Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 3.1 days (on average).

CVE-2021-21641

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/promoted-builds

A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin allows attackers to promote builds.

Added on 2021-04-14

CVE-2020-23761

Cross-site Scripting in packagist/intelliants/subrion

Cross Site Scripting (XSS) vulnerability in subrion CMS allows remote attackers to execute arbitrary web script via the "payment gateway" column on transactions tab.

Added on 2021-04-14

CVE-2021-20305

Use of a Broken or Risky Cryptographic Algorithm in conan/nettle

A flaw was found in Nettle, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Added on 2021-04-11

CVE-2021-28163

Improper Link Resolution Before File Access in maven/org.eclipse.jetty/jetty-client

In Eclipse Jetty to beta2 to beta2 to, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Added on 2021-04-10

CVE-2021-22696

Uncontrolled Resource Consumption in maven/org.apache.cxf/cxf-rt-frontend-jaxrs

CXF supports (via `JwtRequestCodeFilter`) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a `request` parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the `request_uri` parameter. CXF was not validating the `request_uri` parameter (apart from ensuring it uses https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section of the spec.

Added on 2021-04-10

CVE-2021-22696

Uncontrolled Resource Consumption in maven/org.apache.cxf/cxf-rt-rs-security-xml

CXF supports (via `JwtRequestCodeFilter`) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a `request` parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the `request_uri` parameter. CXF was not validating the `request_uri` parameter (apart from ensuring it uses https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section of the spec.

Added on 2021-04-10

CVE-2021-22696

Uncontrolled Resource Consumption in maven/org.apache.cxf/cxf-api

CXF supports (via `JwtRequestCodeFilter`) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a `request` parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the `request_uri` parameter. CXF was not validating the `request_uri` parameter (apart from ensuring it uses https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section of the spec.

Added on 2021-04-10

CVE-2021-22696

Uncontrolled Resource Consumption in maven/org.apache.cxf/cxf-rt-transports-http

CXF supports (via `JwtRequestCodeFilter`) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a `request` parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the `request_uri` parameter. CXF was not validating the `request_uri` parameter (apart from ensuring it uses https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section of the spec.

Added on 2021-04-10

CVE-2021-30074

Cross-site Scripting in npm/docsify

docsify is affected by Cross Site Scripting (XSS) because the search component does not appropriately encode Code Blocks and mishandles the `"` character.

Added on 2021-04-10

CVE-2021-22696

Uncontrolled Resource Consumption in maven/org.apache.cxf/cxf-core

CXF supports (via `JwtRequestCodeFilter`) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a `request` parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the `request_uri` parameter. CXF was not validating the `request_uri` parameter (apart from ensuring it uses https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section of the spec.

Added on 2021-04-10

CVE-2020-17453

Cross-site Scripting in maven/org.wso2.identity/identity-server-parent

WSO2 Management Console allows XSS via the `carbon/admin/login.jsp` msgId parameter.

Added on 2021-04-10

CVE-2021-22890

Authentication Bypass by Spoofing in conan/libcurl

curl to and including includes a vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS session tickets. When using an HTTPS proxy and TLS, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, an HTTPS proxy can trick libcurl into using the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check, making an MITM attack possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

Added on 2021-04-10

CVE-2020-17453

Cross-site Scripting in maven/org.wso2.am.microgw/org.wso2.micro.gateway.core

WSO2 Management Console allows XSS via the `carbon/admin/login.jsp` msgId parameter.

Added on 2021-04-10

CVE-2021-21409

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/io.netty/netty-codec-http2

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of Final.

Added on 2021-04-10

CVE-2021-3447

Inclusion of Sensitive Information in Log Files in pypi/ansible

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the `no_log` feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform and Ansible Tower.

Added on 2021-04-10

CVE-2021-28164

Information Exposure in maven/org.eclipse.jetty/jetty-client

In Eclipse Jetty v20210219 to v20210224, the default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the WEB-INF directory. For example, a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application.

Added on 2021-04-10

CVE-2021-22696

Uncontrolled Resource Consumption in maven/org.apache.cxf/cxf

CXF supports (via `JwtRequestCodeFilter`) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a `request` parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the `request_uri` parameter. CXF was not validating the `request_uri` parameter (apart from ensuring it uses https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section of the spec.

Added on 2021-04-10

CVE-2021-28165

Uncontrolled Resource Consumption in maven/org.eclipse.jetty/jetty-client

In Eclipse Jetty to alpha0 to alpha0 to, CPU usage can reach % upon receiving a large invalid TLS frame.

Added on 2021-04-10

CVE-2021-28164

Information Exposure in maven/org.eclipse.jetty/jetty-util

In Eclipse Jetty the default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the WEB-INF directory. For example, a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application.

Added on 2021-04-10

CVE-2021-28163

Improper Link Resolution Before File Access in maven/org.eclipse.jetty/jetty-util

In Eclipse Jetty, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Added on 2021-04-10

CVE-2021-28165

Uncontrolled Resource Consumption in maven/org.eclipse.jetty/jetty-util

In Eclipse Jetty to alpha0 to alpha0 to, CPU usage can reach % upon receiving a large invalid TLS frame.

Added on 2021-04-10

CVE-2021-28164

Information Exposure in maven/org.eclipse.jetty/jetty-server

In Eclipse Jetty the default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the WEB-INF directory. For example, a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application.

Added on 2021-04-10

CVE-2021-28163

Improper Link Resolution Before File Access in maven/org.eclipse.jetty/jetty-server

In Eclipse Jetty, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Added on 2021-04-10

CVE-2021-28165

Uncontrolled Resource Consumption in maven/org.eclipse.jetty/jetty-server

In Eclipse Jetty to alpha0 to alpha0 to, CPU usage can reach % upon receiving a large invalid TLS frame.

Added on 2021-04-10

CVE-2021-28164

Information Exposure in maven/org.eclipse.jetty/jetty-http

In Eclipse Jetty the default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the WEB-INF directory. For example, a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application.

Added on 2021-04-10

CVE-2021-28163

Improper Link Resolution Before File Access in maven/org.eclipse.jetty/jetty-http

In Eclipse Jetty, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Added on 2021-04-10

CVE-2021-22876

Information Exposure in conan/libcurl

curl to and including is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Added on 2021-04-10

CVE-2021-21409

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/io.netty/netty

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of Final.

Added on 2021-04-10

CVE-2021-21409

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/io.netty/netty-all

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of Final.

Added on 2021-04-10

CVE-2021-21409

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/io.netty/netty-codec

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of Final.

Added on 2021-04-10

CVE-2021-21409

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/io.netty/netty-handler

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of Final.

Added on 2021-04-10

CVE-2021-21409

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in maven/io.netty/netty-codec-http

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of Final.

Added on 2021-04-10

CVE-2020-17453

Cross-site Scripting in maven/org.wso2.carbon.analytics-common/org.wso2.carbon.event.publisher.core

WSO2 Management Console allows XSS via the `carbon/admin/login.jsp` msgId parameter.

Added on 2021-04-10

CVE-2021-28165

Uncontrolled Resource Consumption in maven/org.eclipse.jetty/jetty-http

In Eclipse Jetty to alpha0 to alpha0 to, CPU usage can reach % upon receiving a large invalid TLS frame.

Added on 2021-04-10

CVE-2021-20289

Information Exposure Through an Error Message in maven/org.jboss.resteasy/resteasy-client

A flaw was found in RESTEasy where the endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

Added on 2021-04-09

CVE-2020-24391

Javascript Injection in npm/mongo-express

mongo-express offers support for certain advanced syntax but implements this in an unsafe way.

Added on 2021-04-09

CVE-2021-26919

Remote Code Execution in maven/org.apache.druid/druid

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes.

Added on 2021-04-09

CVE-2021-20289

Information Exposure Through an Error Message in maven/org.jboss.resteasy/resteasy-jaxrs

A flaw was found in RESTEasy where the endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

Added on 2021-04-09

CVE-2021-28657

Loop with Unreachable Exit Condition (Infinite Loop) in maven/org.apache.tika/tika-parsers

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser.

Added on 2021-04-09

CVE-2021-28657

Loop with Unreachable Exit Condition (Infinite Loop) in maven/org.apache.tika/tika-app

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser.

Added on 2021-04-09

CVE-2021-28657

Loop with Unreachable Exit Condition (Infinite Loop) in maven/org.apache.tika/tika-core

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser.

Added on 2021-04-09

CVE-2021-21389

Incorrect Authorization in packagist/buddypress/buddypress

BuddyPress is an open source WordPress plugin to build a community site. In vulnerable releases of BuddyPress, it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint.

Added on 2021-04-09

CVE-2021-28657

Loop with Unreachable Exit Condition (Infinite Loop) in maven/org.apache.tika/tika-server

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser.

Added on 2021-04-09

CVE-2021-21638

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/tfs

A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2021-04-06

CVE-2021-3479

Uncontrolled Resource Consumption in conan/openexr

There's a flaw in OpenEXR's Scanline API functionality. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.

Added on 2021-04-06

CVE-2021-28657

Loop with Unreachable Exit Condition (Infinite Loop) in maven/org.apache.tika/tika-bundle

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika Apache Tika users should upgrade to or later.

Added on 2021-04-06

CVE-2021-21637

Missing Authorization in maven/org.jenkins-ci.plugins/tfs

A missing permission check in Jenkins Team Foundation Server Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2021-04-06

CVE-2021-21636

Missing Authorization in maven/org.jenkins-ci.plugins/tfs

A missing permission check in Jenkins Team Foundation Server Plugin allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

Added on 2021-04-06

CVE-2021-3477

Out-of-bounds Read in conan/openexr

There's a flaw in OpenEXR's deep tile sample size calculations. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.

Added on 2021-04-06

CVE-2021-3478

Uncontrolled Resource Consumption in conan/openexr

There's a flaw in OpenEXR's scanline input file functionality. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.

Added on 2021-04-06

CVE-2021-21333

Injection Vulnerability in pypi/matrix-synapse

Synapse is a Matrix reference homeserver written in Python. Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker.

Added on 2021-04-02

CVE-2021-3449

NULL Pointer Dereference in conan/openssl

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation `ClientHello` message from a client. If a TLSv1.2 renegotiation `ClientHello` omits the `signature_algorithms` extension (where it was present in the initial `ClientHello`), but includes a `signature_algorithms_cert` extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue.

Added on 2021-04-02

CVE-2021-3450

Improper Certificate Validation in conan/openssl

The `X509_V_FLAG_X509_STRICT` flag enables additional security checks of the certificates present in a certificate chain. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a `purpose` has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named `purpose` values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A `purpose` is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the `X509_V_FLAG_X509_STRICT` verification flag and either not set a `purpose` for the certificate verification or, in the case of TLS client or server applications, override the default `purpose`.

Added on 2021-04-02

CVE-2021-21332

Cross-site Scripting in pypi/matrix-synapse

Synapse is a Matrix reference homeserver written in Python. Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.

Added on 2021-04-02