Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.7 days (on average).

CVE-2020-27850

Cross-site Scripting in packagist/wp-premium/gravityforms

A stored Cross-Site Scripting (XSS) vulnerability in the forms import feature in Rocketgenius Gravity Forms allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).

Added on 2021-01-22

CVE-2020-27851

Cross-site Scripting in packagist/wp-premium/gravityforms

Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms allow remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).

Added on 2021-01-22

CVE-2021-3007

Deserialization of Untrusted Data in packagist/laminas/laminas-http

Laminas Project laminas-http has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the `__destruct` method of the `Zend\Http\Response\Stream` class in `Stream.php`.

Added on 2021-01-22

CVE-2020-27852

Cross-site Scripting in packagist/wp-premium/gravityforms

A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).

Added on 2021-01-22

CVE-2020-27219

Cross-site Scripting in maven/org.eclipse.hawkbit/hawkbit-parent

In all versions of Eclipse Hawkbit M7, the HTTP (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non-existent resource will return the full path from the given URL unescaped to the client.

Added on 2021-01-22

CVE-2020-17534

Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) in maven/org.netbeans.html/webkit

There exists a race condition between the deletion of the temporary file and the creation of the temporary directory in `webkit` subproject of `HTML/Java` API.

Added on 2021-01-21

CVE-2021-3129

Code Injection in packagist/facade/ignition

Ignition, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of `file_get_contents()` and `file_put_contents()`. This is exploitable on sites using debug mode with Laravel

Added on 2021-01-21

CVE-2020-7794

Command Injection in npm/buns

This affects all versions of package buns. The injection point is located in line in index file `lib/index.js` in the exported function `install(requestedModule)`.

Added on 2021-01-21

CVE-2021-3007

Deserialization of Untrusted Data in packagist/zendframework/zendframework

Zend Framework has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the `__destruct` method of the `Zend\Http\Response\Stream` class in `Stream.php`.

Added on 2021-01-21

CVE-2020-23653

Deserialization of Untrusted Data in packagist/zoujingli/thinkadmin

An insecure unserialize vulnerability was discovered in ThinkAdmin in `app/admin/controller/api/Update.php` and `app/wechat/controller/api/Push.php`, which may lead to arbitrary remote code execution.

Added on 2021-01-20

CVE-2020-36191

Cross-Site Request Forgery (CSRF) in pypi/jupyterhub

JupyterHub allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a `/hub/api/user` request (to add or remove a user account).

Added on 2021-01-20

CVE-2021-23900

Uncontrolled Resource Consumption in maven/com.mikesamuel/json-sanitizer

OWASP json-sanitizer can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.

Added on 2021-01-20

CVE-2021-21614

Insufficiently Protected Credentials in maven/org.jenkins-ci.plugins/bumblebee

Jenkins Bumblebee HP ALM Plugin stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Added on 2021-01-20

CVE-2021-23899

Improper Restriction of XML External Entity Reference in maven/com.mikesamuel/json-sanitizer

OWASP json-sanitizer may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

Added on 2021-01-20

CVE-2021-21605

Improper Input Validation in maven/org.jenkins-ci.main/jenkins-core

Jenkins allows users with `Agent/Configure` permission to choose agent names that cause Jenkins to override the global `config.xml` file.

Added on 2021-01-20

CVE-2020-7784

Command Injection in npm/ts-process-promises

This affects all versions of package ts-process-promises. The injection point is located in line in main entry of package in `lib/process-promises.js`.

Added on 2021-01-20

CVE-2021-21607

Allocation of Resources Without Limits or Throttling in maven/org.jenkins-ci.main/jenkins-core

Jenkins does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

Added on 2021-01-18

CVE-2021-21606

Improper Input Validation in maven/org.jenkins-ci.main/jenkins-core

Jenkins improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.

Added on 2021-01-18

CVE-2021-21604

Deserialization of Untrusted Data in maven/org.jenkins-ci.main/jenkins-core

Jenkins allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

Added on 2021-01-18

CVE-2021-21602

Improper Link Resolution Before File Access in maven/org.jenkins-ci.main/jenkins-core

Jenkins allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

Added on 2021-01-18

CVE-2020-24025

Improper Certificate Validation in npm/node-sass

Certificate validation in node-sass is disabled when requesting binaries even if the user is not specifying an alternative download path.

Added on 2021-01-18

CVE-2021-21608

Cross-site Scripting in maven/org.jenkins-ci.main/jenkins-core

Jenkins does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

Added on 2021-01-18

CVE-2021-21611

Cross-site Scripting in maven/org.jenkins-ci.main/jenkins-core

Jenkins does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

Added on 2021-01-18

CVE-2021-21603

Cross-site Scripting in maven/org.jenkins-ci.main/jenkins-core

Jenkins does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

Added on 2021-01-18

CVE-2021-21609

Incorrect Authorization in maven/org.jenkins-ci.main/jenkins-core

Jenkins does not correctly match requested URLs to the list of always accessible paths, allowing attackers without `Overall/Read` permission to access some URLs as if they did have `Overall/Read` permission.

Added on 2021-01-18

CVE-2021-21610

Cross-site Scripting in maven/org.jenkins-ci.main/jenkins-core

Jenkins does not implement any restrictions for the URL rendering a formatted preview of markup passed as a `query` parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.

Added on 2021-01-18

CVE-2020-26294

OS Command Injection in go/github.com/go-vela/compiler

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In addition to upgrading, it is recommended to rotate all secrets.

Added on 2021-01-16

CVE-2020-26298

Cross-site Scripting in gem/redcarpet

In Redcarpet there is an injection vulnerability which can enable a cross-site scripting attack. This applies even when the `:escape_html` option was being used.

Added on 2021-01-16

CVE-2020-11995

Deserialization of Untrusted Data in maven/org.apache.dubbo/dubbo

A deserialization vulnerability existed in Dubbo which could lead to malicious code execution. Most Dubbo users use `Hessian2` as the default serialization/deserialization protocol. While `Hessian2` deserializes a HashMap object, some functions of the classes stored in the HashMap are executed after a series of program calls, and those special functions may cause remote command execution. For example, the `hashCode()` function of the EqualsBean class in rome-1.7.0.jar causes malicious classes to be loaded remotely and malicious code to be executed when a malicious request is constructed. This issue was fixed in Apache Dubbo

Added on 2021-01-16

CVE-2020-23849

Cross-site Scripting in npm/jsoneditor

Stored XSS was discovered in the tree mode of jsoneditor through injecting and executing JavaScript.

Added on 2021-01-15

CVE-2020-36190

Cross-site Scripting in gem/rails_admin

RailsAdmin (aka rails_admin) allows XSS via nested forms.

Added on 2021-01-15

CVE-2020-13922

Incorrect Default Permissions in maven/org.apache.dolphinscheduler/dolphinscheduler

Versions of Apache DolphinScheduler allowed an ordinary user under any tenant to override another user's password through the API interface.

Added on 2021-01-15

CVE-2020-35655

Out-of-bounds Read in pypi/Pillow

In Pillow, `SGIRleDecode` has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.

Added on 2021-01-13

CVE-2020-35653

Out-of-bounds Read in pypi/Pillow

In Pillow, `PcxDecode` has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.

Added on 2021-01-13

CVE-2020-28468

Code Injection in pypi/pwntools

This affects the package pwntools which can lead to remote code execution.

Added on 2021-01-13

CVE-2020-35654

Out-of-bounds Write in pypi/Pillow

In Pillow, `TiffDecode` has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

Added on 2021-01-13

CVE-2020-36177

Out-of-bounds Write in conan/wolfssl

RsaPad_PSS in `wolfcrypt/src/rsa.c` in wolfSSL has an out-of-bounds write for certain relationships between key size and digest size.

Added on 2021-01-13

CVE-2020-36049

Uncontrolled Resource Consumption in npm/socket.io-parser

`socket.io-parser` allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Added on 2021-01-13

CVE-2020-36048

Uncontrolled Resource Consumption in npm/engine.io

`engine.io` allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Added on 2021-01-13

CVE-2020-8264

Cross-site Scripting in gem/rails

In actionpack gem, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

Added on 2021-01-13

CVE-2020-26768

Cross-site Scripting in npm/formstone

Formstone is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the `upload-target.php` and `upload-chunked.php` files. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site once the URL is clicked or visited. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials, force malware execution, user redirection and others.

Added on 2021-01-13

CVE-2020-36066

Denial of Service in go/github.com/tidwall/gjson

GJSON allows attackers to cause a denial of service (remote) via crafted JSON.

Added on 2021-01-12

CVE-2020-17519

Files or Directories Accessible to External Parties in maven/org.apache.flink/flink-metrics-core

A change introduced in Apache Flink (and released as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink if their Flink instance(s) are exposed.

Added on 2021-01-12

CVE-2020-26759

Buffer Overflow in pypi/clickhouse-driver

clickhouse-driver allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.

Added on 2021-01-12

CVE-2020-17518

Path Traversal in maven/org.apache.flink/flink-metrics-core

Apache Flink introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP header. The files can be written to any location accessible by Flink. All users should upgrade to Flink if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from `apache/flink:master`.

Added on 2021-01-12

CVE-2020-27845

Heap-based Buffer Overflow in conan/openjpeg

There's a flaw in `src/lib/openjp2/pi.c` of openjpeg. If an attacker is able to provide untrusted input to openjpeg's `conversion/encoding` functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability.

Added on 2021-01-12

CVE-2020-27841

Out-of-bounds Write in conan/openjpeg

There's a flaw in openjpeg in `src/lib/openjp2/pi.c`. When an attacker is able to provide crafted input to be processed by the openjpeg encoder, this could cause an out-of-bounds read. The greatest impact from this flaw is to application availability.

Added on 2021-01-12

CVE-2020-27843

Out-of-bounds Read in conan/openjpeg

A flaw was found in OpenJPEG. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.

Added on 2021-01-12

CVE-2020-27842

Out-of-bounds Read in conan/openjpeg

There's a flaw in openjpeg's t2 encoder. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability.

Added on 2021-01-12

CVE-2020-27844

Out-of-bounds Write in conan/openjpeg

A flaw was found in openjpeg's `src/lib/openjp2/t2.c`. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Added on 2021-01-12

CVE-2020-26293

Cross-site Scripting in nuget/HtmlSanitizer

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag.

Added on 2021-01-12

CVE-2020-36067

Improper Validation of Array Index in go/github.com/tidwall/gjson

GJSON allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call.

Added on 2021-01-12

CVE-2020-36186

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.

Added on 2021-01-12

CVE-2020-36181

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.

Added on 2021-01-12

CVE-2020-36184

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.

Added on 2021-01-12

CVE-2020-36189

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.

Added on 2021-01-12

CVE-2020-36188

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.

Added on 2021-01-12

CVE-2020-36182

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.

Added on 2021-01-12

CVE-2020-36180

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.

Added on 2021-01-12

CVE-2020-36183

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.

Added on 2021-01-12

CVE-2020-36185

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.

Added on 2021-01-12

CVE-2020-36187

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.

Added on 2021-01-12

CVE-2020-36179

Deserialization of Untrusted Data in maven/com.fasterxml.jackson.core/jackson-databind

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing.

Added on 2021-01-12