Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.6 days (on average).

CVE-2021-3785

Cross-site Scripting in packagist/yourls/yourls

yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2021-09-24

CVE-2021-3783

Cross-site Scripting in packagist/yourls/yourls

yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2021-09-24

CVE-2021-23435

URL Redirection to Untrusted Site (Open Redirect) in gem/clearance

This affects the package clearance. The vulnerability is possible when users are able to set the value of `session[:return_to]`.

Added on 2021-09-24

CVE-2020-28052

Improper Authentication in maven/org.bouncycastle/bcprov-jdk15on

The `OpenBSDBCrypt.checkPassword` utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Added on 2021-09-24

CVE-2021-3645

Improperly Controlled Modification of Dynamically-Determined Object Attributes in npm/merge

merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Added on 2021-09-24

CVE-2021-40839

Loop with Unreachable Exit Condition (Infinite Loop) in pypi/rencode

The rencode package for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

Added on 2021-09-24

CVE-2021-3666

Improperly Controlled Modification of Dynamically-Determined Object Attributes in npm/body-parser-xml

body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Added on 2021-09-24

CVE-2021-40347

Inconsistent Interpretation of HTTP Requests in pypi/postorius

An issue was discovered in views/list.py in GNU Mailman Postorius. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, which also reveals whether that address was subscribed in the first place.

Added on 2021-09-24

CVE-2021-23440

Access of Resource Using Incompatible Type (Type Confusion) in npm/set-value

This affects the package set-value. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

Added on 2021-09-24

CVE-2021-39207

Deserialization of Untrusted Data in pypi/parlai

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets.

Added on 2021-09-24

CVE-2021-24040

Deserialization of Untrusted Data in pypi/parlai

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks.

Added on 2021-09-24

CVE-2021-38540

Missing Authentication for Critical Function in pypi/apache-airflow

The variable import endpoint was not protected by authentication in Airflow. This allowed unauthenticated users to hit that endpoint to add or modify Airflow variables used in DAGs, potentially resulting in denial of service, information disclosure or remote code execution.

Added on 2021-09-22

CVE-2021-33037

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/org.apache.tomee/tomee-webapp

Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.

Added on 2021-09-22

CVE-2021-3449

NULL Pointer Dereference in pypi/mysql-connector-python

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation `ClientHello` message from a client. If a TLSv1.2 renegotiation `ClientHello` omits the `signature_algorithms` extension (where it was present in the initial `ClientHello`), but includes a `signature_algorithms_cert` extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.

Added on 2021-09-22

CVE-2021-36090

Uncontrolled Resource Consumption in maven/org.apache.drill/drill-common

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Added on 2021-09-22

CVE-2021-33037

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/org.apache.tomee/tomee

Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.

Added on 2021-09-22

CVE-2021-37579

Deserialization of Untrusted Data in maven/org.apache.dubbo/dubbo

The Dubbo Provider checks that the incoming request and the serialization type of that request meet the configuration set by the server. There is an exception path, however, that an attacker can use to skip this security check (when enabled) and reach a deserialization operation that uses native Java serialization.

Added on 2021-09-20

CVE-2021-36161

Use of Externally-Controlled Format String in maven/org.apache.dubbo/dubbo

A component in Dubbo will try to print the formatted string of the input arguments, which can lead to RCE for a maliciously customized bean with a special `toString` method.

Added on 2021-09-20

CVE-2021-28163

Improper Link Resolution Before File Access in maven/org.apache.solr/solr-core

In Eclipse Jetty, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Added on 2021-09-20

CVE-2021-28163

Improper Link Resolution Before File Access in maven/org.apache.ignite/ignite-core

In Eclipse Jetty, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Added on 2021-09-20

CVE-2020-27223

Uncontrolled Resource Consumption in maven/org.apache.solr/solr-core

When Jetty handles a request containing multiple `Accept` headers with a large number of `quality` (i.e., `q`) parameters, the server may enter a denial of service (DoS) state, spending minutes of CPU time processing those quality values.

Added on 2021-09-20

CVE-2021-3121

Improper Validation of Array Index in go/github.com/hashicorp/consul/acl

An issue was discovered in GoGo Protobuf: `plugin/unmarshal/unmarshal.go` lacks certain index validation, aka the `skippy peanut butter` issue.

Added on 2021-09-17

CVE-2021-37219

Improper Certificate Validation in go/github.com/hashicorp/consul/acl

HashiCorp Consul and Consul Enterprise's Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation.

Added on 2021-09-17

CVE-2021-38698

Incorrect Authorization in go/github.com/hashicorp/consul/acl

HashiCorp Consul and Consul Enterprise's `Txn.Apply` endpoint allowed services to register proxies for other services, enabling access to service traffic.

Added on 2021-09-17

CVE-2021-25735

Incorrect Authorization in go/k8s.io/kubernetes/pkg/apis/apps/validation

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Added on 2021-09-17

CVE-2021-25737

URL Redirection to Untrusted Site (Open Redirect) in go/k8s.io/kubernetes/pkg/apis/apps/validation

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

Added on 2021-09-17

CVE-2021-25735

Incorrect Authorization in go/github.com/kubernetes/kubelet

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. The Validating Admission Webhook does not observe some previous fields.

Added on 2021-09-17

CVE-2021-32805

URL Redirection to Untrusted Site (Open Redirect) in pypi/Flask-AppBuilder

Flask-AppBuilder is an application development framework, built on top of Flask. An attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder; this URL can redirect a user to a malicious site. This is an open redirect vulnerability. To resolve this issue, upgrade to Flask-AppBuilder or above.

Added on 2021-09-16

CVE-2021-36162

Code Injection in maven/org.apache.dubbo/dubbo

Apache Dubbo supports various rules for configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center is able to poison such a rule so that, when it is retrieved by the consumers, it results in RCE on all of them.

Added on 2021-09-16

CVE-2021-23427

Improper Input Validation in nuget/elFinder.NetCore

This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation.

Added on 2021-09-16

CVE-2021-23428

Improper Input Validation in nuget/elFinder.NetCore

This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitization of the user input and a missing check of the generated path, it is possible to escape the Files directory via path traversal.

Added on 2021-09-16

CVE-2021-39109

Path Traversal in npm/atlasboard

The renderWidgetResource resource in Atlassian Atlasboard allows remote attackers to read arbitrary files via a path traversal vulnerability.

Added on 2021-09-16

CVE-2021-39185

Origin Validation Error in maven/org.http4s/http4s-core_2.12

The original `CORS` implementation and `CORSConfig` are deprecated.

Added on 2021-09-16

CVE-2020-0822

Improper Privilege Management in maven/org.apache.tomcat/tomcat-util

An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations, aka 'Windows Language Pack Installer Elevation of Privilege Vulnerability'. Note this is due to axis2 clustering including a dependency on tomcat, which is vulnerable to this issue.

Added on 2021-09-16

CVE-2021-31274

Cross-site Scripting in packagist/librenms/librenms

In LibreNMS, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary JavaScript code can get executed.

Added on 2021-09-16

CVE-2021-39194

Loop with Unreachable Exit Condition (Infinite Loop) in maven/com.charleskorn.kaml/kaml

kaml is an open source implementation of the YAML format with support for kotlinx. This could result in resource starvation and denial of service. This only affects applications that use polymorphic serialization with the default tagged polymorphism style.

Added on 2021-09-16

CVE-2021-39195

Server-Side Request Forgery (SSRF) in npm/misskey-reversi

Misskey is an open source, decentralized microblogging platform. However, if you are using a proxy, you will need to take additional measures. As a workaround, this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.

Added on 2021-09-16

CVE-2021-23439

Cross-site Scripting in npm/file-upload-with-preview

This affects the package file-upload-with-preview. A file containing malicious JavaScript code in its name can be uploaded (a user needs to be tricked into uploading such a file).

Added on 2021-09-16

CVE-2021-23426

Prototype Pollution in npm/Proto

This affects all versions of package Proto. It is possible to pollute the object prototype of an application using Proto by leveraging the merge function.

Added on 2021-09-16

CVE-2021-40797

Missing Release of Resource after Effective Lifetime in pypi/neutron

By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.

Added on 2021-09-16

CVE-2021-23404

Cross-Site Request Forgery (CSRF) in pypi/sqlite-web

This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack.

Added on 2021-09-16

CVE-2021-39199

Cross-site Scripting in npm/remark-html

remark-html is an open source nodejs library which compiles Markdown to HTML. Pass `sanitize: true` if you cannot update.

Added on 2021-09-16

CVE-2021-3766

Improperly Controlled Modification of Dynamically-Determined Object Attributes in npm/objection

objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Added on 2021-09-16

CVE-2021-40494

Use of Hard-coded Credentials in pypi/lxdui

A Hardcoded JWT Secret Key in metadata.py in AdaptiveScale LXDUI allows attackers to gain admin access to the host system.

Added on 2021-09-16

CVE-2021-40529

Use of a Broken or Risky Cryptographic Algorithm in conan/botan

The ElGamal implementation in Botan, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

Added on 2021-09-16

CVE-2021-28567

Incorrect Authorization in packagist/magento/community-edition

Magento is vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation.

Added on 2021-09-16

CVE-2021-36163

Deserialization of Untrusted Data in maven/org.apache.dubbo/dubbo

In Apache Dubbo, users may choose to use the Hessian protocol.

Added on 2021-09-16

CVE-2021-37701

Path Traversal in npm/tar

This npm package has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted.

Added on 2021-09-16

CVE-2021-28566

Information Exposure in packagist/magento/community-edition

Magento is vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

Added on 2021-09-16

CVE-2021-39197

Cross-Site Request Forgery (CSRF) in gem/better_errors

better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors did not implement CSRF protection for its internal requests.

Added on 2021-09-16

CVE-2020-26300

Command Injection in npm/systeminformation

systeminformation is an npm package that provides a system and OS information library for node.js. In systeminformation there is a command injection vulnerability. The problem was fixed with shell string sanitization.

Added on 2021-09-16

CVE-2021-36440

Unrestricted Upload of File with Dangerous Type in packagist/showdoc/showdoc

Unrestricted File Upload allows remote attackers to execute arbitrary code via the 'file_url' parameter.

Added on 2021-09-16

CVE-2021-23436

Access of Resource Using Incompatible Type (Type Confusion) in npm/immer

A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" || p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different types, yet the subsequent property access coerces the array to the string `__proto__`.

Added on 2021-09-13

CVE-2021-3757

Improperly Controlled Modification of Dynamically-Determined Object Attributes in npm/immer

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Added on 2021-09-13

CVE-2021-39192

Improper Privilege Management in npm/ghost

Ghost is a Node.js content management system. An error in the implementation of the limits service allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.

Added on 2021-09-13

CVE-2020-13929

Improper Authentication in maven/org.apache.zeppelin/zeppelin

An authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user.

Added on 2021-09-13

CVE-2021-27911

Cross-site Scripting in packagist/mautic/core

Mautic is vulnerable to an inline JS XSS attack through the contact's first or last name, triggered when viewing a contact's details page, clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can be populated from different sources such as UI, API, 3rd party syncing, forms, etc.

Added on 2021-09-13

CVE-2021-27910

Cross-site Scripting in packagist/mautic/core

Insufficient sanitization / filtering allows for arbitrary JavaScript injection in Mautic using the bounce management callback function. An attacker with access to the bounce management callback function (identified with the Mailjet webhook, but it is assumed this will work uniformly across all kinds of webhooks) can inject arbitrary JavaScript code into the `error` and `error_related_to` parameters of the POST request (`POST /mailer/<product / webhook>/callback`). It is noted that there is no authentication needed to access this function. The JavaScript code is stored permanently in the web application and executed every time an authenticated user views the details page of a single contact / lead in Mautic. This means arbitrary code can be executed to, e.g., steal or tamper with information.

Added on 2021-09-13

CVE-2021-27909

Cross-site Scripting in packagist/mautic/core

There is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter `bundle` in the URL could allow an attacker to execute JavaScript code. The attacker would be required to convince or trick the target into clicking a password reset URL with the vulnerable parameter utilized.

Added on 2021-09-13

CVE-2021-23438

Access of Resource Using Incompatible Type (Type Confusion) in npm/mpath

This affects the package mpath. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the expression `ignoreProperties.indexOf(parts[i])` returns `-1` if `parts[i]` is `['__proto__']`, so the guard `!== -1` does not block it. This is because `Array.prototype.indexOf()` compares the array element by reference, whereas the check was written with a string `parts[i]` in mind, where `String.prototype.indexOf()` would apply. The two behave differently depending on the type of the input, while the later property access coerces `['__proto__']` to the string `__proto__`.

Added on 2021-09-13
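
The array-key type confusion behind the set-value (CVE-2021-23440), immer (CVE-2021-23436) and mpath (CVE-2021-23438) entries above is easy to reproduce against any deep-set helper that compares path segments as strings. The following is an added example, not code from those packages or from the GitLab database: a minimal deep-set function with the string-only guard, the bypass with an array segment, and a hardened version that normalizes every segment with `String()` before checking it and only descends into own properties. The helper names, the forbidden-key list and the sample path are constructed for illustration.

```javascript
// Added example, not code from set-value, immer or mpath.
// Demonstrates why `key === '__proto__'` and `list.indexOf(key) !== -1`
// are bypassed when `key` is the array ['__proto__'], and how to fix it.

const FORBIDDEN = ['__proto__', 'constructor', 'prototype'];

// Vulnerable: guards compare the raw segment, but obj[key] coerces an
// array key via toString(), so obj[['__proto__']] is obj['__proto__'].
function setPathVulnerable(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    // ['__proto__'] === '__proto__' is false (different types) and
    // FORBIDDEN.indexOf(['__proto__']) is -1 (array compared by reference).
    if (key === '__proto__' || FORBIDDEN.indexOf(key) !== -1) {
      return target;
    }
    if (i === path.length - 1) {
      cur[key] = value;
    } else {
      if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
      cur = cur[key]; // with key ['__proto__'] this is Object.prototype
    }
  }
  return target;
}

// Hardened: normalize the segment to the same string the property access
// will use, reject forbidden names, and never walk into inherited props.
function setPathSafe(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]); // String(['__proto__']) === '__proto__'
    if (FORBIDDEN.includes(key)) {
      throw new TypeError(`refusing to set forbidden key "${key}"`);
    }
    if (i === path.length - 1) {
      cur[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
        cur[key] = {};
      }
      cur = cur[key];
    }
  }
  return target;
}

// Runs both helpers against a constructed malicious path and reports
// whether Object.prototype was polluted in each case.
function demo() {
  const maliciousPath = [['__proto__'], 'polluted']; // constructed input

  const guardsBypassed =
    (['__proto__'] === '__proto__') === false &&
    FORBIDDEN.indexOf(['__proto__']) === -1;

  setPathVulnerable({}, maliciousPath, 'yes');
  const pollutedAfterVulnerable = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the global damage

  let safeThrew = false;
  try {
    setPathSafe({}, maliciousPath, 'yes');
  } catch (e) {
    safeThrew = e instanceof TypeError;
  }
  const pollutedAfterSafe = ({}).polluted === 'yes';

  const normal = setPathSafe({}, ['a', 'b'], 1); // benign use still works

  return { guardsBypassed, pollutedAfterVulnerable, safeThrew, pollutedAfterSafe, normal };
}

console.log(demo());
```

The fix is the same one the three advisories describe from the other side: coerce each segment to a string before comparing it, so the guard and the property access see the same key. Checking own properties before descending additionally prevents walking into inherited objects such as `Object.prototype` through a segment like `toString`.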

CVE-2021-39187

Improper Handling of Exceptional Conditions in npm/parse-server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch.

Added on 2021-09-13

CVE-2021-23437

Out-of-bounds Read in pypi/Pillow

The pillow package is vulnerable to Regular Expression Denial of Service (ReDoS) via the `getrgb` function.

Added on 2021-09-13