Advisories

Jerryscript was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc.c.

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. Vulnerability ID: OTF-001 Vulnerability type: Improper Input Sanitization Threat level: Elevated

An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1-1 via the function H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c. This vulnerability can lead to a Denial of Service (DoS).

Sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state.

Due to a sudden upstream breaking change by Bitly, versions of bitlyshortener <0.6.0 generate invalid short URLs. All users are affected and must update immediately.

Impact A vulnerability exists in Pterodactyl Panel <= 1.6.6 that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to. It is important to note that a malicious user must first compromise an existing API key for a …

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. Vulnerability ID: OTF-006 Vulnerability type: Broken Website Hardening Control Threat level: Low

The package cached-path-relative is vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as proto, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in …

The package min-dash is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.

Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx

Improper Access Control in Packagist microweber/microweber prior to 1.2.11.

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.hazelcast.jet:hazelcast-jet.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.hazelcast:hazelcast.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in de.tum.in.ase:artemis-java-test-sandbox.

Cross-site Scripting (XSS) in NuGet OrchardCore.Application.Cms.Targets.

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

managers/views/iframe.js in FuturePress EPub.js allows XSS.

orchardcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

When using Apache Knox SSO, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign.

Jenkins Warnings Next Generation Plugin does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

This affects all versions of package convert-svg-core; all versions of package convert-svg-to-png; all versions of package convert-svg-to-jpeg. Using a specially crafted SVG file, an attacker could read arbitrary files from the file system and then show the file content as a converted PNG file.

Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

Code Injection in Packagist microweber/microweber prior to 1.2.11.

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. Vulnerability ID: OTF-004 Vulnerability type: Improper Access Control Threat level: Moderate

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. Vulnerability ID: OTF-009 Vulnerability type: Improper Access Control Threat level: Low

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test. Vulnerability ID: OTF-003 Vulnerability type: Improper Access Control Threat level: Moderate

Impact Minecraft Bedrock authentication and its protocol encryption are inseparably linked. One is not complete without the other. This vulnerability affects servers which are able to be directly connected to via the internet (i.e. not behind a proxy). If you are using a proxy, please check that it supports protocol encryption and that it is enabled. Technical details Basics The client generates a private ECC key clientPriv which it uses …

ezsystems/ezpublish-kernel versions 7.5.* before 7.5.26 are vulnerable to certain injection attacks and unauthorized access to some image files.

livehelperchat is vulnerable to Generation of Error Message Containing Sensitive Information

This is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces using gradio<2.4.8. Because of the way that static files were being served, someone who generated a public Gradio link and shared it with others would potentially be exposing the files on the computer that generated the link, while the link was active. An attacker would be able to view the contents of a file on the …

Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.

We’d like to disclose an arbitrary code execution vulnerability in IPython that stems from IPython executing untrusted files in CWD. This vulnerability allows one user to run code as another. Proof of concept User1: mkdir -m 777 /tmp/profile_default mkdir -m 777 /tmp/profile_default/startup echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/foo.py User2: cd /tmp ipython User2 will see: Python 3.9.7 (default, Oct 25 2021, 01:04:21) Type 'copyright', 'credits' or 'license' for more …

A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 vis the function H5T__complete_copy () at /hdf5/src/H5T.c. This vulnerability causes an aritmetic exception, leading to a Denial of Service (DoS).

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when …

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. Vulnerability ID: OTF-012 Vulnerability type: Denial of Service Threat level: Moderate

Impact Due to this library's use of an inefficient algorithm, it is vulnerable to a denial of service attack when a maliciously crafted input is passed to DecodeFromBytes or other CBOR decoding mechanisms in this library. Affected versions include versions 4.0.0 through 4.5.0. This vulnerability was privately reported to me. Patches This issue has been fixed in version 4.5.1. Users should use the latest version of this library. (The latest …

Impact Due to this library's use of an inefficient algorithm, it is vulnerable to a denial of service attack when a maliciously crafted input is passed to DecodeFromBytes or other CBOR decoding mechanisms in this library. Affected versions include versions 4.0.0 through 4.5.0. This vulnerability was privately reported to me. Patches This issue has been fixed in version 4.5.1. Users should use the latest version of this library. (The latest …

Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat

calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)

When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not had editing access to, as long as they have left a comment or reply somewhere on the site.

calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

calibre-web is vulnerable to Business Logic Errors

Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.

In api.rb in Sidekiq, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.

There is an Assertion 'ecma_object_check_class_name_is_object (obj_p)' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript

There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript

There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT && arguments_type != SCANNER_ARGUMENTS_PRESENT_NO_REG' failed at /jerry-core/parser/js/js-scanner-util.c in Jerryscript

There is an Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' failed at /parser/js/js-parser-expr.c(parser_parse_class_body) in JerryScript

There is an Assertion 'context_p->token.type == LEXER_LITERAL' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript

There is an Assertion 'ecma_is_lexical_environment (object_p)' failed at /base/ecma-helpers.c(ecma_get_lex_env_type) in JerryScript

There is an Assertion 'type == ECMA_OBJECT_TYPE_GENERAL || type == ECMA_OBJECT_TYPE_PROXY' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript

There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at /jerry-core/ecma/base/ecma-literal-storage.c in JerryScript

There is an Assertion 'ecma_is_lexical_environment (obj_p) || !ecma_op_object_is_fast_array (obj_p)' failed at /jerry-core/ecma/base/ecma-helpers.c in JerryScript

There is an Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c in JerryScript

There is an Assertion 'lit_is_valid_cesu8_string (string_p, string_size)' failed at /base/ecma-helpers-string.c(ecma_new_ecma_string_from_utf8) in JerryScript

There is an Assertion 'context_p->stack_top_uint8 == SCAN_STACK_TRY_STATEMENT || context_p->stack_top_uint8 == SCAN_STACK_CATCH_STATEMENT' failed at /parser/js/js-scanner.c(scanner_scan_statement_end) in JerryScript

There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript

There is an Assertion 'page_p != NULL' failed at /parser/js/js-parser-mem.c(parser_list_get) in JerryScript

There is an Assertion 'flags & PARSER_PATTERN_HAS_REST_ELEMENT' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript

There is an Assertion 'cesu8_cursor_p == cesu8_end_p' failed at /jerry-core/lit/lit-strings.c in JerryScript

Jerryscript was discovered to contain a stack overflow via ecma_op_object_find_own in /ecma/operations/ecma-objects.c.

In Apache Airflow This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for.

Cross-site Scripting (XSS) - Stored XSS in Packagist pimcore/pimcore.

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (.

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors.

log4js-node is a port of log4js to node. fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

Istio is an open platform to connect, manage, and secure microservices. Istio is vulnerable to a privilege escalation attack. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as Pod. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is …

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Istio is an open platform to connect, manage, and secure microservices. In Istio The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from to /1.12.1. Istio supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the data plane. A bug in the incorrectly uses the new Envoy API with …

wolfSSL uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS or DTLS This occurs because of misplaced memory initialization in BuildMessage in internal.c.

Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore

Sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state.

The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL.See the AppCheck advisory for further information and associated caveats.

Within the Umbraco CMS, a configuration element named "UmbracoApplicationUrl" (or just "ApplicationUrl") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than, if the Application URL is not specifically configured, the attacker can manipulate this …

By design, the JDBCAppender in Log4j accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j when …

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore

In Ericsson CodeChecker, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.

Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore

This advisory has been marked as False Positive and removed.

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j where the same issue exists.

JMSSink in all versions of Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j when specifically configured …

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j where the same issue exists.

An issue was discovered in Spipu HTML2PDF Attackers can trigger deserialization of arbitrary data via the injection of a malicious tag in the converted HTML document.

Business Logic Errors in GitHub repository pimcore/pimcore

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

managers/views/iframe.js in FuturePress EPub.js allows XSS.

When using Apache Knox SSO, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign.

icecoder is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

By passing invalid javascript code where await and yield were called upon non-async and non-generator getter/setter functions, Hermes would invoke generator functions and error out on invalid await/yield positions. This could result in segmentation fault as a consequence of type confusion error, with a low chance of RCE. This issue affects Hermes versions prior to v0.10.0.

An issue was discovered in JerryScript commit a6ab5e9. There is an Use-After-Free in lexer_compare_identifier_to_string in js-lexer.c file.

A bug in Frontier's MODEXP precompile implementation can cause an integer underflow in certain conditions. This will cause a node crash for debug builds. For release builds (and production WebAssembly binaries), the impact is limited as it can only cause a normal EVM out-of-gas. It is recommended that you apply the patch as soon as possible. If you do not use MODEXP precompile in your runtime, then you are not …

A bug in Frontier's MODEXP precompile implementation can cause an integer underflow in certain conditions. This will cause a node crash for debug builds. For release builds (and production WebAssembly binaries), the impact is limited as it can only cause a normal EVM out-of-gas. It is recommended that you apply the patch as soon as possible. If you do not use MODEXP precompile in your runtime, then you are not …

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to …

The regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time …

The regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time …

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to …

Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user. Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework., an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup. The issue has been patched in Build (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their installation manually as a workaround.

October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup. The issue has been patched in Build 473 (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch …

October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents PHP execution in the CMS templates.The issue has been patched in Build 473 (v1.0.473) and v1.1.6. Those unable to upgrade …

October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework., an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents PHP execution in the CMS templates. The issue has been patched in Build (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their …

The package nanoid is vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Impact A remote attacker may crash a server by sending PlayerActionPacket with invalid facing values (e.g. negative), specifically with START_BREAK or CRACK_BLOCK actions, or with a UseItemTransactionData (typically in InventoryTransactionPacket). Patches f126479c37ff00a717a828f5271cf8e821d12d6c Workarounds Using a plugin, cancel DataPacketReceiveEvent if the packet is PlayerActionPacket and the facing is outside the range 0-5 when receiving START_BREAK or CRACK_BLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases. …

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In v1.3.0, the wildcard is ignored entirely in …

Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.

Jenkins Credentials Binding Plugin prior to 1.27.1 and 1.24.1 does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file. Credentials Binding Plugin 1.27.1 and 1.24.1 performs permission checks when validating secret file credentials IDs.

A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.

Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Improper Neutralization in @openzeppelin/contracts.

Improper Neutralization in @openzeppelin/contracts-upgradeable.

Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

snipe-it is vulnerable to Improper Access Control

Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.

A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task.

Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.

Impact What kind of vulnerability is it? Who is impacted? colors package caused zalgo-like output (see https://github.com/soketi/soketi/issues/276, https://github.com/Marak/colors.js/issues/289), breaking the servers. Only NPM users that recently upgraded or installed the NPM package are affected. Docker users seem to not be affected as the dependencies were bundled at the time of the build, which were tested. Patches Has the problem been patched? What versions should users upgrade to? Latest patch. 0.26.1 …

Impact The net/http Go package has a reported vulnerability tracked under CVE-2021-44716 which allows attacker controlled HTTP/2 requests to trigger unbounded memory usage in HTTP/2 endpoints. gRPC endpoints are not vulnerable as they rely on their own HTTP/2 implementation instead of the net/http package. HTTP/2 endpoints consuming the net/http package within SPIRE server and agent (or other components in this repository) that are on by default include the following: OIDC …

@replit/crosis is a JavaScript client that speaks Replit's container protocol. A vulnerability that involves exposure of sensitive information exists When using this library as a way to programmatically communicate with Replit in a standalone fashion, if there are multiple failed attempts to contact Replit through a WebSocket, the library will attempt to communicate using a fallback poll-based proxy. The URL of the proxy has changed, so any communication done to …

Due to a flaw in pipenv's parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with "pipenv install -r requirements.txt") to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker …

GNOME gdk-pixbuf is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals 12

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Jenkins Configuration as Code Plugin used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.

snipe-it is vulnerable to Improper Access Control

Jenkins Debian Package Builder Plugin implements functionality that allows agents to invoke command-line git at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller.

Jenkins Docker Commons Plugin does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository.

Jenkins Badge Plugin does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in oro/platform.

keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins Matrix Project Plugin does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Pillow is the friendly PIL (Python Imaging Library) fork. path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.

Missing permission checks in Jenkins SSH Agent Plugin allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query.

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

A cross-site request forgery (CSRF) vulnerability in Jenkins allows attackers to trigger build of job without parameters when no security realm is set.

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method ImageMath.eval("exec(exit())"). While Pillow 9.0.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted in 9.0.1.

shelljs is vulnerable to Improper Privilege Management

NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in which ../ Path Traversal may lead to deletion of any directory when admin privileges are available.

Apache Guacamole do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.

Apache Guacamole may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

Lua are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.

There is a Heap-use-after-free in intrapred.h when decoding a file using dec265.

A open redirect vulnerability exists in Action Pack that could allow an attacker to craft a X-Forwarded-Host headers in combination with certain allowed host formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

markdown-it is a Markdown parser. special patterns with length greater than thousand characterss could slow down the parser significantly. Users should upgrade to to receive a patch. There are no known workarounds aside from upgrading.

There is an Assertion scaling_list_pred_matrix_id_delta==1 failed at sps.cc:925 in libde265 when decoding a file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.

A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*).

A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::WasmBinaryBuilder::readFunctions.

A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*).

A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::Tuple::validate.

The package extend2 is vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.

A Stack Overflow vulnerability exists in Binaryen via the printf_common function.

A stack-buffer-overflow exists in libde265 via fallback-motion.cc in function put_epel_hv_fallback when running program dec265.

LibTIFF has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.

An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.

An Out-of-bounds Read vulnerability exists in libde265 due to a SEGV in slice.cc.

colors is a library for including colored text in node.js consoles. Between January, colors were published including malicious code that caused a Denial of Service due to an infinite loop. Software dependent on these versions experienced the printing of randomized characters to console and an infinite loop resulting in unbound system resource consumption.

All versions of package realms-shim is vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.

All versions of package realms-shim is vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.

A Denial of Service vulnerability exists in Binaryen The program terminates with signal SIGKILL.

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string.

Kentico Xperience allows XSS via an XML document to the Media Libraries subsystem.

dolibarr is vulnerable to Business Logic Errors

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. A vulnerability was found that may allow template authors could run restricted static php methods.

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

A deserialization vulnerability existed in dubbo hessian-lite and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution.

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

An issue in protobuf-java (JRuby gem) allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users’ passwords with minimal to no computational effort.

Impact The regex used for the forge.util.parseUrl API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior. Patches forge.util.parseUrl and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API. Workarounds Ensure code does not directly or indirectly call forge.util.parseUrl with untrusted input. References https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/ For more information …

Pac4j v5.1 and earlier allows (by default) clients to accept and successfully validate ID Tokens with "none" algorithm (i.e., tokens with no signature) which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key …

Impact The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way. Patches The forge.debug API and related functions were removed in 1.0.0. Workarounds Don't use the …

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information.

In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application.

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.

In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in …

If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting …

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact

A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Renderer v0.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted sb3 file.

In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks.

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact

The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

Impact forge.util.setPath had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself. Patches The forge.util.setPath API and related functions were removed in 0.10.0. Workarounds Don't call forge.util.setPath directly or indirectly with untrusted keys. References https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720 For more information If you have any questions or comments about this advisory: Open an issue in forge. Email us at support@digitalbazaar.com.

Impact What kind of vulnerability is it? Who is impacted? There was a wrong behavior when reading POST requests, making the server crash if it couldn't read the body. In case a POST request was sent to any endpoint of the server with an empty body, even unauthenticated with the Pusher Protocol, it would simply just crash the server for trying to send a response after the request closed. All …

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information.

bookstack is vulnerable to Improper Access Control

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.

Lru crate has two functions for getting an iterator. Both iterators give references to key and value. Calling specific functions, like pop(), will remove and free the value, and but it's still possible to access the reference of value which is already dropped causing use after free.

Common/Grav.php in Grav before 1.7 has an Open Redirect. This is partially fixed in 1.6.23 and still present in 1.6.x.

Common/Grav.php in Grav before 1.7 has an Open Redirect. This is partially fixed in 1.6.23 and still present in 1.6.x.

A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulnerability; In (very limited) circumstances a user may be able provoke the buffer overflow, the user is most likely already privileged to at least provoke …

Incomplete string comparison vulnerability exits in cvxopt.org cvxop <= 1.2.6 in APIs (cvxopt.cholmod.diag, cvxopt.cholmod.getfactor, cvxopt.cholmod.solve, cvxopt.cholmod.spsolve), which allows attackers to conduct Denial of Service attacks by construct fake Capsule objects.

Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: OSS-Fuzz Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. Severity CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can …

Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: OSS-Fuzz Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. Severity CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can …

Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: OSS-Fuzz Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. Severity CVE-2021-22569 High - CVSS Score:, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy …

An issue was discovered in the rdiff crate through version 0.1.2 for Rust. Window may read from uninitialized memory locations.

Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior. The problem was fixed in commit cdff034 by zero-initializing the buffer before passing it to a user-provided Read implementation.

Affected versions of this crate called mem::uninitialized() to create values of a user-supplied type T. This is unsound e.g. if T is a reference type (which must be non-null and thus may not remain uninitialized). The flaw was corrected by avoiding the use of mem::uninitialized(), using MaybeUninit instead.

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_extension_others may read from uninitialized memory locations.

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string_primitive may read from uninitialized memory locations.

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_binary may read from uninitialized memory locations.

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string may read from uninitialized memory locations.

Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.

Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. There are two of such cases (go_offset_log::read_entry() & offset_log::read_entry()). Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.

Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation (within fn preamble_skipcount()). Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.

Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.

An issue was discovered in the bronzedb-protocol crate through 2021-01-03 for Rust. ReadKVExt may read from uninitialized memory locations.

An issue was discovered in the bite crate through 2020-12-31 for Rust. read::BiteReadExpandedExt::read_framed_max may read from uninitialized memory locations.

An issue was discovered in the binjs_io crate through 2021-01-03 for Rust. The Read method may read from uninitialized memory locations.

An issue was discovered in the ash crate before 0.33.1 for Rust. util::read_spv may read from uninitialized memory locations.

An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. read_up_to may read from uninitialized memory locations.

An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. fill_buf may read from uninitialized memory locations.

Kylin can receive user input and load any class through Class.forName(…). This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.

A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information.

The implementation does not enforce alignment requirements on input slices while incorrectly assuming 4-byte alignment through an unsafe call to std::slice::from_raw_parts_mut, which breaks the contract and introduces undefined behavior. This affects Chacha20 encryption and decryption in crypto2.

An issue was discovered in the tremor-script crate before 0.11.6 for Rust. A patch operation may result in a use-after-free.

An issue was discovered in the tremor-script crate before 0.11.6 for Rust. A merge operation may result in a use-after-free.

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. update_hook has a use-after-free.

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_collation has a use-after-free.

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_window_function has a use-after-free.

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. rollback_hook has a use-after-free.

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_aggregate_function has a use-after-free.

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. commit_hook has a use-after-free.

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_scalar_function has a use-after-free.

Affected versions contained a pair of use-after-free issues with the objects returned by the get_format_info and get_context methods of Stream objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference upon their own destruction.

Affected versions contained a pair of use-after-free issues with the objects returned by the get_format_info and get_context methods of Stream objects. These objects were mistakenly being constructed without setting an important flag to prevent destruction of the underlying C objects they reference upon their own destruction.

An issue was discovered in uriparser It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.

An issue was discovered in uriparser It performs invalid free operations in uriNormalizeSyntax.

forge is vulnerable to URL Redirection to Untrusted Site

An issue was discovered in the simple_asn1 crate 0.6.0 before 0.6.1 for Rust. There is a panic if UTCTime data, supplied by a remote attacker, has a second character greater than 0x7f.

A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

Impact Some skin data fields (e.g. skinID, geometryName) are not capped in length. These fields are typically saved in the NBT data of a player when the player quits the server, or during an autosave. This is problematic due to the 32767 byte limit on TAG_Strings. If any of these fields exceeds 32767 bytes, an exception will be thrown during data saving, which will cause the server to crash. Other …

Anyone who uses total_size(..) function to partial read the length of any FixVec will get an incorrect result, due to an incorrect implementation. This has been resolved in the 0.7.2 release.

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints does not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

An issue was discovered in the ckb crate before 0.40.0 for Rust. A get_block_template RPC call may fail in situations where it is supposed to select a Nervos CKB blockchain transaction with a higher fee rate than another transaction.

Lodash versions prior to 4.17.21 is vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Lodash versions prior to 4.17.21 is vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Lodash versions prior to 4.17.21 is vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

If a tokio::sync::oneshot channel is closed (via the oneshot::Receiver::close method), a data race may occur if the oneshot::Sender::send method is called while the corresponding oneshot::Receiver is awaited or calling try_recv. When these methods are called concurrently on a closed channel, the two halves of the channel can concurrently access a shared memory location, resulting in a data race. This has been observed to cause memory corruption. Note that the race …

pytorch-lightning is vulnerable to Deserialization of Untrusted Data.

An issue was discovered in the nanorand crate before 0.6.1 for Rust. There can be multiple mutable references to the same object because the TlsWyRand Deref implementation dereferences a raw pointer.

When running in debug mode and the debug-embed (off by default) feature is not enabled, the generated get method does not check that the input path is a child of the folder given. This allows attackers to read arbitrary files in the file system if they have control over the filename given. The following code will print the contents of your /etc/passwd if adjusted with a correct number of ../s …

An issue was discovered in the libpulse-binding crate before 2.6.0 for Rust. It mishandles a panic that crosses a Foreign Function Interface (FFI) boundary.

An issue was discovered in the vec-const crate before 2.0.0 for Rust. It tries to construct a Vec from a pointer to a const slice, leading to memory corruption.

On certain platforms, if a user has more than 16 groups, the nix::unistd::getgrouplist function will call the libc getgrouplist function with a length parameter greater than the size of the buffer it provides, resulting in an out-of-bounds write and memory corruption. The libc getgrouplist function takes an in/out parameter ngroups specifying the size of the group buffer. When the buffer is too small to hold all of the requested user's …

An issue was discovered in the derive-com-impl crate before 0.1.2 for Rust. An invalid reference (and memory corruption) can occur because AddRef might not be called before returning a pointer.

An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly coerce an immutable reference into a mutable reference, leading to memory corruption.

An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly extend the lifetime of a string, leading to memory corruption.

An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can add the Send marker trait to an object that cannot be sent between threads safely, leading to memory corruption.

In the affected versions of the crate, AtomicBucket unconditionally implements Send/Sync traits. Therefore, users can create a data race to the inner T: !Sync by using the AtomicBucket::data_with() API. Such data races can potentially cause memory corruption or other undefined behavior. The flaw was fixed in commit 8e6daab by adding appropriate Send/Sync bounds to the Send/Sync impl of struct Block (which is a data type contained inside AtomicBucket).

A flaw was found in podman. The podman machine function (used to create and manage Podman virtual machine containing a Podman process) spawns a gvproxy process on the host system. The gvproxy API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the gvproxy API to forward ports on the host to ports …

NLTK is vulnerable to REDoS in some RegexpTaggers used in the functions get_pos_tagger and malt_regex_tagger.

An issue was discovered in the pnet crate before 0.27.2 for Rust. There is a segmentation fault (upon attempted dereference of an uninitialized descriptor) because of an erroneous IcmpTransportChannelIterator compiler optimization.

An issue was discovered in the zeroize_derive crate before 1.1.1 for Rust. Dropped memory is not zeroed out for an enum.

In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.

In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.

The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to a Regular Expression Denial of Service (ReDoS) attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. The effect of this vulnerability is noticeable with the following example: from nltk.tokenize import word_tokenize n = …

In the threshold signature scheme, participants start by dividing secrets into shares using a secret sharing scheme. The Verifiable Secret Sharing scheme generates shares from the user’s IDs but does not properly validate them. Using a malicious ID will make other users reveal their secrets during the secret-sharing procedure. In addition, a second issue resulting from lack of validation could cause nodes to crash when sent maliciously formed user IDs.

The mopa crate redefines the deprecated TraitObject struct from core::raw. This is done to then transmute a reference to a trait object (&dyn Trait for any trait Trait) into this struct and retrieve the data field for the purpose of downcasting. This is used to implement downcast_ref_unchecked(), in terms of which downcast_ref() is also implemented. Same goes for mutable reference downcasting and Box downcasting. The Rust compiler explicitly reserves the …

The v0.9.7 release of the sha2 crate introduced a new AVX2-accelerated backend which was automatically enabled for all x86/x86_64 CPUs where AVX2 support was autodetected at runtime. This backend was buggy and would miscompute results for long messages (i.e. messages spanning multiple SHA blocks). The crate has since been yanked, but any users who upgraded to v0.9.7 should immediately upgrade to v0.9.8 and recompute any hashes which were previously computed …

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and …

Pac4j v5.1 allows (by default) clients to accept and successfully validate ID Tokens with none algorithm (i.e., tokens with no signature) which is not secure and violates the OpenID Core Specification. The none algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using none as the value of alg key in the …

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library’s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server’s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid. The security update addresses the vulnerability by fixing the bugs disclosed in the ECC …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.h2database:h2.

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.powernukkit:powernukkit.

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kyl

Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the …

The "first name" and "last name" fields of the Apache Pluto MVCBean JSP portlet maven archetype is vulnerable to Cross-Site Scripting (XSS) attacks.

The input fields of the Apache Pluto UrlTestPortlet is vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to of the v3-demo-portlet.war artifact

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet is vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to of the applicant-mvcbean-cdi-jsp-portlet.war artifact

A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.

It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.

invoiceninja is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * …

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.

A flaw was found in http-proxy-agent, It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no certification.Then, clients could execute code remotely.

Jawn is an open source JSON parser. Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. jawn-parser-1.3.1 fixes this issue and users are advised to upgrade. For users unable to upgrade override objectContext() to use a collision-safe collection.

project_configure function exist remote code execute in Gerapy < 0.9.8

Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions.

An issue was discovered in the raw-cpuid crate before 9.1.1 for Rust. If the serialize feature is used (which is not the the default), a Deserialize operation may lack sufficient validation, leading to memory corruption or a panic.

It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).

An issue was discovered in the ckb crate before 0.40.0 for Rust. Attackers can cause a denial of service (Nervos CKB blockchain node crash) via a dead call that is used as a DepGroup.

Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation (ColumnarReadExt::read_typed_vec()). Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.

Impact Players can fill book pages with as many characters as they like; the server does not check this. In addition, the maximum of 50 pages is also not enforced, meaning that players can create "book bombs". This causes a variety of problems: Oversized NBT on the wire costing excess bandwidth for server and client Server crashes when saving region-based worlds due to exceeding maximum chunk size of 1 MB …

archivy is vulnerable to Cross-Site Request Forgery (CSRF). There is a fix available in the master branch.

An authenticated user can execute arbitrary command, see more in https://github.com/Gerapy/Gerapy/issues/211.

An issue was discovered in the ckb crate before 0.40.0 for Rust. Remote attackers may be able to conduct a 51% attack against the Nervos CKB blockchain by triggering an inability to allocate memory for the misbehavior HashMap.

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro and prior versions. Users should update to which addresses this issue.

An issue was discovered in the abomonation crate through version 0.7.3 for Rust. Because transmute operations are insufficiently constrained, there can be an information leak or ASLR bypass.

Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrary redirected due to incomplete URL handling in the shopware router. This issue has been resolved There is no workaround and users are advised to upgrade as soon as possible.

A Stack-based Buffer Overflow Vulnerability exists in HDF5 at at hdf5/src/H5Eint.c, which causes a Denial of Service (context-dependent).

A heap-based buffer overflow vulnerability exists in HDF5 via H5F_addr_decode_len in /hdf5/src/H5Fint.c, which could cause a Denial of Service.

A Stack-based Buffer Overflow Vulnerability exists in HDF5 via the H5D__create_chunk_file_map_hyper function in /hdf5/src/H5Dchunk.c, which causes a Denial of Service (context-dependent).

Shopware is an open source e-commerce software platform.With the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can't be used to login with said account. This also means, that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either /etc/hosts, …

Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12.7 in posts.php. Attackers can use the posts column to upload the title and content containing malicious code to achieve the purpose of obtaining the administrator cookie, thereby achieving other malicious operations.

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

uppy is vulnerable to Server-Side Request Forgery (SSRF)

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions.This vulnerability had been patched in Apache James and higher. We recommend the upgrade.

Apache Geode is vulnerable to log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords.

OroPlatform is a PHP Business Application Platform. an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that is vulnerable to Prototype Pollution. This issue has been patched Users unable to upgrade may configure a firewall to drop requests containing next strings: proto, constructor[prototype], and constructor.prototype to mitigate this issue.

Apache James prior to release is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information.

This advisory has been marked as a false positive.

OroPlatform is a PHP Business Application Platform.An attacker must have permission to create or edit an email template. For successful payload, execution the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as is possible.

Latte is an open source template engine for PHP. Users unable to upgrade should not accept template input from untrusted sources.

Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.

CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the old() function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade as advised to not …

HDF5 which causes a Denial of Service.

showdoc is vulnerable to Generation of Error Message Containing Sensitive Information

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

admin/limits.php in Dolibarr allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.

CGI::Cookie.parse in Ruby mishandles security prefixes in cookie names. This also affects the CGI gem for Ruby.

Date includes a ReDoS vulnerability.

HarfBuzz has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).

OpenEXR has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

libbpf has a heap-based buffer overflow (8 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).

Open Asset Import Library (aka assimp) has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).

GDAL has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).

uWebSockets has an out-of-bounds write in std::__1::pair<unsigned int, void*> uWS::HttpParser::fenceAndConsumePostPadded<0 (called from uWS::HttpParser::consumePostPadded and std::__1::__function::__func<LLVMFuzzerTestOneInput::$_0, std::__1::allocator<LL).

libbpf has a heap-based buffer overflow (4 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).

jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications.As a workaround, the user can use formatting that wrap whole user input and its no op. The code for this workaround is available in the GitHub Security Advisory. The fix will only work when user of the library is not using different formatters (e.g. to highlight code in different way).

Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams., malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to to receive a patch. There are no known workarounds aside from upgrading.

This affects the package celery It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

Apache Log4j2

MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding …

Netgen Tags Bundle allows XSS in the Tags Admin interface.

basic/BasicAuthProvider.java in AuthGuard allows authentication via an inactive identifier.

showdoc is vulnerable to Cross-Site Request Forgery (CSRF)

The package parse-link-header is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.

All versions of package js-data is vulnerable to Prototype Pollution via the deepFillIn and the set functions.

elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

cordova-plugin-fingerprint-aio is a plugin provides a single and simple interface for accessing fingerprint APIs on both Android 6+ and iOS. The exported activity de.niklasmerz.cordova.biometric.BiometricActivity can cause the app to crash. This vulnerability occurred because the activity didn't handle the case where it is requested with invalid or empty data which results in a crash. Any third party app can constantly call this activity with no permission. A 3rd party app/attacker …

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * …

A flaw was found in podman. The podman machine function (used to create and manage Podman virtual machine containing a Podman process) spawns a gvproxy process on the host system. The gvproxy API is accessible on port on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the gvproxy API to forward ports on the host to ports in …

A Null Pointer Dereference vulnerability existfs in nasm rc0 via asm/preproc.c.

An infinite loop vulnerability exists in nasm rc0 via the gpaste_tokens function.

lib/cmd.js in the node-windows package for Node.js allows command injection via the PID parameter.

Ajax.Releases are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details.

A Denial of Service vulnerability exits in Binaryen due to an assertion abort in wasm::handle_unreachable.

A Denial of Service vulnerability exists in Binaryen due to an Invalid memory address dereference in wasm::WasmBinaryBuilder::visitLet.

The Contact Form, Drag and Drop Form Builder for WordPress plugin does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.

In OAuth2 Proxy from version 5.1.1 and less than version 6.0.0, users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access. This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially …

In OAuth2 Proxy before 5.1.1, there is an open redirect vulnerability. Users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access. This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially …

The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819

Sourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL method in cmd/frontend/auth/redirect.go, such as for the //foo//example.com substring.

OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0.

Sourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL method in cmd/frontend/auth/redirect.go, such as for the //foo//example.com substring.

jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into <blockquote> tag with including multibyte characters, an internal regular expression for escaping characters may consume an excessive amount of computing resources. …

The root cause of this security vulnerability is in the Tendermint specification, and this advisory is a duplicate of https://github.com/tendermint/spec/security/advisories/GHSA-jqfc-687g-59pw. Impact Tendermint light clients running versions 0.34.0 to 0.34.8 are unable to detect and punish a new kind of attack. We’re calling this a “forward lunatic attack,” or FLA. The severity of this vulnerability is moderate. Note that an FLA cannot be successfully executed unless there are already ⅓+ Byzantine …

libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.

An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).

TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (without changing chainID). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the …

Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.

OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm-groovy-lint.

The API server in OpenShift Origin 1.0.5 allows remote attackers to cause a denial of service (master process crash) via crafted JSON data.

Authelia is a a single sign-on multi-factor portal for web apps. This affects uses who are using nginx ngx_http_auth_request_module with Authelia, it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this …

Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.

Abusively constructed YAML payload can significantly reduce parsing performance potentially leading to DoS.

Contrary to the OCI runtime specification runc's implementation of the linux.resources.devices list was a black-list by default. This means that users who created their own config.json objects and didn't prefix a deny-all rule ({"allow": false, "permissions": "rwm"} or equivalent) were not provided protection by the devices cgroup.

CSRF in Bitly oauth2_proxy 2.1 during authentication flow

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other …

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other …

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other …

RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.

Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.

Apache PLC4X - PLC4C (Only the C language implementation was effected) was vulnerable to an unsigned integer underflow flaw inside the tcp transport. Users should update to, which addresses this issue. However, in order to exploit this vulnerability, a user would have to actively connect to a mallicious device which could send a response with invalid content. Currently we consider the probability of this being exploited as quite minimal, however …

This advisory has been marked as a false positive.

Buffer overflow in ajaxsoundstudio.com Pyo <= 1.03 in the Server_jack_init function which allows attackers to conduct Denial of Service attacks by arbitrary constructing a overlong client_name.

Apache Log4j2 does not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

Null pointer reference in CMS_Conservative_increment_obj in RaRe-Technologies bounter version 1.01 and 1.10, allows attackers to conduct Denial of Service attacks by inputting a huge width of hash bucket.

This affects the package unisharp/laravel-filemanager from The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: - Install a package with a web Laravel application. - Navigate to the Upload window - Upload an image file, then capture the request - Edit the request contents with a malicious file (webshell) - Enter the path of file uploaded on …

A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.

jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. users is vulnerable to a regular expression denial-of-service (ReDoS) attack. If attacker can put a lot of JSX elements into <blockquote> tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources. jsx-slack v4.5.1 has patched to a regex for escaping blockquote characters.

Null Pointer Dereference vulnerability exists in numpy.sort in NumPy &lt in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays.

Incomplete string comparison in the numpy.core allows attackers to fail the APIs via constructing specific string objects.

There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions.

All versions of package dojo is vulnerable to Prototype Pollution via the setObject function.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ru.yandex.clickhouse:clickhouse-jdbc-bridge.

An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.

Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php.

yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

All versions of package http-server-node is vulnerable to Directory Traversal via use of –path-as-is.

message_bus is a messaging bus for Ruby processes and web clients. users who deployed message bus with diagnostics features enabled (default off) is vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of …

In the TransformXML processor of Apache NiFi an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use to share important states.

In logback version 1.2.9 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.

Buffer Overflow Vulnerability exists in the Server_debug function, which allows remote attackers to conduct DoS attacks by deliberately passing on an overlong audio file name.

Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values.

An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information.

An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.

An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations.

yetiforcecrm is vulnerable to Business Logic Errors

yetiforcecrm is vulnerable to Business Logic Errors

Impact The impacted portion of the XTDB connector is its connectivity to S3 as a backing store: this is the only portion of the connector that uses this vulnerable httpclient dependency. Per the description, the vulnerability regards URIs that may be misinterpreted, which given the area of impact within the connector we understand to be any URI used to configure connectivity to S3. Note therefore that if you do not …

What kind of vulnerability is it? Who is impacted?

The Auth0 Next.js does not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Impact Originally reported in iTXTech/Genisys#1188 PotterHarry98 potterharry98 deop PotterHarry98 will remove potterharry98 from the ops.txt but not PotterHarry98. Operator permissions are checked using Config->exists() with lowercase=true, which will result in a match: https://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449 This means that it's possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters. Patches 4d37b79ff7f9d9452e988387f97919a9a1c4954e Workarounds This can be easily addressed by removing the offending lines from ops.txt …

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

The package md-to-pdf are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

iTextPDF in iText 7 and up to allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these …

bookstack is vulnerable to Improper Access Control

Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.

All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.

yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF)

In GNU Mailman, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.

Impact UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype version 2.0.0 have a maven dependency with scope test to log4j 2.8.2 and might be affected by CVE-2021-44228. Patches The issue has been resolved in de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for generating new PEAR projects. Existing maven PEAR projects can be patched by manually upgrading to log4j >= 2.16.0 in pom.xml. References …

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value …

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already had. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched …

ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability

SQL Injection vulnerability exists in ThinkPHP5 via the parseOrder function in Builder.php.

A Cross Site Scripting (XSS) vulnerability exists in Dolibarr via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service sulu_route.generator.expression_token_provider and wrap the translator before passing it to the expression language.

This vulnerability affects all users of the perseus deploy functionality who have not exported their sites to static files. If you are using the inbuilt Perseus server in production, there is a memory leak in Actix Web stemming from this upstream issue which can allow even a single user to cause the process to exhaust its memory on low-memory servers by continuously reloading the page. Note that this issue does …

Microsoft PowerShell Spoofing Vulnerability

A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

The issue was mostly mitigated before, drastically reducing the risk. See references below for more information. Impact Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of the target being part of the Opencast cluster or not. Previous mitigations already prevented clear text authentications for such requests …

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

Initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.opencastproject:opencast-common.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.splunk.logging:splunk-library-javalogging.

It was found that the fix to address CVE-2021-44228 in Apache Log4j was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in …

It was found that the fix to address CVE-2021-44228 in Apache Log4j was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in …

Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Opencast is an Open Source Lecture Capture & Video Management for Education.You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.

Opencast is an Open Source Lecture Capture & Video Management for Education.You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.

This advisory has been marked as a False Positive and has been removed.

A security vulnerability that causes buffer overflow when you pass a very large string ( MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows. Please update the cgi gem to,1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", " " to your Gemfile. Alternatively, please update Ruby to This issue has been introduced …

JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in …

This CVE has been marked as a False Positive and has been removed. Programs using log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in …

JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in …

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end …

The olm_session_describe function in Matrix libolm is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. …

Opencast is an Open Source Lecture Capture & Video Management for Education.You can mitigate the problem by setting the SameSite=Strict attribute for your cookies. If this is a viable option for you depends on your integrations. We strongly recommend updating in any case.

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions otherwise put on these types of requests and aids in cross-site request forgery (CSRF) attacks, which would …

The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5.