Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory Database within 1.1 days (on average).

GHSA-58rj-w2qf-qjg7, CVE-2022-42095

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/backdrop/backdrop

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.

Added on 2022-11-24

GHSA-562r-vg33-8x8h, CVE-2022-41946

Insecure Temporary File in maven/org.postgresql/postgresql

pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatement.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix-like systems, but not MacOS. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.

Added on 2022-11-24

GHSA-5jph-wrq7-v9hf, CVE-2022-4044

Denial of service in Mattermost in go/github.com/mattermost/mattermost-server

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.

Added on 2022-11-24

GHSA-v42f-hq78-8c5m, CVE-2022-4045

Denial of service in Mattermost in go/github.com/mattermost/mattermost-server

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data.

Added on 2022-11-24

GHSA-8v23-w4w5-w83c, CVE-2022-45149

Cross-Site Request Forgery (CSRF) in packagist/moodle/moodle

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in the course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.

Added on 2022-11-24

GHSA-wqg7-mx6p-2rw3, CVE-2022-45462

Improper Neutralization of Special Elements used in a Command ('Command Injection') in maven/org.apache.dolphinscheduler/dolphinscheduler-alert-plugins

Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher.

Added on 2022-11-24

CVE-2022-43685

Improper Authentication in pypi/ckan

CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.

Added on 2022-11-24

GHSA-4262-wr7p-gpcj, CVE-2019-6804

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.rundeck/rundeck

An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascripts/workflowStepEditorKO.js and views/execution/_wfitemEdit.gsp.

Added on 2022-11-23

CVE-2022-41894, GHSA-h6q3-vv32-2cq5

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in pypi/tensorflow

TensorFlow is an open source platform for machine learning. The reference kernel of the `CONV_3D_TRANSPOSE` TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different from the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-23

GHSA-cm43-f2pv-6v68, CVE-2022-41131

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/apache-airflow

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Hive Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Hive Provider version 4.1.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version that has a lower version of the Hive Provider installed.

Added on 2022-11-23

GHSA-45r6-j3cc-6mxx, CVE-2022-40954

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/apache-airflow

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbitrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version that has a lower version of the Spark Provider installed.

Added on 2022-11-23

GHSA-7wqf-h36w-47mc, CVE-2022-38649

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/apache-airflow

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.

Added on 2022-11-23

GHSA-9fc5-q25c-r2wr, CVE-2014-4172

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in packagist/jasig/phpcas

A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allows remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.

Added on 2022-11-23

GHSA-7qm4-p377-fr2r, CVE-2017-15709

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.activemq/activemq-parent

When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel version) are exposed as plain text.

Added on 2022-11-23

GHSA-w73q-mc9g-j56x, CVE-2018-1000817

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.grails.plugins/asset-pipeline

Asset Pipeline Grails Plugin Asset-pipeline plugin versions prior to 2.14.1.1, 2.15.1 and 3.0.6 contain an Incorrect Access Control vulnerability in applications deployed in Jetty that can result in downloading .class files and any arbitrary file. This attack appears to be exploitable via a specially crafted GET request containing directory traversal from the assets-pipeline context. This vulnerability appears to have been fixed in 2.14.1.1 (for Grails 2.x), 2.15.1 (for Grails 3 and Java 7) and 3.0.6 (for Grails 3 and Java 8).

Added on 2022-11-23

GHSA-g7wm-22m6-5774, CVE-2018-17605

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.grails.plugins/asset-pipeline

An issue was discovered in the Asset Pipeline plugin before 3.0.4 for Grails. An attacker can perform directory traversal via a crafted request when a servlet-based application is executed in Jetty, because there is a classloader vulnerability that can allow a reverse file traversal route in AssetPipelineFilter.groovy or AssetPipelineFilterCore.groovy.

Added on 2022-11-23

CVE-2021-33621

Interpretation Conflict in gem/cgi

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

Added on 2022-11-23

GHSA-9fc5-q25c-r2wr, CVE-2014-4172

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in maven/org.jasig.cas/cas-client

A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allows remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.

Added on 2022-11-23

GHSA-wx2w-8pqw-vp4g, CVE-2019-20528

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.igniterealtime.openfire/xmppserver

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter.

Added on 2022-11-23

GHSA-jphj-5g3m-w7x6, CVE-2018-11688

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.igniterealtime.openfire/parent

Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Added on 2022-11-23

GHSA-59h8-h34r-q9cv, CVE-2019-18393

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.igniterealtime.openfire/parent

PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability.

Added on 2022-11-23

GHSA-mfjw-x4q4-69p9, CVE-2019-18394

Server-Side Request Forgery (SSRF) in maven/org.igniterealtime.openfire/parent

A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.

Added on 2022-11-23

GHSA-5cg5-7vw6-jw4r, CVE-2019-20526

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.igniterealtime.openfire/parent

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter.

Added on 2022-11-23

GHSA-5gmf-8gh2-hhfp, CVE-2017-1000245

Insufficiently Protected Credentials in maven/org.jenkins-ci.plugins/ssh

The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.

Added on 2022-11-23

GHSA-22c6-3h88-26m3, CVE-2019-20527

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.igniterealtime.openfire/parent

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter.

Added on 2022-11-23

GHSA-h2mq-p9r5-wh94, CVE-2019-20525

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.igniterealtime.openfire/parent

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter.

Added on 2022-11-23

GHSA-v3h2-4j2r-wqj8, CVE-2017-15911

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.igniterealtime.openfire/parent

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.

Added on 2022-11-23

GHSA-v4mq-p756-p4f5, CVE-2018-13864

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/com.typesafe.play/play_2.12

A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.

Added on 2022-11-23

GHSA-pj45-8vhc-mh2f, CVE-2017-1000402

Improper Input Validation in maven/org.jenkins-ci.plugins/swarm-client

Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.

Added on 2022-11-23

GHSA-rp7f-fhm8-9hpf, CVE-2022-33012

Account Takeover Through Password Reset Poisoning in packagist/microweber/microweber

Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.

Added on 2022-11-23

GHSA-g9cp-9fw3-56cf, CVE-2022-42097

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/backdrop/backdrop

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment'.

Added on 2022-11-23

GHSA-hgjr-xwj3-jfvw, CVE-2016-9606

Improper Input Validation in maven/org.jboss.resteasy/resteasy-bom

JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.

Added on 2022-11-23

GHSA-vcvg-g8p2-3hqr, CVE-2022-42094

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/backdrop/backdrop

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.

Added on 2022-11-23

GHSA-rmf2-pwfq-h75j, CVE-2022-40189

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/apache-airflow

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.

Added on 2022-11-23

GHSA-hffx-r282-w2g9, CVE-2022-42123

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/com.liferay.portal/release.portal.bom

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Added on 2022-11-22

GHSA-g8jw-8vpv-pv5q, CVE-2022-42096

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/backdrop/backdrop

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.

Added on 2022-11-22

GHSA-p88w-fhxw-xvcc, CVE-2022-41936

Exposure of Private Personal Information to an Unauthorized Actor in maven/org.xwiki.platform/xwiki-platform-rest-server

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users is exposed through the `modifications` rest endpoint (comments and page names etc). Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched. There are no known workarounds.

Added on 2022-11-22

GHSA-q6jp-gcww-8v2j, CVE-2022-41937

Missing Authorization in maven/org.xwiki.platform/xwiki-platform-filter-ui

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a workaround, set the rights of the page Filter.WebHome and make sure only the main wiki administrators can view the application installed on the main wiki, or edit the page and apply the changes described in commit fb49b4f.

Added on 2022-11-22

GHSA-8847-xvjw-9g43, CVE-2022-45397

Improper Restriction of XML External Entity Reference in maven/org.jenkins-ci/update-center2

Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2022-11-22

GHSA-f3hw-3h74-wr98, CVE-2022-4068

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/librenms/librenms

A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low privilege user to execute arbitrary JavaScript in the context of an admin's account.

Added on 2022-11-22

GHSA-g8hp-rc67-jf96, CVE-2022-42125

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/com.liferay.portal/release.portal.bom

Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module.

Added on 2022-11-22

GHSA-v535-pc6r-77qh, CVE-2022-45385

Missing Authorization in maven/org.jenkins-ci.plugins/dockerhub-notification

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

Added on 2022-11-22

GHSA-cx84-43xc-3gm2, CVE-2022-42131

Improper Certificate Validation in maven/com.liferay.portal/release.portal.bom

Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3.

Added on 2022-11-22

GHSA-5x9h-p2gx-35mg, CVE-2022-42127

Incorrect Default Permissions in maven/com.liferay.portal/release.portal.bom

The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 through 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that were assigned to a page.

Added on 2022-11-22

GHSA-642h-mx8q-47p2, CVE-2022-42126

Missing permissions check in Liferay Portal in maven/com.liferay.portal/release.portal.bom

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

Added on 2022-11-22

GHSA-wgqm-qp44-cg6x, CVE-2022-42128

Incorrect Default Permissions in maven/com.liferay.portal/release.portal.bom

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.

Added on 2022-11-22

GHSA-mxvq-cv4x-p3jw, CVE-2022-42130

Incorrect Default Permissions in maven/com.liferay.portal/release.portal.bom

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permissions of form entries, which allows remote authenticated users to view and access all form entries.

Added on 2022-11-22

GHSA-g6x4-57hp-j4xm, CVE-2022-42129

Authorization Bypass Through User-Controlled Key in maven/com.liferay.portal/release.portal.bom

An insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

Added on 2022-11-22

GHSA-vjj4-qwcm-552h, CVE-2022-42124

Inefficient Regular Expression Complexity in Liferay Portal in maven/com.liferay.portal/release.portal.bom

ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.

Added on 2022-11-22

CVE-2022-3561

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/librenms/librenms

Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 22.10.0.

Added on 2022-11-22

GHSA-fhw8-8j55-vwgq, CVE-2022-45047

Deserialization of Untrusted Data in maven/org.apache.sshd/sshd-common

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Added on 2022-11-22

CVE-2022-4067

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/librenms/librenms

Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0.

Added on 2022-11-22

GHSA-hw4f-g7wh-xp52, CVE-2022-45393

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/delete-log-plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs.

Added on 2022-11-22

GHSA-4wfh-48v4-3r84, CVE-2022-45470

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.hama/hama-core

** UNSUPPORTED WHEN ASSIGNED ** Missing input validation in Apache Hama may cause information disclosure through path traversal and XSS. Since Apache Hama is EOL, we do not expect these issues to be fixed.

Added on 2022-11-22

GHSA-298r-5c48-7q2r, CVE-2022-45380

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.plugins/junit

Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Added on 2022-11-22

GHSA-3g9q-cmgv-g4p6, CVE-2022-45381

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.jenkins-ci.plugins/pipeline-utility-steps

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.

Added on 2022-11-22

GHSA-j923-26c2-qq9p, CVE-2022-45387

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.plugins/bart

Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.

Added on 2022-11-22

GHSA-4598-wcg8-x56g, CVE-2022-45386

Improper Restriction of XML External Entity Reference in maven/org.jenkins-ci.plugins/violations

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2022-11-22

GHSA-24hp-84jp-8wgm, CVE-2022-45398

Cross-Site Request Forgery (CSRF) in maven/org.zeroturnaround/cluster-stats

A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

Added on 2022-11-22

GHSA-w8wg-62wf-62gm, CVE-2022-45399

Missing Authorization in maven/org.zeroturnaround/cluster-stats

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

Added on 2022-11-22

GHSA-h4wx-78p9-fwxw, CVE-2022-45396

Improper Restriction of XML External Entity Reference in maven/com.thalesgroup.hudson.plugins/sourcemonitor

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2022-11-22

GHSA-3cxx-3f53-m92c, CVE-2022-43686

Uncontrolled Resource Consumption in packagist/concrete5/concrete5

In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).

Added on 2022-11-22

GHSA-vq39-q549-g786, CVE-2022-43967

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to unsanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Added on 2022-11-22

CVE-2022-4069

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/librenms/librenms

Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 22.10.0.

Added on 2022-11-22

GHSA-q3hq-hm5h-qrx3, CVE-2022-43691

Cleartext Transmission of Sensitive Information in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently discloses server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

Added on 2022-11-22

GHSA-jfmc-3975-fv5f, CVE-2022-43694

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to unsanitized output.

Added on 2022-11-22

GHSA-wcjj-qm5v-j4pc, CVE-2022-45384

Insufficiently Protected Credentials in maven/org.jenkins-ci.main/reverse-proxy-auth-plugin

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

Added on 2022-11-22

GHSA-vj5r-mmp4-3hrx, CVE-2022-38666

Improper Certificate Validation in maven/org.jenkins-ci.main/cavisson-ns-nd-integration

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.

Added on 2022-11-22

GHSA-9pqq-h9qv-28fp, CVE-2022-45388

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.jenkins-ci.main/config-rotator

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.

Added on 2022-11-22

GHSA-chcg-gh9p-96c5, CVE-2022-45401

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.main/associated-files-plugin

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Added on 2022-11-22

CVE-2022-3562

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/librenms/librenms

Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0.

Added on 2022-11-22

CVE-2022-4070

Insufficient Session Expiration in packagist/librenms/librenms

Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.

Added on 2022-11-22

GHSA-f3gj-hvv4-f57v, CVE-2022-45395

Improper Restriction of XML External Entity Reference in maven/com.thalesgroup.jenkins-ci.plugins/cccc

Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2022-11-22

GHSA-68m8-v89j-7j2p, CVE-2022-45146

Garbage collection issue in BC-FJA in Java 13 and later in maven/org.bouncycastle/bc-fips

An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.

Added on 2022-11-22

GHSA-44xv-v98g-v79f, CVE-2022-38146

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/silverstripe/admin

Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).

Added on 2022-11-22

GHSA-rr8h-f97q-8p9c, CVE-2022-38148

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/silverstripe/framework

Silverstripe silverstripe/framework through 4.11 allows SQL Injection.

Added on 2022-11-22

GHSA-xgq8-jq9w-77r5, CVE-2022-40309

Apache Archiva subject to arbitrary directory deletion by users in maven/org.apache.archiva/archiva-common

Users with write permissions to a repository can delete arbitrary directories.

Added on 2022-11-22

GHSA-x9wp-gfrr-p5rp, CVE-2022-45389

Missing Authorization in maven/com.cloudbees.jenkins.plugins/xpdev

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

Added on 2022-11-22

GHSA-9jc5-9wh5-mc36, CVE-2022-43688

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Added on 2022-11-22

GHSA-rg6w-c352-p8pg, CVE-2022-43692

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Added on 2022-11-22

GHSA-4696-g7jj-xg2h, CVE-2022-38216

Integer Overflow or Wraparound in maven/com.mapbox.mapboxsdk/mapbox-android-core

An integer overflow exists in Mapbox's closed source gl-native library prior to version 10.6.1, which is bundled with multiple Mapbox products including open source libraries. The overflow is caused by large image height and width values when creating a new Image and allows for out-of-bounds writes, potentially crashing the Mapbox process.

Added on 2022-11-22

GHSA-83w4-x5w9-hf4h, CVE-2022-43183

Server-Side Request Forgery (SSRF) in maven/com.xuxueli/xxl-job-core

XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.

Added on 2022-11-22

GHSA-pp3f-xrw5-q5j4, CVE-2022-41920

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/duke-git/lancet/v2/fileutil

Lancet is a general utility library for the go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-11-22
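The ZipSlip pattern behind the Lancet advisory is a missing containment check: the archive entry name is joined onto the destination directory and written as-is, so an entry such as `../../outside.txt` lands outside the extraction root. The following is an added illustration, not code from Lancet or from the original page; it is written in Python rather than Go so that it runs stand-alone here, and the archive it extracts is constructed inline. The function names `unzip_checked`, `unzip_vulnerable` and `resolve_inside` are this example's own.

```python
import io
import os
import tempfile
import zipfile
from typing import List


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one ZipSlip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../../outside.txt", "escaped the destination")
    return buf.getvalue()


def resolve_inside(dest: str, member_name: str) -> str:
    """Return the absolute target path for `member_name`, or raise ValueError
    when the resolved path would land outside `dest`.

    realpath() collapses '..' segments and symlinks; an absolute member name
    (e.g. '/etc/passwd') also fails the containment test because os.path.join
    discards `dest` for absolute right-hand operands.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"zip entry {member_name!r} escapes {dest_real}")
    return target


def unzip_checked(archive: bytes, dest: str) -> List[str]:
    """Validate every entry before writing anything, then extract."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        targets = [resolve_inside(dest, i.filename) for i in infos]  # raises on traversal
        for info, target in zip(infos, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def unzip_vulnerable(archive: bytes, dest: str) -> List[str]:
    """Naive join with no containment check: the ZipSlip pattern."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def demo() -> dict:
    """Run both extractors into a scratch directory; report what happened."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "a", "b")
    os.makedirs(dest)
    dest_real = os.path.realpath(dest)
    archive = build_sample_archive()
    try:
        unzip_checked(archive, dest)
        checked_refused = False
    except ValueError:
        checked_refused = True
    paths = unzip_vulnerable(archive, dest)
    escaped = [p for p in paths
               if os.path.commonpath([dest_real, p]) != dest_real]
    return {"checked_refused": checked_refused, "vulnerable_escaped": len(escaped)}


if __name__ == "__main__":
    print(demo())
```

Validating all entries before writing the first one matters: an extractor that checks per entry still leaves a half-extracted tree behind when a later entry is rejected.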

GHSA-8538-25v4-25pg, CVE-2022-45400

Improper Restriction of XML External Entity Reference in maven/org.jvnet.hudson.plugins/japex

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2022-11-22

GHSA-r7qp-cfhv-p84w, CVE-2022-41940

Uncaught Exception in npm/engine.io

Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all users of the engine.io package, including those who use dependent packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

Added on 2022-11-22

GHSA-4696-g7jj-xg2h, CVE-2022-38216

Integer Overflow or Wraparound in npm/@mapbox/mapbox-maps-android

An integer overflow exists in Mapbox's closed source gl-native library prior to version 10.6.1, which is bundled with multiple Mapbox products including open source libraries. The overflow is caused by large image height and width values when creating a new Image and allows for out-of-bounds writes, potentially crashing the Mapbox process.

Added on 2022-11-22

GHSA-m53v-5x5x-5m2p, CVE-2022-43687

Session Fixation in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Added on 2022-11-22
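The session fixation described in the Concrete CMS advisory comes down to one missing step: the session identifier the browser already holds before authentication is kept after the OAuth login completes, so an identifier an attacker planted in the victim's browser becomes an authenticated session the attacker also holds. The block below is an added model of that exchange, not Concrete CMS code; the `SessionStore` class and the two `complete_login_*` functions are this example's own, and the OAuth round-trip itself is reduced to "login succeeded for user X".

```python
import secrets
from typing import Callable, Dict, Optional


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        """Issue a fresh id, carry the state over, and invalidate the old id."""
        data = self._sessions.pop(old_sid, {"user": None})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def complete_login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """Binds the authenticated user to whatever session id the browser presented."""
    session = store.get(sid) or store.get(store.new_session())
    session["user"] = user
    return sid


def complete_login_fixed(store: SessionStore, sid: str, user: str) -> str:
    """Rotates the session id on privilege change, so pre-auth ids are worthless."""
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = user
    return new_sid


def fixation_succeeds(login: Callable[[SessionStore, str, str], str]) -> bool:
    """Play the attack: attacker obtains an anonymous session id, plants it in the
    victim's browser (how is out of scope here), the victim authenticates via the
    OAuth callback, and the attacker then presents the planted id."""
    store = SessionStore()
    planted = store.new_session()                 # attacker's pre-auth id
    victim_cookie = planted                       # planted into the victim's browser
    victim_cookie = login(store, victim_cookie, "victim")
    attacker_view = store.get(planted)            # attacker still holds `planted`
    return attacker_view is not None and attacker_view["user"] == "victim"


if __name__ == "__main__":
    print("vulnerable:", fixation_succeeds(complete_login_vulnerable))
    print("fixed:     ", fixation_succeeds(complete_login_fixed))
```

The rotation has to invalidate the old identifier, not just mint a new one; otherwise the attacker's copy keeps working alongside the victim's.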

GHSA-8782-xgh5-r7mv, CVE-2022-43968

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Added on 2022-11-22

GHSA-q48r-xg9h-78m8, CVE-2022-43689

Improper Restriction of XML External Entity Reference in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.

Added on 2022-11-22

GHSA-3vwm-fc87-mq6h, CVE-2022-45391

Improper Certificate Validation in maven/io.jenkins.plugins/cavisson-ns-nd-integration

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

Added on 2022-11-22

GHSA-x2w2-5552-fjv6, CVE-2022-45392

Plaintext Storage of a Password in maven/io.jenkins.plugins/cavisson-ns-nd-integration

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

Added on 2022-11-22

GHSA-h6q3-vv32-2cq5, CVE-2022-41894

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in pypi/tflite

TensorFlow is an open source platform for machine learning. The reference kernel of the `CONV_3D_TRANSPOSE` TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22
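The advisory pins the bug to a single line of pointer arithmetic: the bias-add loop walks the output buffer one spatial position at a time, and the stride it uses is the input channel count instead of the output channel count. Below is an added Python model of that loop, not the TensorFlow Lite kernel itself; it replaces the raw `float*` with a bounds-checked list so the out-of-bounds write shows up as an `IndexError` instead of silent heap corruption. The function names and the layout assumption (positions x output channels, channels contiguous) are this example's own.

```python
from typing import List


def _bias_add_model(output: List[float], bias: List[float],
                    positions: int, stride: int) -> List[float]:
    """Model of the reference kernel's bias-add loop over a flat output buffer.

    The buffer holds `positions` spatial positions, each with len(bias)
    output channels laid out contiguously. After each position the kernel
    advances its write pointer by `stride`. A write past the end of the
    buffer raises IndexError here; the C++ kernel would write past the heap
    allocation instead.
    """
    buf = list(output)
    out_channels = len(bias)
    ptr = 0
    for _ in range(positions):
        for c in range(out_channels):
            idx = ptr + c
            if idx >= len(buf):
                raise IndexError(
                    f"write at offset {idx} past buffer of {len(buf)} floats")
            buf[idx] += bias[c]
        ptr += stride
    return buf


def bias_add_vulnerable(output, bias, positions, input_channels):
    """Pre-fix behaviour: `data_ptr += num_channels` (the input channel count)."""
    return _bias_add_model(output, bias, positions, stride=input_channels)


def bias_add_fixed(output, bias, positions, input_channels):
    """Patched behaviour: `data_ptr += output_num_channels`."""
    return _bias_add_model(output, bias, positions, stride=len(bias))


def outcome(input_channels: int, output_channels: int, positions: int = 4) -> str:
    """Classify what the vulnerable loop does for a given channel pair."""
    output = [0.0] * (positions * output_channels)
    bias = [float(10 * (c + 1)) for c in range(output_channels)]
    expected = bias_add_fixed(output, bias, positions, input_channels)
    try:
        got = bias_add_vulnerable(output, bias, positions, input_channels)
    except IndexError:
        return "out-of-bounds write"
    return "correct" if got == expected else "wrong result"


if __name__ == "__main__":
    for in_ch, out_ch in [(2, 2), (1, 2), (3, 2)]:
        print(f"in={in_ch} out={out_ch}: {outcome(in_ch, out_ch)}")
```

With equal channel counts the two strides coincide and the bug is invisible, which is why it survived; a model whose input channel count exceeds its output channel count is what pushes the pointer past the allocation.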

CVE-2022-41885, GHSA-762h-vpvw-3rcx

Incorrect Calculation of Buffer Size in pypi/tensorflow

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.FusedResizeAndPadConv2D` is given a large tensor shape, it overflows. We have patched the issue in GitHub commit d66e1d568275e6a2947de97dca7a102a211e01ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41901, GHSA-g9fm-r5mm-rf9f

Improper Input Validation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41911, GHSA-pf36-r9c6-h97j

Incorrect Type Conversion or Cast in pypi/tensorflow

TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41897, GHSA-f2w8-jw48-fr7j

Out-of-bounds Read in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_pooling_sequence` and `col_pooling_sequence`, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41898, GHSA-hq7g-wwwp-q46h

Improper Input Validation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41889, GHSA-xxcj-rhqg-m46g

NULL Pointer Dereference in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41890, GHSA-h246-cgh4-7475

Incorrect Type Conversion or Cast in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can be seen in `tf.experimental.numpy.outer` by passing in large input to the input `b`. We have patched the issue in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41899, GHSA-27rc-728f-x5w2

Improper Input Validation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank 2 will trigger a `CHECK` fail in `SdcaOptimizer`. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41893, GHSA-67pf-62xr-q35m

Reachable Assertion in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value for input `size`, it results in a `CHECK` failure which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41895, GHSA-gq2j-cr96-gvqx

Out-of-bounds Read in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If `MirrorPadGrad` is given outsize input `paddings`, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41883, GHSA-w58w-79xv-6vcj

Out-of-bounds Read in pypi/tensorflow

TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing number of inputs, the executor will crash. We have patched the issue in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41886, GHSA-54pp-c6pp-7fpx

Incorrect Calculation of Buffer Size in pypi/tensorflow

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41908, GHSA-mv77-9g28-cwg3

Improper Input Validation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. An input `token` that is not a UTF-8 bytestring will trigger a `CHECK` fail in `tf.raw_ops.PyFunc`. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-q56r-mw39-944g, CVE-2022-43690

Improper Authentication in packagist/concrete5/concrete5

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Added on 2022-11-22

CVE-2022-41896, GHSA-rmg2-f698-wq35

Improper Input Validation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-8w5g-3wcv-9g2j, CVE-2022-41880

Out-of-bounds Read in pypi/tensorflow

TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value in `true_classes` larger than `range_max`, a heap out-of-bounds read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41900, GHSA-xvwp-h6jv-7472

Out-of-bounds Write in pypi/tensorflow

TensorFlow is an open source platform for machine learning. `FractionalMaxPool` and `FractionalAvgPool` accept an illegal `pooling_ratio`. An attacker who can supply that input can make TensorFlow access heap memory outside the user-controlled buffer, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1.

Added on 2022-11-22

CVE-2022-41907, GHSA-368v-7v32-52fx

Incorrect Calculation of Buffer Size in pypi/tensorflow

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ResizeNearestNeighborGrad` is given a large `size` input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41887, GHSA-8fvv-46hw-vpg3

Incorrect Calculation of Buffer Size in pypi/tensorflow

TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` that are passed through `functor::mul` in `BinaryOp`. If the resulting dimensions overflow an `int32`, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.

Added on 2022-11-22
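Several entries on this page share one root cause: a buffer size is computed as a product of caller-supplied dimensions in 32-bit arithmetic, the product wraps, and the allocation ends up far smaller than the indices the kernel later computes. That is the Mapbox gl-native image width/height overflow above and the TensorFlow `Incorrect Calculation of Buffer Size` entries (`FusedResizeAndPadConv2D`, `ImageProjectiveTransformV2`, `ResizeNearestNeighborGrad`, `poisson`). The block below is an added illustration in plain Python, not code from either project: it emulates the unchecked int32 multiply, shows the wrapped result, and places a checked version beside it. The function names and the sample shapes are this example's own.

```python
from typing import Sequence

INT32_MAX = 2**31 - 1
INT32_MIN = -(2**31)


def wrap_int32(value: int) -> int:
    """Two's-complement int32 wraparound, what an unchecked C++ `int` multiply yields."""
    return ((value + 2**31) % 2**32) - 2**31


def num_elements_unchecked(shape: Sequence[int]) -> int:
    """Product of dimensions in int32 arithmetic with no overflow check."""
    n = 1
    for d in shape:
        n = wrap_int32(n * d)
    return n


def num_elements_checked(shape: Sequence[int]) -> int:
    """Same product, but refuse any step whose result leaves the int32 range."""
    n = 1
    for d in shape:
        if d < 0:
            raise ValueError(f"negative dimension {d}")
        # n * d > INT32_MAX  <=>  n > INT32_MAX // d  (for d > 0), without overflowing
        if d and n > INT32_MAX // d:
            raise OverflowError(f"{tuple(shape)} exceeds the int32 element count")
        n *= d
    return n


def buffer_is_undersized(shape: Sequence[int]) -> bool:
    """True when the wrapped size is smaller than the true size, i.e. the
    allocation would not cover the offsets the kernel computes afterwards."""
    true_size = 1
    for d in shape:
        true_size *= d
    return num_elements_unchecked(shape) < true_size


if __name__ == "__main__":
    for shape in [(480, 640, 3), (65536, 65536), (65536, 32769)]:
        print(shape, "unchecked:", num_elements_unchecked(shape),
              "undersized:", buffer_is_undersized(shape))
```

A negative wrapped value is the luckier outcome because the allocation usually fails; a wrap to a small non-negative value (here `(65536, 65536)` wraps to exactly 0) is the one that allocates successfully and then gets indexed as if it held four billion elements.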

CVE-2022-41884, GHSA-jq6x-99hj-q636

Always-Incorrect Control Flow Implementation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41891, GHSA-66vq-54fq-6jvv

Improper Input Validation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListConcat` is given `element_shape=[]`, it results in a segmentation fault which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit fc33f3dc4c14051a83eec6535b608abe1d355fde. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41909, GHSA-rjx6-v474-2ch9

Improper Input Validation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

CVE-2022-41888, GHSA-6x99-gv2v-q76v

Improper Input Validation in pypi/tensorflow

TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-762h-vpvw-3rcx, CVE-2022-41885

Incorrect Calculation of Buffer Size in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.FusedResizeAndPadConv2D` is given a large tensor shape, it overflows. We have patched the issue in GitHub commit d66e1d568275e6a2947de97dca7a102a211e01ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-g9fm-r5mm-rf9f, CVE-2022-41901

Improper Input Validation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-pf36-r9c6-h97j, CVE-2022-41911

Incorrect Type Conversion or Cast in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-f2w8-jw48-fr7j, CVE-2022-41897

Out-of-bounds Read in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_pooling_sequence` and `col_pooling_sequence`, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-hq7g-wwwp-q46h, CVE-2022-41898

Improper Input Validation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-xxcj-rhqg-m46g, CVE-2022-41889

NULL Pointer Dereference in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-h246-cgh4-7475, CVE-2022-41890

Incorrect Type Conversion or Cast in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can be seen in `tf.experimental.numpy.outer` by passing in large input to the input `b`. We have patched the issue in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-27rc-728f-x5w2, CVE-2022-41899

Improper Input Validation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank 2 will trigger a `CHECK` fail in `SdcaOptimizer`. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-67pf-62xr-q35m, CVE-2022-41893

Reachable Assertion in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value for input `size`, it results in a `CHECK` failure which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-gq2j-cr96-gvqx, CVE-2022-41895

Out-of-bounds Read in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If `MirrorPadGrad` is given outsize input `paddings`, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-w58w-79xv-6vcj, CVE-2022-41883

Out-of-bounds Read in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing number of inputs, the executor will crash. We have patched the issue in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-54pp-c6pp-7fpx, CVE-2022-41886

Incorrect Calculation of Buffer Size in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-mv77-9g28-cwg3, CVE-2022-41908

Improper Input Validation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. An input `token` that is not a UTF-8 bytestring will trigger a `CHECK` fail in `tf.raw_ops.PyFunc`. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-rmg2-f698-wq35, CVE-2022-41896

Improper Input Validation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-8w5g-3wcv-9g2j, CVE-2022-41880

Out-of-bounds Read in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value in `true_classes` larger than `range_max`, a heap out-of-bounds read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-xvwp-h6jv-7472, CVE-2022-41900

Out-of-bounds Write in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. `FractionalMaxPool` and `FractionalAvgPool` accept an illegal `pooling_ratio`. An attacker who can supply that input can make TensorFlow access heap memory outside the user-controlled buffer, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1.

Added on 2022-11-22

GHSA-368v-7v32-52fx, CVE-2022-41907

Incorrect Calculation of Buffer Size in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ResizeNearestNeighborGrad` is given a large `size` input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-8fvv-46hw-vpg3, CVE-2022-41887

Incorrect Calculation of Buffer Size in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` that are passed through `functor::mul` in `BinaryOp`. If the resulting dimensions overflow an `int32`, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.

Added on 2022-11-22

GHSA-jq6x-99hj-q636, CVE-2022-41884

Always-Incorrect Control Flow Implementation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-66vq-54fq-6jvv, CVE-2022-41891

Improper Input Validation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListConcat` is given `element_shape=[]`, it results in a segmentation fault, which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit fc33f3dc4c14051a83eec6535b608abe1d355fde. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-rjx6-v474-2ch9, CVE-2022-41909

Improper Input Validation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherry-pick these commits on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-6x99-gv2v-q76v, CVE-2022-41888

Improper Input Validation in pypi/tensorflow-gpu

TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4, but this requirement is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-762h-vpvw-3rcx, CVE-2022-41885

Incorrect Calculation of Buffer Size in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.FusedResizeAndPadConv2D` is given a large tensor shape, it overflows. We have patched the issue in GitHub commit d66e1d568275e6a2947de97dca7a102a211e01ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-g9fm-r5mm-rf9f, CVE-2022-41901

Improper Input Validation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-pf36-r9c6-h97j, CVE-2022-41911

Incorrect Type Conversion or Cast in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*` array (since that is the underlying storage) and then typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-f2w8-jw48-fr7j, CVE-2022-41897

Out-of-bounds Read in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_pooling_sequence` and `col_pooling_sequence`, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-hq7g-wwwp-q46h, CVE-2022-41898

Improper Input Validation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-xxcj-rhqg-m46g, CVE-2022-41889

NULL Pointer Dereference in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-h246-cgh4-7475, CVE-2022-41890

Incorrect Type Conversion or Cast in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can be seen in `tf.experimental.numpy.outer` by passing in large input to the input `b`. We have patched the issue in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-27rc-728f-x5w2, CVE-2022-41899

Improper Input Validation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank 2 will trigger a `CHECK` fail in `SdcaOptimizer`. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-67pf-62xr-q35m, CVE-2022-41893

Reachable Assertion in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value for input `size`, it results in a `CHECK` failure, which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-gq2j-cr96-gvqx, CVE-2022-41895

Out-of-bounds Read in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If `MirrorPadGrad` is given outsize input `paddings`, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-w58w-79xv-6vcj, CVE-2022-41883

Out-of-bounds Read in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing number of inputs, the executor will crash. We have patched the issue in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-54pp-c6pp-7fpx, CVE-2022-41886

Incorrect Calculation of Buffer Size in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-mv77-9g28-cwg3, CVE-2022-41908

Improper Input Validation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. An input `token` that is not a UTF-8 bytestring will trigger a `CHECK` fail in `tf.raw_ops.PyFunc`. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-rmg2-f698-wq35, CVE-2022-41896

Improper Input Validation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-8w5g-3wcv-9g2j, CVE-2022-41880

Out-of-bounds Read in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value in `true_classes` larger than `range_max`, a heap out-of-bounds (OOB) read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-xvwp-h6jv-7472, CVE-2022-41900

Out-of-bounds Write in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. The vulnerability lies in `FractionalMaxPool` and `FractionalAvgPool` when they are given an illegal `pooling_ratio`. An attacker who can invoke these ops with such input can read and write heap memory outside the user's control, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry-pick this commit on TensorFlow 2.10.1.

Added on 2022-11-22

GHSA-368v-7v32-52fx, CVE-2022-41907

Incorrect Calculation of Buffer Size in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ResizeNearestNeighborGrad` is given a large `size` input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-8fvv-46hw-vpg3, CVE-2022-41887

Incorrect Calculation of Buffer Size in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` that are passed through `functor::mul` in `BinaryOp`. If the resulting dimensions overflow an `int32`, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.

Added on 2022-11-22

GHSA-jq6x-99hj-q636, CVE-2022-41884

Always-Incorrect Control Flow Implementation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Added on 2022-11-22

GHSA-66vq-54fq-6jvv, CVE-2022-41891

Improper Input Validation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListConcat` is given `element_shape=[]`, it results in a segmentation fault, which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit fc33f3dc4c14051a83eec6535b608abe1d355fde. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-rjx6-v474-2ch9, CVE-2022-41909

Improper Input Validation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherry-pick these commits on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-6x99-gv2v-q76v, CVE-2022-41888

Improper Input Validation in pypi/tensorflow-cpu

TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposals` receives a `scores` input that must be of rank 4, but this requirement is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

Added on 2022-11-22

GHSA-4vrc-q7m6-vq7w, CVE-2022-44244

Improper Authentication in pypi/Lin-CMS

An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalate privileges to Super Administrator.

Added on 2022-11-22

CVE-2022-43171

Out-of-bounds Write in conan/lief

A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted MachO file.

Added on 2022-11-22

GHSA-7x4w-j98p-854x, CVE-2022-41938

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/flarum/core

Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after `v1.5` and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page. All communities running Flarum from `v1.5.0` to `v1.6.1` are impacted. The vulnerability has been fixed and published as flarum/core `v1.6.2`. All communities running Flarum from `v1.5.0` to `v1.6.1` have to upgrade as soon as possible to v1.6.2. There are no known workarounds for this issue.

Added on 2022-11-22

GHSA-3xg8-cc8f-9wv2, CVE-2022-4064

Unsanitized input leading to code injection in Dalli in gem/dalli

A vulnerability was found in Dalli. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The name of the patch is 48d594dae55934476fec61789e7a7c3700e0f50d. It is recommended to apply a patch to fix this issue. VDB-214026 is the identifier assigned to this vulnerability.

Added on 2022-11-22

GHSA-hf94-8mx5-2vvj, CVE-2022-4105

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/kiwitcms

A stored XSS in a Kiwi TCMS Test Plan can run malicious JavaScript, which could be chained with an HTML injection to perform a UI redressing attack (clickjacking), and with an HTML injection that disables the use of the history page.

Added on 2022-11-22

CVE-2022-4093, GHSA-gjg7-qfvp-9hm4

SQL injection in Dolibarr in packagist/dolibarr/dolibarr

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affects 16.0.1 and 16.0.2 only; 16.0.0 or lower, and 16.0.3 or higher, are not affected.

Added on 2022-11-22

GHSA-h8hf-hxx6-5g6v, CVE-2022-45382

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.plugins/naginator

Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.

Added on 2022-11-22

CVE-2021-4240

Insufficient Entropy in packagist/phpservermon/phpservermon

A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to the public and may be used. The name of the patch is 3daa804d5f56c55b3ae13bfac368bb84ec632193. It is recommended to apply a patch to fix this issue. The identifier VDB-213717 was assigned to this vulnerability.

Added on 2022-11-21

GHSA-94qm-99qc-qwqj, CVE-2022-3362

Insufficient Session Expiration in pypi/rdiffweb

Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.

Added on 2022-11-21

CVE-2021-4241

Insufficient Entropy in packagist/phpservermon/phpservermon

A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to the public and may be used. The name of the patch is bb10a5f3c68527c58073258cb12446782d223bc3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213744.

Added on 2022-11-21

CVE-2022-43138

Improper Privilege Management in packagist/dolibarr/dolibarr

Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.

Added on 2022-11-21

CVE-2022-41918, GHSA-wmx7-x4jp-9jgg

Incorrect Authorization in gem/opensearch

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams, potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.

Added on 2022-11-21

CVE-2022-4014

Cross-Site Request Forgery (CSRF) in packagist/feehi/feehicms

A vulnerability, which was classified as problematic, has been found in FeehiCMS. Affected by this issue is some unknown functionality of the component Post My Comment Tab. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The identifier of this vulnerability is VDB-213788.

Added on 2022-11-21

CVE-2022-41917, GHSA-w3rx-m34v-wrqx

Exposure of Sensitive Information to an Unauthorized Actor in gem/opensearch

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-11-21

CVE-2022-45384

Insufficiently Protected Credentials in maven/org.jenkins-ci.plugins/reverse-proxy-auth-plugin

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

Added on 2022-11-21

CVE-2022-45383

Incorrect Default Permissions in maven/org.jenkins-ci.plugins/support-core

An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.

Added on 2022-11-21

CVE-2022-45379

Inadequate Encryption Strength in maven/org.jenkins-ci.plugins/script-security

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

Added on 2022-11-21

CVE-2022-45047

Deserialization of Untrusted Data in maven/org.apache.sshd/sshd

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Added on 2022-11-21

CVE-2022-3516

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/librenms/librenms

Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0.

Added on 2022-11-21

GHSA-m5xf-x7q6-3rm7, CVE-2022-39383

Server-Side Request Forgery (SSRF) in go/github.com/oam-dev/kubevela

KubeVela is an open source application delivery platform. Users of the VelaUX APIServer could be affected by this vulnerability. When using a Helm Chart as the component delivery method, the request address of the chart repository is not restricted, and there is a blind SSRF vulnerability. Users of v1.6 should update to v1.6.1; users of v1.5 should update to v1.5.8. There are no known workarounds for this issue.

Added on 2022-11-21

CVE-2022-3525

Deserialization of Untrusted Data in packagist/librenms/librenms

Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0.

Added on 2022-11-21

GHSA-789v-h9hw-38pg, CVE-2022-45378

Improper Authentication in maven/soap/soap

** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Added on 2022-11-21

CVE-2022-3920

Missing Authorization in go/github.com/hashicorp/consul

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

Added on 2022-11-21

CVE-2022-3920

Missing Authorization in go/github.com/hashicorp/consul/acl

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

Added on 2022-11-21

CVE-2022-43183

Server-Side Request Forgery (SSRF) in maven/com.xuxueli/xxl-job

XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.

Added on 2022-11-21

GHSA-hc82-w9v8-83pr, CVE-2022-39389

Improper Input Validation in go/github.com/lightningnetwork/lnd

Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments, forward HTLCs, and close out channels. Opening channels is prohibited, and on-chain transaction events will go undetected. This can cause loss of funds if a CSV expiry is reached during a breach attempt or a CLTV delta expires, forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.

Added on 2022-11-21

CVE-2022-39395, GHSA-5m7g-pj8w-7593, GHSA-xf39-98m2-889v, GHSA-2w78-ffv6-p46w

Improper Privilege Management in go/github.com/go-vela/server

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) leaves the existing risk exposure in place. Some workarounds are available. Vela administrators can adjust the worker's `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.

Added on 2022-11-21

CVE-2022-41878, GHSA-xprv-wvh7-qqqx

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/parse-server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option. This issue is fixed in versions 4.10.19 and 5.3.2. If upgrading is not possible, the following workarounds may be applied: configure your firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.

Added on 2022-11-18

CVE-2022-39393, GHSA-wh6w-3828-g9qf

Improper Removal of Sensitive Information Before Storage or Transfer in nuget/Wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where, when a linear memory is reused for another instance, the initial heap snapshot of the prior instance can erroneously be visible to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator and disabling the `memory-init-cow` feature.

Added on 2022-11-18

CVE-2022-27949

Exposure of Sensitive Information to an Unauthorized Actor in pypi/apache-airflow

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.

Added on 2022-11-18

CVE-2022-39395, GHSA-5m7g-pj8w-7593, GHSA-xf39-98m2-889v, GHSA-2w78-ffv6-p46w

Improper Privilege Management in go/github.com/go-vela/worker

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) leaves the existing risk exposure in place. Some workarounds are available. Vela administrators can adjust the worker's `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.

Added on 2022-11-18

CVE-2022-39394, GHSA-h84q-m8rr-3v9q

Out-of-bounds Write in nuget/Wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by providing a 4-byte buffer casted to a 1-byte buffer when calling `wasmtime_trap_code`. Users of the `wasmtime` crate are not affected by this issue, only users of the C API function `wasmtime_trap_code` are affected.

Added on 2022-11-18

CVE-2022-44071

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/tribalsystems/zenario

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via profile.

Added on 2022-11-18

CVE-2022-44073

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/tribalsystems/zenario

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg, Users & Contacts.

Added on 2022-11-18

CVE-2022-44069

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/tribalsystems/zenario

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module.

Added on 2022-11-18

CVE-2022-44070

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/tribalsystems/zenario

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.

Added on 2022-11-18

CVE-2022-40309

Improper Access Control in maven/org.apache.archiva/archiva-webapp

Users with write permissions to a repository can delete arbitrary directories.

Added on 2022-11-18

CVE-2022-40308

Improper Access Control in maven/org.apache.archiva/archiva-webapp

If anonymous read is enabled, it is possible to read the database file directly without logging in.

Added on 2022-11-18

CVE-2022-39368, GHSA-p72g-cgh9-ghjg

Improper Resource Shutdown or Release in maven/org.eclipse.californium/californium-core

Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0 and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't clean up the counters used for throttling, causing the threshold to be reached without ever being released again. This results in permanently dropping records. The issue was reported for certificate-based handshakes, but may also affect PSK-based handshakes. It affects both client and server. This issue is patched in versions 3.7.0 and 2.7.4. There are no known workarounds. Fix commits: main: 726bac57659410da463dcf404b3e79a7312ac0b9; 2.7.x: 5648a0c27c2c2667c98419254557a14bac2b1f3f.

Added on 2022-11-18

GHSA-fjw4-39pg-vf4f, CVE-2019-0226

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.karaf.config/org.apache.karaf.config.core

The Apache Karaf Config service provides an install method (via service or MBean) that could be used to traverse to any directory and overwrite an existing file. The severity is low if the Karaf process user has limited permissions on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. Users should upgrade to Apache Karaf 4.2.5 or later.

Added on 2022-11-18

GHSA-f96g-24cg-f24w, CVE-2016-11024

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in maven/org.odata4j/odata4j-parent

odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

Added on 2022-11-18

GHSA-2382-qx5h-rvqh, CVE-2016-11023

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in maven/org.odata4j/odata4j-parent

odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

Added on 2022-11-18

CVE-2022-39392, GHSA-44mr-8vmm-wjhg

Out-of-bounds Write in nuget/Wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories does not meet the configuration requirements the compiler relies on for safely executing WebAssembly modules. Wasmtime's default settings require virtual memory page faults to indicate that wasm reads/writes are out-of-bounds, but the pooling allocator's configuration would not create an appropriate virtual memory mapping for this, meaning out-of-bounds reads/writes can successfully read/write memory unrelated to the wasm sandbox within range of the base address of the memory mapping created by the pooling allocator. This bug is not applicable with the default settings of the `wasmtime` crate. This bug can only be triggered by setting `InstanceLimits::memory_pages` to zero. This is expected to be a very rare configuration, since it means that wasm modules cannot allocate any pages of linear memory. All wasm modules produced by all current toolchains are highly likely to use linear memory, so it is unlikely that any production embedding of Wasmtime sets this value to zero. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by increasing the `memory_pages` allotment when configuring the pooling allocator to a value greater than zero. If an embedding still wishes to prevent memory from actually being used, the `Store::limiter` method can be used to dynamically disallow growth of memory beyond 0 bytes. Note that the default `memory_pages` value is greater than zero.

Added on 2022-11-18

CVE-2022-45198

Improper Handling of Highly Compressed Data (Data Amplification) in pypi/Pillow

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Added on 2022-11-18

GHSA-g2qw-6vrr-v6pq, CVE-2022-45136

Deserialization of Untrusted Data in maven/org.apache.jena/jena-sdb

** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The MySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result, an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options, e.g. Apache Jena TDB 2.

Added on 2022-11-18

CVE-2022-45402

URL Redirection to Untrusted Site ('Open Redirect') in pypi/apache-airflow

In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.

Added on 2022-11-18

CVE-2022-41854

Out-of-bounds Write in maven/org.yaml/snakeyaml

Those using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Added on 2022-11-18

CVE-2022-41905, GHSA-xx6g-jj35-pxjv

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/wsgidav

WsgiDAV is a generic and extendable WebDAV server based on WSGI. Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting (XSS) attacks. This issue has been patched, users can upgrade to version 4.1.0. As a workaround, set `dir_browser.enable = False` in the configuration.

Added on 2022-11-18

CVE-2022-39392, GHSA-44mr-8vmm-wjhg

Out-of-bounds Write in pypi/wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories does not meet the configuration requirements the compiler relies on for safely executing WebAssembly modules. Wasmtime's default settings require virtual memory page faults to indicate that wasm reads/writes are out-of-bounds, but the pooling allocator's configuration would not create an appropriate virtual memory mapping for this, meaning out-of-bounds reads/writes can successfully read/write memory unrelated to the wasm sandbox within range of the base address of the memory mapping created by the pooling allocator. This bug is not applicable with the default settings of the `wasmtime` crate. This bug can only be triggered by setting `InstanceLimits::memory_pages` to zero. This is expected to be a very rare configuration, since it means that wasm modules cannot allocate any pages of linear memory. All wasm modules produced by all current toolchains are highly likely to use linear memory, so it is unlikely that any production embedding of Wasmtime sets this value to zero. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by increasing the `memory_pages` allotment when configuring the pooling allocator to a value greater than zero. If an embedding still wishes to prevent memory from actually being used, the `Store::limiter` method can be used to dynamically disallow growth of memory beyond 0 bytes. Note that the default `memory_pages` value is greater than zero.

Added on 2022-11-18

GHSA-w8fp-3gwq-gxpw, CVE-2022-43693

Cross-Site Request Forgery (CSRF) in packagist/concrete5/concrete5

Concrete CMS is vulnerable to CSRF due to the lack of a "state" parameter in the external Concrete authentication service, affecting users of Concrete who use the "out of the box" core OAuth.

Added on 2022-11-18

CVE-2022-39394, GHSA-h84q-m8rr-3v9q

Out-of-bounds Write in pypi/wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by providing a 4-byte buffer cast to a 1-byte buffer when calling `wasmtime_trap_code`. Users of the `wasmtime` crate are not affected by this issue; only users of the C API function `wasmtime_trap_code` are affected.

Added on 2022-11-18

CVE-2022-3975, GHSA-x45f-j34v-75xm

Improper Neutralization in packagist/nukeviet/nukeviet

A vulnerability, which was classified as problematic, has been found in NukeViet CMS. Affected by this issue is the function filterAttr of the file `vendor/vinades/nukeviet/Core/Request.php` of the component Data URL Handler. The manipulation of the argument attrSubSet leads to cross site scripting. The attack may be launched remotely. Upgrading to version 4.5 is able to address this issue. The name of the patch is 0b3197fad950bb3383e83039a8ee4c9509b3ce02. It is recommended to upgrade the affected component. VDB-213554 is the identifier assigned to this vulnerability.

Added on 2022-11-18

CVE-2022-39393, GHSA-wh6w-3828-g9qf

Improper Removal of Sensitive Information Before Storage or Transfer in pypi/wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where, when a linear memory is reused for another instance, the initial heap snapshot of the prior instance can erroneously be visible to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator and disabling `memory-init-cow`.

Added on 2022-11-18

GHSA-h896-mx9x-g32g, CVE-2019-0188

Improper Restriction of XML External Entity Reference in maven/org.apache.camel/camel-xmljson

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

Added on 2022-11-18

CVE-2022-41879, GHSA-93vw-8fm5-p2jf

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/parse-server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds.

Added on 2022-11-18

CVE-2022-39393, GHSA-wh6w-3828-g9qf

Improper Removal of Sensitive Information Before Storage or Transfer in go/github.com/bytecodealliance/wasmtime-go

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where, when a linear memory is reused for another instance, the initial heap snapshot of the prior instance can erroneously be visible to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator and disabling `memory-init-cow`.

Added on 2022-11-18

GHSA-ffwf-47x2-jpr8, CVE-2022-3971

Improper Neutralization in npm/matrix-appservice-irc

A vulnerability was found in matrix-appservice-irc up to 0.35.1. It has been declared as critical. This vulnerability affects unknown code of the file src/datastore/postgres/PgDataStore.ts. The manipulation of the argument roomIds leads to SQL injection. Upgrading to version 0.36.0 is able to address this issue. The name of the patch is 179313a37f06b298150edba3e2b0e5a73c1415e7. It is recommended to upgrade the affected component. VDB-213550 is the identifier assigned to this vulnerability.

Added on 2022-11-18

CVE-2022-3978, GHSA-5gwx-wf9g-r5mx

Incorrect Authorization in npm/nodebb

A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this issue. The name of the patch is 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-213555.

Added on 2022-11-18

CVE-2022-3970

Integer Overflow or Wraparound in conan/libtiff

A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.

Added on 2022-11-18

CVE-2022-39393, GHSA-wh6w-3828-g9qf

Improper Removal of Sensitive Information Before Storage or Transfer in conan/wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where, when a linear memory is reused for another instance, the initial heap snapshot of the prior instance can erroneously be visible to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator and disabling `memory-init-cow`.

Added on 2022-11-18

CVE-2022-40127

Improper Control of Generation of Code ('Code Injection') in pypi/apache-airflow

A vulnerability in the example DAGs of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter.

Added on 2022-11-18

CVE-2022-39394, GHSA-h84q-m8rr-3v9q

Out-of-bounds Write in conan/wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by providing a 4-byte buffer cast to a 1-byte buffer when calling `wasmtime_trap_code`. Users of the `wasmtime` crate are not affected by this issue; only users of the C API function `wasmtime_trap_code` are affected.

Added on 2022-11-17

CVE-2022-39392, GHSA-44mr-8vmm-wjhg

Out-of-bounds Write in conan/wasmtime

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories does not meet the configuration requirements the compiler relies on for safely executing WebAssembly modules. Wasmtime's default settings require virtual memory page faults to indicate that wasm reads/writes are out-of-bounds, but the pooling allocator's configuration would not create an appropriate virtual memory mapping for this, meaning out-of-bounds reads/writes can successfully read/write memory unrelated to the wasm sandbox within range of the base address of the memory mapping created by the pooling allocator. This bug is not applicable with the default settings of the `wasmtime` crate. This bug can only be triggered by setting `InstanceLimits::memory_pages` to zero. This is expected to be a very rare configuration, since it means that wasm modules cannot allocate any pages of linear memory. All wasm modules produced by all current toolchains are highly likely to use linear memory, so it is unlikely that any production embedding of Wasmtime sets this value to zero. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by increasing the `memory_pages` allotment when configuring the pooling allocator to a value greater than zero. If an embedding still wishes to prevent memory from actually being used, the `Store::limiter` method can be used to dynamically disallow growth of memory beyond 0 bytes. Note that the default `memory_pages` value is greater than zero.

Added on 2022-11-17

CVE-2022-39392, GHSA-44mr-8vmm-wjhg

Out-of-bounds Write in go/github.com/bytecodealliance/wasmtime-go

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories does not meet the configuration requirements the compiler relies on for safely executing WebAssembly modules. Wasmtime's default settings require virtual memory page faults to indicate that wasm reads/writes are out-of-bounds, but the pooling allocator's configuration would not create an appropriate virtual memory mapping for this, meaning out-of-bounds reads/writes can successfully read/write memory unrelated to the wasm sandbox within range of the base address of the memory mapping created by the pooling allocator. This bug is not applicable with the default settings of the `wasmtime` crate. This bug can only be triggered by setting `InstanceLimits::memory_pages` to zero. This is expected to be a very rare configuration, since it means that wasm modules cannot allocate any pages of linear memory. All wasm modules produced by all current toolchains are highly likely to use linear memory, so it is unlikely that any production embedding of Wasmtime sets this value to zero. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by increasing the `memory_pages` allotment when configuring the pooling allocator to a value greater than zero. If an embedding still wishes to prevent memory from actually being used, the `Store::limiter` method can be used to dynamically disallow growth of memory beyond 0 bytes. Note that the default `memory_pages` value is greater than zero.

Added on 2022-11-17

CVE-2022-3952

Exposure of Resource to Wrong Sphere in maven/com.manydesigns/portofino

A vulnerability has been found in ManyDesigns Portofino 5.3.2 and classified as problematic. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component. The identifier VDB-213457 was assigned to this vulnerability.

Added on 2022-11-17

CVE-2022-39388, GHSA-6c6p-h79f-g6p4

Incorrect Authorization in go/github.com/istio/istio

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue. There are no known workarounds.

Added on 2022-11-17

GHSA-jr77-8gx4-h5qh, CVE-2022-41719

MessagePack for Golang subject to DoS via Unmarshal panic in go/github.com/shamaton/msgpack/v2

Unmarshal can panic on some inputs, possibly allowing for denial of service attacks.

Added on 2022-11-17

CVE-2022-41719

Invalid Input Validation in go/github.com/shamaton/msgpack

Unmarshal can panic on some inputs, possibly allowing for denial of service attacks.

Added on 2022-11-17

CVE-2022-39394, GHSA-h84q-m8rr-3v9q

Out-of-bounds Write in go/github.com/bytecodealliance/wasmtime-go

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by providing a 4-byte buffer cast to a 1-byte buffer when calling `wasmtime_trap_code`. Users of the `wasmtime` crate are not affected by this issue; only users of the C API function `wasmtime_trap_code` are affected.

Added on 2022-11-17

GHSA-4wrc-f8pq-fpqp, CVE-2016-1000027

Deserialization of Untrusted Data in maven/org.springframework/spring-web

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Added on 2022-11-15

CVE-2022-45199, GHSA-q4mp-jvh2-76fj

Pillow subject to DoS via SAMPLESPERPIXEL tag in pypi/Pillow

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. A large value in the SAMPLESPERPIXEL tag could lead to a memory and runtime DoS in `TiffImagePlugin.py` when setting up the context for image decoding.

Added on 2022-11-15