Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 4.9 days (on average).

CVE-2021-23382

Uncontrolled Resource Consumption in npm/postcss

The package postcss is vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`.

Added on 2021-05-05

CVE-2021-31607

Command Injection in pypi/salt

In SaltStack Salt, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).

Added on 2021-05-05

CVE-2021-21431

Improper Input Validation in pypi/sopel-plugins.channelmgnt

sopel-channelmgnt is a channelmgnt plugin for sopel.

Added on 2021-05-05

CVE-2021-26291

Origin Validation Error in maven/org.apache.maven/maven

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.

Added on 2021-05-05

CVE-2021-31408

Insufficient Session Expiration in maven/com.vaadin/flow

`Authentication.logout()` uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

Added on 2021-05-05

CVE-2020-36325

Out-of-bounds Read in conan/jansson

An issue was discovered in Jansson. Due to a parsing error in `json_loads`, there's an out-of-bounds read-access bug.

Added on 2021-05-05

CVE-2021-29469

Uncontrolled Resource Consumption in npm/redis

When a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched.

Added on 2021-05-04

CVE-2021-20228

Information Exposure in pypi/ansible

A flaw was found in the Ansible Engine, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.

Added on 2021-05-04

CVE-2021-31671

Cleartext Transmission of Sensitive Information in gem/pgsync

In pgsync, syncing the schema with the `--schema-first` and `--schema-only` options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used.

Added on 2021-05-04

CVE-2021-29443

Information Exposure Through Discrepancy in npm/jose

jose is an npm library providing a number of cryptographic operations.

Added on 2021-05-03

CVE-2021-29446

Information Exposure Through Discrepancy in npm/jose

jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions.

Added on 2021-05-03

CVE-2021-29444

Information Exposure Through Discrepancy in npm/jose

jose-browser-runtime is an npm package which provides a number of cryptographic functions.

Added on 2021-05-03

CVE-2021-29445

Information Exposure Through Discrepancy in npm/jose

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions.

Added on 2021-05-03

CVE-2021-23375

Command Injection in npm/psnode

This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.

Added on 2021-05-03

CVE-2021-23358

Code Injection in npm/underscore

The package underscore from , from are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Added on 2021-05-03

CVE-2020-23922

Out-of-bounds Read in conan/giflib

An issue was discovered in giflib: DumpScreen2RGB in `gif2rgb.c` has a heap-based buffer over-read.

Added on 2021-05-03

CVE-2021-31406

Information Exposure Through Discrepancy in maven/com.vaadin/flow

Non-constant-time comparison of CSRF tokens in endpoint request handler allows attacker to guess a security token for Fusion endpoints via timing attack.

Added on 2021-05-03

CVE-2021-31404

Information Exposure Through Discrepancy in maven/com.vaadin/flow

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server (Vaad ) (Vaad ) (Vaad ) (Vaad ) (Vaad ) allows attacker to guess a security token via timing attack.

Added on 2021-05-03

CVE-2021-23374

Command Injection in npm/ps-visitor

This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.

Added on 2021-05-03

CVE-2021-20087

Prototype Pollution in npm/jquery-deparam

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2021-31597

Improper Certificate Validation in npm/xmlhttprequest-ssl

The xmlhttprequest-ssl package for Node.js disables SSL certificate validation by default, because `rejectUnauthorized` (when the property exists but is undefined) is considered to be false within the `https.request` function of Node.js. In other words, no certificate is ever rejected.

Added on 2021-05-03

CVE-2021-25928

Prototype Pollution in npm/safe-obj

Prototype pollution vulnerability in `safe-obj` allows an attacker to cause a denial of service and may lead to remote code execution.

Added on 2021-05-03

CVE-2021-23379

Command Injection in npm/portkiller

This affects all versions of package portkiller. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.

Added on 2021-05-03

CVE-2021-20089

Prototype Pollution in npm/purl

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2021-23368

Uncontrolled Resource Consumption in npm/postcss

The package postcss from are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Added on 2021-05-03

CVE-2021-20088

Prototype Pollution in npm/mootools-more

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2021-20086

Prototype Pollution in npm/jquery-bbq

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq allows a malicious user to inject properties into `Object.prototype`.

Added on 2021-05-03

CVE-2021-20085

Prototype Pollution in npm/backbone-query-parameters

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters allows a malicious user to inject properties into Object.prototype.

Added on 2021-05-03

CVE-2021-23376

Command Injection in npm/ffmpegdotjs

This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.

Added on 2021-05-03

CVE-2021-3163

Cross-site Scripting in npm/quill

A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field.

Added on 2021-04-30

CVE-2021-23378

Command Injection in npm/picotts

This affects all versions of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

Added on 2021-04-30

CVE-2021-23371

Uncontrolled Resource Consumption in npm/chrono-node

This affects the package chrono-node; it hangs on a date-like string with lots of embedded spaces.

Added on 2021-04-30

CVE-2021-23377

Command Injection in npm/onion-oled-js

If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the `child_process` `exec` function without input sanitization.

Added on 2021-04-30

CVE-2021-29438

Cross-site Scripting in npm/@nextcloud/dialogs

The Nextcloud dialogs library insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to an XSS vulnerability. The vulnerability has been patched. If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag.

Added on 2021-04-30

CVE-2021-29452

Improper Privilege Management in npm/a12n-server

A new HAL-Form was added to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked, allowing any logged in user to make this change.

Added on 2021-04-30

CVE-2021-23380

Command Injection in npm/roar-pidusage

If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the `child_process` exec function without input sanitization.

Added on 2021-04-30

CVE-2021-23370

Prototype Pollution in npm/swiper

swiper is vulnerable to prototype pollution.

Added on 2021-04-30

CVE-2021-23381

Command Injection in npm/killing

If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

Added on 2021-04-30

CVE-2021-28965

Improper Restriction of XML External Entity Reference in gem/rexml

The REXML gem does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

Added on 2021-04-30

CVE-2021-29435

Cross-Site Request Forgery (CSRF) in gem/trestle-auth

trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials.

Added on 2021-04-30

CVE-2021-30130

Improper Verification of Cryptographic Signature in packagist/phpseclib/phpseclib

phpseclib mishandles RSA PKCS#1 v1.5 signature verification.

Added on 2021-04-30

CVE-2021-28168

Incorrect Permission Assignment for Critical Resource in maven/org.glassfish.jersey.core/jersey-common

Eclipse Jersey to and Eclipse Jersey to contains a local information disclosure vulnerability.

Added on 2021-04-30

CVE-2021-23336

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in pypi/Django

When the attacker can separate query parameters using a semicolon (`;`), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Added on 2021-04-30

CVE-2021-29425

Path Traversal in maven/commons-io/commons-io

In Apache Commons IO, when invoking the method `FileNameUtils.normalize` with an improper input string, the result would be the same value, thus possibly providing access to files in the parent directory, but not further above, if the calling code would use the result to construct a path value.

Added on 2021-04-30

CVE-2021-21647

Missing Authorization in maven/io.jenkins.plugins/electricflow

Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

Added on 2021-04-30

CVE-2021-29451

Improper Verification of Cryptographic Signature in maven/com.manydesigns/portofino

Portofino is an open source web development framework. Portofino did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming release.

Added on 2021-04-30

CVE-2021-30459

SQL Injection in pypi/django_debug_toolbar

A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form.

Added on 2021-04-30

CVE-2021-29434

Cross-site Scripting in pypi/wagtail

When saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail (for the branch) and Wagtail (for the current branch).

Added on 2021-04-30

CVE-2021-27905

Server-Side Request Forgery (SSRF) in maven/org.apache.solr/solr-core

The `ReplicationHandler` (normally registered at `/replication` under a Solr core) in Apache Solr has a `masterUrl` (also `leaderUrl` alias) parameter that is used to designate another `ReplicationHandler` on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the `shards` parameter.

Added on 2021-04-28

CVE-2020-23915

Out-of-bounds Read in conan/cpp-peglib

A heap-based buffer over-read was discovered in cpp-peglib's `peg::resolve_escape_sequence()` in `peglib.h`.

Added on 2021-04-28

CVE-2021-21392

URL Redirection to Untrusted Site (Open Redirect) in pypi/matrix-synapse

Synapse is a Matrix reference homeserver written in Python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse, requests to user-provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See referenced GitHub security advisory for details and workarounds.

Added on 2021-04-28

CVE-2020-23914

NULL Pointer Dereference in conan/cpp-peglib

A NULL pointer dereference was discovered in cpp-peglib's `peg::AstOptimizer::optimize()` located in `peglib.h`. It allows an attacker to cause a Denial of Service.

Added on 2021-04-28

CVE-2021-28156

Improper Input Validation in go/github.com/hashicorp/consul/acl

HashiCorp Consul Enterprise's audit log can be bypassed by specifically crafted HTTP events. An attacker could maliciously craft valid HTTP requests with specific parameters which cause the HTTP event to be incorrectly excluded from Consul Enterprise’s audit log.

Added on 2021-04-26

CVE-2020-25864

Cross-site Scripting in go/github.com/hashicorp/consul/acl

A vulnerability was identified in Consul and Consul Enterprise such that a specially crafted key-value entry could be used to perform a cross-site scripting (XSS) attack when viewed in Consul KV API’s raw mode.

Added on 2021-04-26

CVE-2021-29429

Insecure Temporary File in maven/org.gradle/gradle-core

In Gradle, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through `TextResourceFactory` are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.

Added on 2021-04-23

CVE-2021-21394

Improper Input Validation in pypi/matrix-synapse

Synapse is a Matrix reference homeserver written in Python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers. This could cause excessive use of disk space and memory, leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them.

Added on 2021-04-23

CVE-2021-29338

Integer Overflow or Wraparound in conan/openjpeg

Integer Overflow in OpenJPEG allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option `-ImgDir` on a directory that contains files.

Added on 2021-04-23

CVE-2021-29428

Creation of Temporary File With Insecure Permissions in maven/org.gradle/gradle-core

In Gradle, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.

Added on 2021-04-23

CVE-2021-27673

Cross-site Scripting in packagist/tribalsystems/zenario

Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when creating a new HTML component.

Added on 2021-04-23

CVE-2021-27850

Deserialization of Untrusted Data in maven/org.apache.tapestry/tapestry-core

A critical unauthenticated remote code execution vulnerability was found in Apache Tapestry. The vulnerability found is a bypass of the fix for CVE-2019-0195. Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`, which contains an HMAC secret key. The fix for that bug was an ignore filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Unfortunately, the ignore list solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the ignore list check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. `CommonsBeanUtils1` from `ysoserial`).

Added on 2021-04-23

CVE-2021-24028

Release of Invalid Pointer or Reference in conan/thrift

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.

Added on 2021-04-23

CVE-2021-24028

Release of Invalid Pointer or Reference in go/github.com/facebook/fbthrift/thrift/lib/go/thrift

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.

Added on 2021-04-23

CVE-2021-27672

SQL Injection in packagist/tribalsystems/zenario

SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML component.

Added on 2021-04-23

CVE-2021-21409

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/org.apache.zookeeper/zookeeper

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (`io.netty:netty-codec-http2`), which is used by zookeeper, there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single `Http2HeaderFrame` with `endStream` set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case.

Added on 2021-04-23

CVE-2021-21393

Improper Input Validation in pypi/matrix-synapse

Synapse is a Matrix reference homeserver written in Python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers. This could cause excessive use of disk space and memory, leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them.

Added on 2021-04-23