not affected.

Added on 2023-03-16

CVE-2023-26489, GHSA-ff4p-7xrq-q5r8

Out-of-bounds Read in conan/wasmtime

wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective address. This bug means that, with default codegen settings, a wasm-controlled load/store operation could read/write addresses up to 35 bits away from the base of linear memory. Due to this bug, addresses up to `0xffffffff * 8 + 0x7ffffffc = 36507222004 = ~34G` bytes away from the base of linear memory are reachable from guest code. This means that the virtual memory from 6G away from the base of linear memory up to ~34G away can be read/written by a malicious module. A guest module can, without the knowledge of the embedder, read/write memory in this region. The memory may belong to other WebAssembly instances when using the pooling allocator, for example. Affected embedders are recommended to analyze preexisting wasm modules to see if they're affected by the incorrect codegen rules and possibly correlate that with an anomalous number of traps during historical execution to locate possibly suspicious modules.

The specific bug in Cranelift's x86_64 backend is that a WebAssembly address which is left-shifted by a constant amount from 1 to 3 will get folded into x86_64's addressing modes which perform shifts. For example `(i32.load (i32.shl (local.get 0) (i32.const 3)))` loads from the WebAssembly address `$local0 << 3`. When translated to Cranelift the `$local0 << 3` computation, a 32-bit value, is zero-extended to a 64-bit value and then added to the base address of linear memory. Cranelift would generate an instruction of the form `movl (%base, %local0, 8), %dst` which calculates `%base + %local0 << 3`. The bug here, however, is that the address computation happens with 64-bit values, where the `$local0 << 3` computation was supposed to be truncated to a 32-bit value. This means that `%local0`, which can use up to 32 bits for an address, gets 3 extra bits of address space accessible via this `movl` instruction.

The fix in Cranelift is to remove the erroneous lowering rules in the backend which handle these zero-extended expressions. The above example is then translated to `movl %local0, %temp; shl $3, %temp; movl (%base, %temp), %dst`, which correctly truncates the intermediate computation of `%local0 << 3` to 32 bits inside the `%temp` register, which is then added to the `%base` value. Wasmtime versions 4.0.1, 5.0.1, and 6.0.1 have been released and have all been patched to no longer contain the erroneous lowering rules.

While updating Wasmtime is recommended, there are a number of possible workarounds that embedders can employ to mitigate this issue if updating is not possible. Note that none of these workarounds are on by default and all require explicit configuration:

1. The `Config::static_memory_maximum_size(0)` option can be used to force all accesses to linear memory to be explicitly bounds-checked. This performs a bounds check separately from the address-mode computation, which correctly calculates the effective address of a load/store. Note that this can have a large impact on the execution performance of WebAssembly modules.

2. The `Config::static_memory_guard_size(1 << 36)` option can be used to greatly increase the guard pages placed after linear memory. This guarantees that memory accesses up to 34G away are semantically correct by reserving unmapped memory for the instance. Note that this reserves a very large amount of virtual memory per instance and can greatly reduce the maximum number of concurrent instances being run.

3. If using a non-x86_64 host is possible, then that will also work around this bug. This bug does not affect Wasmtime's or Cranelift's AArch64 backend, for example.

Added on 2023-03-16

CVE-2023-27483, GHSA-vfvj-3m3g-m532

Uncontrolled Resource Consumption in go/github.com/crossplane/crossplane-runtime

crossplane-runtime is a set of Go libraries used to build Kubernetes controllers in Crossplane and its related stacks. An out-of-memory panic vulnerability has been discovered in affected versions. Applications that use the `Paved` type's `SetValue` method with user-provided input without proper validation might use excessive amounts of memory and cause an out-of-memory panic. In the fieldpath package, the `Paved.SetValue` method sets a value on the `Paved` object according to the provided path, without any validation. This allows setting values in slices at any provided index, which grows the target array up to the requested index. The index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value. If callers are not validating path indexes on their own, which most probably are not, given that the input is parsed directly in the `SetValue` method, this could allow users to consume arbitrary amounts of memory. Applications that do not use the `Paved` type's `SetValue` method are not affected. This issue has been addressed in versions 0.16.1 and 0.19.2. Users are advised to upgrade. Users unable to upgrade can parse and validate the path before passing it to the `SetValue` method of the `Paved` type, constraining the index size as deemed appropriate.

Added on 2023-03-16

GHSA-m8wf-wmwh-jw2m, CVE-2023-24773

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list.

Added on 2023-03-16

GHSA-qhq8-2f3m-gxvp, CVE-2023-24782

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit.

Added on 2023-03-16

GHSA-vhrv-9f9g-rfrx, CVE-2023-24781

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\MemberLevel.php.

Added on 2023-03-16

GHSA-pvp6-53r9-8vxh, CVE-2023-24777

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/list.

Added on 2023-03-16

GHSA-9qvw-fhj2-xqmv, CVE-2023-1367

Improper Control of Generation of Code ('Code Injection') in packagist/alextselegidis/easyappointments

Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Added on 2023-03-16

CVE-2023-26491, GHSA-32gr-4cq6-5w5q

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/rsshub

RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. This vulnerability was fixed in version c910c4d28717fb860fbe064736641f379fab2c91. Please upgrade to this or a later version; there are no known workarounds.

Added on 2023-03-15

CVE-2022-4904

Improper Input Validation in conan/c-ares

A flaw was found in the c-ares package. The ares_set_sortlist function is missing checks on the validity of the input string, which allows a possible arbitrary-length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

Added on 2023-03-15