Advisories

Aug 2021

Heap OOB in `ResourceScatterUpdate`

An attacker can trigger a read from outside of bounds of heap allocated data by sending invalid arguments to tf.raw_ops.ResourceScatterUpdate: import tensorflow as tf v = tf.Variable([b'vvv']) tf.raw_ops.ResourceScatterUpdate( resource=v.handle, indices=[0], updates=['1', '2', '3', '4', '5'])

Heap OOB in `RaggedGather`

If the arguments to tf.raw_ops.RaggedGather don't determine a valid ragged tensor code can trigger a read from outside of bounds of heap allocated buffers. import tensorflow as tf tf.raw_ops.RaggedGather( params_nested_splits = [0,0,0], params_dense_values = [1,1], indices = [0,0,9,0,0], OUTPUT_RAGGED_RANK=0) In debug mode, the same code triggers a CHECK failure.

Heap OOB in `RaggedGather`

If the arguments to tf.raw_ops.RaggedGather don't determine a valid ragged tensor code can trigger a read from outside of bounds of heap allocated buffers. import tensorflow as tf tf.raw_ops.RaggedGather( params_nested_splits = [0,0,0], params_dense_values = [1,1], indices = [0,0,9,0,0], OUTPUT_RAGGED_RANK=0) In debug mode, the same code triggers a CHECK failure.

Heap OOB in `RaggedGather`

If the arguments to tf.raw_ops.RaggedGather don't determine a valid ragged tensor code can trigger a read from outside of bounds of heap allocated buffers. import tensorflow as tf tf.raw_ops.RaggedGather( params_nested_splits = [0,0,0], params_dense_values = [1,1], indices = [0,0,9,0,0], OUTPUT_RAGGED_RANK=0) In debug mode, the same code triggers a CHECK failure.

Heap OOB and CHECK fail in `ResourceGather`

An attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.raw_ops.ResourceGather or a read from outside the bounds of heap allocated data in the same API in a release build: import tensorflow as tf tensor = tf.constant(value=[[1,2],[3,4],[5,6]],shape=(3,2),dtype=tf.uint32) v = tf.Variable(tensor) tf.raw_ops.ResourceGather( resource=v.handle, indices=[0], dtype=tf.uint32, batch_dims=10, validate_indices=False)

Heap OOB and CHECK fail in `ResourceGather`

An attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.raw_ops.ResourceGather or a read from outside the bounds of heap allocated data in the same API in a release build: import tensorflow as tf tensor = tf.constant(value=[[1,2],[3,4],[5,6]],shape=(3,2),dtype=tf.uint32) v = tf.Variable(tensor) tf.raw_ops.ResourceGather( resource=v.handle, indices=[0], dtype=tf.uint32, batch_dims=10, validate_indices=False)

Heap OOB and CHECK fail in `ResourceGather`

An attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.raw_ops.ResourceGather or a read from outside the bounds of heap allocated data in the same API in a release build: import tensorflow as tf tensor = tf.constant(value=[[1,2],[3,4],[5,6]],shape=(3,2),dtype=tf.uint32) v = tf.Variable(tensor) tf.raw_ops.ResourceGather( resource=v.handle, indices=[0], dtype=tf.uint32, batch_dims=10, validate_indices=False)

Heap buffer overflow in `FractionalAvgPoolGrad`

The implementation for tf.raw_ops.FractionalAvgPoolGrad can be tricked into accessing data outside of bounds of heap allocated buffers: import tensorflow as tf tf.raw_ops.FractionalAvgPoolGrad( orig_input_tensor_shape=[0,1,2,3], out_backprop = np.array([[[[541],[541]],[[541],[541]]]]), row_pooling_sequence=[0, 0, 0, 0, 0], col_pooling_sequence=[-2, 0, 0, 2, 0], overlapping=True)

Heap buffer overflow in `FractionalAvgPoolGrad`

The implementation for tf.raw_ops.FractionalAvgPoolGrad can be tricked into accessing data outside of bounds of heap allocated buffers: import tensorflow as tf tf.raw_ops.FractionalAvgPoolGrad( orig_input_tensor_shape=[0,1,2,3], out_backprop = np.array([[[[541],[541]],[[541],[541]]]]), row_pooling_sequence=[0, 0, 0, 0, 0], col_pooling_sequence=[-2, 0, 0, 2, 0], overlapping=True)

Heap buffer overflow in `FractionalAvgPoolGrad`

The implementation for tf.raw_ops.FractionalAvgPoolGrad can be tricked into accessing data outside of bounds of heap allocated buffers: import tensorflow as tf tf.raw_ops.FractionalAvgPoolGrad( orig_input_tensor_shape=[0,1,2,3], out_backprop = np.array([[[[541],[541]],[[541],[541]]]]), row_pooling_sequence=[0, 0, 0, 0, 0], col_pooling_sequence=[-2, 0, 0, 2, 0], overlapping=True)

Headers containing newline characters can split messages in hyper

Serializing of headers to the socket did not filter the values for newline bytes (\r or \n), which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an application constructs headers based on unsanitized user input. This issue was fixed by replacing all newline characters …

FPE in LSH in TFLite

An attacker can craft a TFLite model that would trigger a division by zero error in LSH implementation. int RunningSignBit(const TfLiteTensor* input, const TfLiteTensor* weight, float seed) { int input_item_bytes = input->bytes / SizeOfDimension(input, 0); // … } There is no check that the first dimension of the input is non zero.

FPE in LSH in TFLite

An attacker can craft a TFLite model that would trigger a division by zero error in LSH implementation. int RunningSignBit(const TfLiteTensor* input, const TfLiteTensor* weight, float seed) { int input_item_bytes = input->bytes / SizeOfDimension(input, 0); // … } There is no check that the first dimension of the input is non zero.

FPE in LSH in TFLite

An attacker can craft a TFLite model that would trigger a division by zero error in LSH implementation. int RunningSignBit(const TfLiteTensor* input, const TfLiteTensor* weight, float seed) { int input_item_bytes = input->bytes / SizeOfDimension(input, 0); // … } There is no check that the first dimension of the input is non zero.

FPE in `tf.raw_ops.UnravelIndex`

An attacker can cause denial of service in applications serving models using tf.raw_ops.UnravelIndex by triggering a division by 0: import tensorflow as tf tf.raw_ops.UnravelIndex(indices=-1, dims=[1,0,2])

Flaw in streaming state in orion

Affected versions of this crate did not properly reset a streaming state. Resetting a streaming state, without finalising it first, creates incorrect results. The flaw was corrected by not first checking if the state had already been reset, when calling reset().

File exposure in pleaser

pleaser before 0.4.0 allows a local unprivileged attacker to gain knowledge about the existence of files or directories in privileged locations via the search_path function, the –check option, or the -d option.

Exposure of uninitialized memory in memoffset

Affected versions of this crate caused traps and/or memory unsafety by zero-initializing references. They also could lead to uninitialized memory being dropped if the field for which the offset is requested was behind a deref coercion, and that deref coercion caused a panic. The flaw was corrected by using MaybeUninit.

Excessive memory usage in tokio-rustls

tokio-rustls does not call process_new_packets immediately after read, so the expected termination condition wants_read always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered. This may cause DoS.

Error on unsupported architectures in raw-cpuid

native_cpuid::cpuid_count() exposes the unsafe __cpuid_count() intrinsic from core::arch::x86 or core::arch::x86_64 as a safe function, and uses it internally, without checking the safety requirement: The CPU the program is currently running on supports the function being called. CPUID is available in most, but not all, x86/x86_64 environments. The crate compiles only on these architectures, so others are unaffected. This issue is mitigated by the fact that affected programs are expected to …

Double-free in id-map

A double free can occur in remove_set upon a panic in a Drop impl. When removing a set of elements, ptr::drop_in_place is called on each of the element to be removed. If the Drop impl of one of these elements panics then the previously dropped elements can be dropped again.

Double-free in id-map

The clone_from implementation for IdMap drops the values present in the map and then begins cloning values from the other map. If a .clone() call pancics, then the afformentioned dropped elements can be freed again. get_or_insert get_or_insert reserves space for a value, before calling the user provided insertion function f. If the function f panics then uninitialized or previously freed memory can be dropped. remove_set When removing a set of …

Double-free in id-map

A double free can occur in get_or_insert upon a panic of a user-provided f function. get_or_insert reserves space for a value, before calling the user provided insertion function f. If the function f panics then uninitialized or previously freed memory can be dropped.

Double free in through

An issue was discovered in the through crate through 2021-02-18 for Rust. There is a double free (in through and through_and) upon a panic of the map function.

Double free in sys-info

Affected versions of sys-info use a static, global, list to store temporary disk information while running. The function that cleans up this list, DFCleanup, assumes a single threaded environment and will try to free the same memory twice in a multithreaded environment. This results in consistent double-frees and segfaults when calling sys_info::disk_info from multiple threads at once. The issue was fixed by moving the global variable into a local scope.

Double free in smallvec

Attempting to call grow on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents. An attacker that controls the value passed to grow may exploit this flaw to obtain memory contents or gain remote code execution.

Double free in smallvec

If an iterator passed to SmallVec::insert_many panicked in Iterator::next, destructors were run during unwinding while the vector was in an inconsistent state, possibly causing a double free (a destructor running on two copies of the same value). This is fixed in smallvec 0.6.3 by ensuring that the vector's length is not updated to include moved items until they have been removed from their original positions. Items may now be leaked …

Double free in linea

Affected versions of this crate did not properly implements the Matrix::zip_elements method, which causes an double free when the given trait implementation might panic. This allows an attacker to corrupt or take control of the memory.

Double free in http

An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.

Double free in glsl-layout

Affected versions of this crate did not guard against panic within the user-provided function f (2nd parameter of fn map_array), and thus panic within f causes double drop of a single object. The flaw was corrected in the 0.4.0 release by wrapping the object vulnerable to a double drop within ManuallyDrop.

Double free in crossbeam

Even if an element is popped from a queue, crossbeam would run its destructor inside the epoch-based garbage collector. This is a source of double frees. The flaw was corrected by wrapping elements inside queues in a ManuallyDrop.

Double free in containers

Upon panic in a user-provided function f, fn mutate() & fn mutate2 drops twice a same object. Affected versions of this crate did not guard against double drop while temporarily duplicating an object's ownership with ptr::read(). Dropping a same object can result in memory corruption. The flaw was corrected in version "0.9.11" by fixing the code to abort upon panic.

Double free in arenavec

Affected versions of this crate did not guard against potential panics that may happen from user-provided functions T::default() and T::drop(). Panic within T::default() leads to dropping uninitialized T, when it is invoked from common::Slice::<T, H>::new(). Panic within T::drop() leads to double drop of T, when it is invoked either from common::SliceVec::<T, H>::resize_with() or common::SliceVec::<T, H>::resize() Either case causes memory corruption in the heap memory.

Double free in algorithmica

An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. In the affected versions of this crate, merge_sort::merge() wildly duplicates and drops ownership of T without guarding against double-free. Due to such implementation, simply invoking merge_sort::merge() on Vec<T: Drop> can cause double free bugs.

Division by zero in TFLite

The implementation of fully connected layers in TFLite is vulnerable to a division by zero error: const int batch_size = input_size / filter->dims->data[1]; An attacker can craft a model such that filter->dims->data[1] is 0.

Division by zero in TFLite

The implementation of fully connected layers in TFLite is vulnerable to a division by zero error: const int batch_size = input_size / filter->dims->data[1]; An attacker can craft a model such that filter->dims->data[1] is 0.

Division by zero in TFLite

The implementation of fully connected layers in TFLite is vulnerable to a division by zero error: const int batch_size = input_size / filter->dims->data[1]; An attacker can craft a model such that filter->dims->data[1] is 0.

Division by 0 in most convolution operators

Most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash: import tensorflow as tf tf.compat.v1.disable_v2_behavior() tf.raw_ops.Conv2D( input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32), filter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32), strides = [1, 1, 1, 1], padding = "SAME")

Division by 0 in most convolution operators

Most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash: import tensorflow as tf tf.compat.v1.disable_v2_behavior() tf.raw_ops.Conv2D( input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32), filter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32), strides = [1, 1, 1, 1], padding = "SAME")

Division by 0 in most convolution operators

Most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash: import tensorflow as tf tf.compat.v1.disable_v2_behavior() tf.raw_ops.Conv2D( input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32), filter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32), strides = [1, 1, 1, 1], padding = "SAME")

Division by 0 in `ResourceGather`

An attacker can trigger a crash via a floating point exception in tf.raw_ops.ResourceGather: import tensorflow as tf tensor = tf.constant(value=[[]],shape=(0,1),dtype=tf.uint32) v = tf.Variable(tensor) tf.raw_ops.ResourceGather( resource=v.handle, indices=[0], dtype=tf.uint32, batch_dims=1, validate_indices=False)

Division by 0 in `ResourceGather`

An attacker can trigger a crash via a floating point exception in tf.raw_ops.ResourceGather: import tensorflow as tf tensor = tf.constant(value=[[]],shape=(0,1),dtype=tf.uint32) v = tf.Variable(tensor) tf.raw_ops.ResourceGather( resource=v.handle, indices=[0], dtype=tf.uint32, batch_dims=1, validate_indices=False)

Division by 0 in `ResourceGather`

An attacker can trigger a crash via a floating point exception in tf.raw_ops.ResourceGather: import tensorflow as tf tensor = tf.constant(value=[[]],shape=(0,1),dtype=tf.uint32) v = tf.Variable(tensor) tf.raw_ops.ResourceGather( resource=v.handle, indices=[0], dtype=tf.uint32, batch_dims=1, validate_indices=False)

Divide By Zero

TensorFlow is an end-to-end open source platform for machine learning.We have patched the issue in GitHub commit aa137691ee23f03638867151f74935f. The fix will be included in TensorFlow We will also cherrypick this commit on TensorFlow, TensorFlow, and TensorFlow, as these are also affected and still in supported range.

Divide By Zero

TensorFlow is an end-to-end open source platform for machine learning. There is no check that the divisor tensor does not contain zero elements. We have patched the issue in GitHub commit 1e206baedf8bef0334cca3eb92bab134ef525a28. The fix will be included in TensorFlow We will also cherrypick this commit on TensorFlow, TensorFlow, and TensorFlow, as these are also affected and still in supported range.

Data races on syncpool

Affected versions of this crate unconditionally implements Send for Bucket2. This allows sending non-Send types to other threads. This can lead to data races when non Send types like Cell<T> or Rc<T> are contained inside Bucket2 and sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue). The flaw was corrected in commit 15b2828 by adding a …

Data races in v9

Affected versions of this crate unconditionally implement Sync for SyncRef<T>. This definition allows data races if &T is accessible through &SyncRef. SyncRef<T> derives Clone and Debug, and the default implementations of those traits access &T by invoking T::clone() & T::fmt(). It is possible to create data races & undefined behavior by concurrently invoking SyncRef<T>::clone() or SyncRef<T>::fmt() from multiple threads with T: !Sync.

Data races in unicycle

Affected versions of this crate unconditionally implemented Send & Sync for types PinSlab<T> & Unordered<T, S>. This allows sending non-Send types to other threads and concurrently accessing non-Sync types from multiple threads. This can result in a data race & memory corruption when types that provide internal mutability without synchronization are contained within PinSlab<T> or Unordered<T, S> and accessed concurrently from multiple threads. The flaw was corrected in commits 92f40b4 …

Data races in unicycle

Affected versions of this crate unconditionally implemented Send & Sync for types PinSlab<T> & Unordered<T, S>. This allows sending non-Send types to other threads and concurrently accessing non-Sync types from multiple threads. This can result in a data race & memory corruption when types that provide internal mutability without synchronization are contained within PinSlab<T> or Unordered<T, S> and accessed concurrently from multiple threads. The flaw was corrected in commits 92f40b4 …

Data races in try-mutex

Affected versions of this crate unconditionally implemented Sync trait for TryMutex type. This allows users to put non-Send T type in TryMutex and send it to another thread, which can cause a data race. The flaw was corrected in the 0.3.0 release by adding T: Send bound for the Sync trait implementation.

Data races in tiny_future

tiny_future contains a light-weight implementation of Futures. The Future type it has lacked bound on its Send and Sync traits. This allows for a bug where non-thread safe types such as Cell can be used in Futures and cause data races in concurrent programs. The flaw was corrected in commit c791919 by adding trait bounds to Future's Send and Sync.

Data races in ticketed_lock

Affected versions of this crate unconditionally implemented Send for ReadTicket & WriteTicket. This allows to send non-Send T to other threads. This can allows creating data races by cloning types with internal mutability and sending them to other threads (as T of ReadTicket/WriteTicket). Such data races can cause memory corruption or other undefined behavior. The flaw was corrected in commit a986a93 by adding T: Send bounds to Send impls of …

Data races in ticketed_lock

Affected versions of this crate unconditionally implemented Send for ReadTicket<T> & WriteTicket<T>. This allows to send non-Send T to other threads. This can allows creating data races by cloning types with internal mutability and sending them to other threads (as T of ReadTicket<T>/WriteTicket<T>). Such data races can cause memory corruption or other undefined behavior. The flaw was corrected in commit a986a93 by adding T: Send bounds to Send impls of …

Data races in thex

An issue was discovered in the thex crate through 2020-12-08 for Rust. Thex allows cross-thread data races of non-Send types.

Data races in signal-simple

Affected versions of this crate unconditionally implement Send/Sync for SyncChannel. SyncChannel doesn't provide access to &T but merely serves as a channel that consumes and returns owned T. Users can create UB in safe Rust by sending T: !Send to other threads with SyncChannel::send/recv APIs. Using T = Arc<Cell<_> allows to create data races (which can lead to memory corruption), and using T = MutexGuard allows to unlock a mutex …

Data races in scottqueue

An issue was discovered in the scottqueue crate through 2020-11-15 for Rust. There are unconditional implementations of Send and Sync for Queue. This allows (1) creating data races to a T: !Sync and (2) sending T: !Send to other threads, resulting in memory corruption or other undefined behavior.

Data races in rusb

Affected versions of rusb did not require UsbContext to implement Send and Sync. However, through Device and DeviceHandle it is possible to use UsbContexts across threads. This issue allows non-thread safe UsbContext types to be used concurrently leading to data races and memory corruption. The issue was fixed by adding Send and Sync bounds to UsbContext.

Data races in rulinalg

The affected version of rulinalg has incorrect lifetime boundary definitions for RowMut::raw_slice and RowMut::raw_slice_mut. They do not conform with Rust's borrowing rule and allows the user to create multiple mutable references to the same location. This may result in unexpected calculation result and data race if both references are used at the same time.

Data races in rocket

The affected version of rocket contains a Clone trait implementation of LocalRequest that reuses the pointer to inner Request object. This causes data race in rare combinations of APIs if the original and the cloned objects are modified at the same time.

Data races in reffers

ARefss<'a, V> is a type that is assumed to contain objects that are Send + Sync. In the affected versions of this crate, Send/Sync traits are unconditionally implemented for ARefss<'a, V>. By using the ARefss::map() API, we can insert a !Send or !Sync object into ARefss<'a, V>. After that, it is possible to create a data race to the inner object of ARefss<'a, V>, which can lead to undefined behavior …

Data races in rcu_cell

Affected versions of this crate unconditionally implement Send/Sync for RcuCell<T>. This allows users to send T: !Send to other threads (while T enclosed within RcuCell<T>), and allows users to concurrently access T: !Sync by using the APIs of RcuCell<T> that provide access to &T. This can result in memory corruption caused by data races.

Data races in parc

In the affected versions of this crate, LockWeak unconditionally implemented Send with no trait bounds on T. LockWeak doesn't own T and only provides &T. This allows concurrent access to a non-Sync T, which can cause undefined behavior like data races.

Data races in noise_search

Affected versions of the noise_search crate unconditionally implement Send/Sync for MvccRwLock. This can lead to data races when types that are either !Send or !Sync (e.g. Rc<T>, Arc<Cell<_>>) are contained inside MvccRwLock and sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue). Also, safe APIs of MvccRwLock allow aliasing violations by allowing &T and LockResult<MutexGuard<Box<T>>> to …

Data races in multiqueue2

Affected versions of this crate unconditionally implemented Send for types used in queue implementations (InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, FutInnerRecv<RW, T>). This allows users to send non-Send types to other threads, which can lead to data race bugs or other undefined behavior. The flaw was corrected in v0.1.7 by adding T: Send bound to to the Send impl of four data types explained above.

Data races in multiqueue

Affected versions of this crate unconditionally implemented Send for types used in queue implementations (InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, FutInnerRecv<RW, T>). This allows users to send non-Send types to other threads, which can lead to data race bugs or other undefined behavior.

Data races in multiqueue

Affected versions of multiqueue unconditionally implemented Send for types used in queue implementations (InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, FutInnerRecv<RW, T>). This allows users to send non-Send types to other threads, which can lead to data race bugs or other undefined behavior.

Data races in model

Shared data structure in model crate implements Send and Sync traits regardless of the inner type. This allows safe Rust code to trigger a data race, which is undefined behavior in Rust. Users are advised to treat Shared as an unsafe type. It should not be used outside of the testing context, and care must be taken so that the testing code does not have a data race besides a …

Data races in model

Shared data structure in model crate implements Send and Sync traits regardless of the inner type. This allows safe Rust code to trigger a data race, which is undefined behavior in Rust. Users are advised to treat Shared as an unsafe type. It should not be used outside of the testing context, and care must be taken so that the testing code does not have a data race besides a …

Data races in max7301

The ImmediateIO and TransactionalIO types implement Sync for all contained Expander<EI> types regardless of if the Expander itself is safe to use across threads. As the IO types allow retrieving the Expander, this can lead to non-thread safe types being sent across threads as part of the Expander leading to data races.

Data races in magnetic

Affected versions of this crate unconditionally implemented Sync and Send traits for MPMCConsumer and MPMCProducer types. This allows users to send types that do not implement Send trait across thread boundaries, which can cause a data race. The flaw was corrected in the 2.0.1 release by adding T: Send bound to affected Sync/Send trait implementations.

Data races in libsbc

Affected versions of this crate implements Send for Decoder<R> for any R: Read. This allows Decoder<R> to contain R: !Send and carry (move) it to another thread. This can result in undefined behavior such as memory corruption from data race on R, or dropping R = MutexGuard<_> from a thread that didn't lock the mutex. The flaw was corrected in commit a34d6e1 by adding trait bound R: Send to the …

Data races in lexer

lexer is a plugin based lexical reader.Affected versions of this crate implements Sync for ReaderResult<T, E> with the trait bound T: Send, E: Send. Since matching on the public enum ReaderResult<T, E> provides access to &T & &E, allowing data race to a non-Sync type T or E. This can result in a memory corruption when multiple threads concurrently access &T or &E. Suggested fix for the bug is change …

Data races in lever

An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T. This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries which can trigger undefined behavior and memory corruption.

Data races in late-static

Affected versions of this crate implemented Sync for LateStatic with T: Send, so that it is possible to create a data race to a type T: Send + !Sync (e.g. Cell). This can result in a memory corruption or other kinds of undefined behavior. The flaw was corrected in commit 11f396c by replacing the T: Send bound to T: Sync bound in the Sync impl for LateStatic.

Data races in im

An issue was discovered in the im crate prior to 15.1.0 for Rust. Because TreeFocus does not have bounds on its Send trait or Sync trait, a data race can occur.

Data races in hashconsing

Affected versions of hashconsing implements Send/Sync for its HConsed type without restricting it to Sendable types and Syncable types. This allows non-Sync types such as Cell to be shared across threads leading to undefined behavior and memory corruption in concurrent programs.

Data races in gfwx

In the affected versions of this crate, ImageChunkMut<'_, T> unconditionally implements Send and Sync, allowing to create data races. This can result in a memory corruption or undefined behavior when non thread-safe types are moved and referenced across thread boundaries. The flaw was corrected in commit e7fb2f5 by adding T: Send bound to the Send impl and adding T: Sync bound to the Sync impl.

Data races in generator

The Generator type is an iterable which uses a generator function that yields values. In affected versions of the crate, the provided function yielding values had no Send bounds despite the Generator itself implementing Send. The generator function lacking a Send bound means that types that are dangerous to send across threads such as Rc could be sent as part of a generator, potentially leading to data races.

Data races in generator

The Generator type is an iterable which uses a generator function that yields values. In affected versions of the crate, the provided function yielding values had no Send bounds despite the Generator itself implementing Send. The generator function lacking a Send bound means that types that are dangerous to send across threads such as Rc could be sent as part of a generator, potentially leading to data races.

Data races in futures-intrusive

GenericMutexGuard was given the Sync auto trait as long as T is Send due to its contained members. However, since the guard is supposed to represent an acquired lock and allows concurrent access to the underlying data from different threads, it should only be Sync when the underlying data is. This is a soundness issue and allows data races, potentially leading to crashes and segfaults from safe Rust code. The …

Data races in dces

An issue was discovered in the dces crate through 2020-12-09 for Rust. The World type is marked as Send but lacks bounds on its EntityStore and ComponentStore. This allows non-thread safe EntityStore and ComponentStores to be sent across threads and cause data races.

Data races in convec

Affected versions of this crate unconditionally implement Send/Sync for ConVec<T>. This allows users to insert T that is not Send or not Sync. This allows users to create data races by using non-Send types like Arc<Cell<>> or Rc<> as T in ConVec<T>. It is also possible to create data races by using types like Cell<> or RefCell<> as T (types that are Send but not Sync). Such data races can …

Data races in conquer-once

Affected versions of conquer-once implements Sync for its OnceCell type without restricting it to Sendable types. This allows non-Send but Sync types such as MutexGuard to be sent across threads leading to undefined behavior and memory corruption in concurrent programs. The issue was fixed by adding a Send constraint to OnceCell.

Data races in concread

An issue was discovered in the concread crate before 0.2.6 for Rust. Attackers can cause an ARCache<K,V> data race by sending types that do not implement Send/Sync.

Data races in cache

An issue was discovered in the cache crate through 2020-11-24 for Rust. Affected versions of this crate unconditionally implement Send/Sync for Cache<K>. This allows users to insert K that is not Send or not Sync. This allows users to create data races by using non-Send types like Arc<Cell<T>> or Rc<T> as K in Cache<K>. It is also possible to create data races by using types like Cell<T> or RefCell<T> (types …

Data races in bunch

An issue was discovered in the bunch crate through 2020-11-12 for Rust. Affected versions of this crate unconditionally implements Send/Sync for Bunch<T>. This allows users to insert T: !Sync to Bunch<T>. It is possible to create a data race to a T: !Sync by invoking the Bunch::get() API (which returns &T) from multiple threads. It is also possible to send T: !Send to other threads by inserting T inside Bunch<T> …

Data races in beef

An issue was discovered in the beef crate before 0.5.0 for Rust. Affected versions of this crate did not have a T: Sync bound in the Send impl for Cow<', T, U>. This allows users to create data races by making Cow contain types that are (Send && !Sync) like Cell<> or RefCell<_>. Such data races can lead to memory corruption. The flaw was corrected in commit d1c7658 by adding …

Data races in atom

The atom crate contains a security issue revolving around its implementation of the Send trait. It incorrectly allows any arbitrary type to be sent across threads potentially leading to use-after-free issues through memory races.

Data races in async-coap

An issue was discovered in the async-coap crate through 2020-12-08 for Rust. Affected versions of this crate implement Send/Sync for ArcGuard<RC, T> with no trait bounds on RC. This allows users to send RC: !Send to other threads and also allows users to concurrently access Rc: !Sync from multiple threads. This can result in memory corruption from data race or other undefined behavior caused by sending T: !Send to other …

Data races in appendix

The appendix crate implements a key-value mapping data structure called Index<K, V> that is stored on disk. The crate allows for any type to inhabit the generic K and V type parameters and implements Send and Sync for them unconditionally. Using a type that is not marked as Send or Sync with Index can allow it to be used across multiple threads leading to data races. Additionally using reference types …

Data races in aovec

An issue was discovered in the aovec crate through 2020-12-10 for Rust. Because Aovec does not have bounds on its Send trait or Sync trait, a data race and memory corruption can occur.

Data race in va-ts

In the affected versions of this crate, Demuxer unconditionally implemented Send with no trait bounds on T. This allows sending a non-Send type T across thread boundaries, which can cause undefined behavior like unlocking a mutex from a thread that didn't lock the mutex, or memory corruption from data race. The flaw was corrected in commit 0562cbf by adding a T: Send bound to the Send impl for Demuxer.

Data race in v9

Affected versions of this crate unconditionally implement Sync for SyncRef. This definition allows data races if &T is accessible through &SyncRef. SyncRef derives Clone and Debug, and the default implementations of those traits access &T by invoking T::clone() & T::fmt(). It is possible to create data races & undefined behavior by concurrently invoking SyncRef::clone() or SyncRef::fmt() from multiple threads with T: !Sync.

Data race in tiny_future

tiny_future contains a light-weight implementation of Futures. The Future type it has lacked bound on its Send and Sync traits. This allows for a bug where non-thread safe types such as Cell can be used in Futures and cause data races in concurrent programs. The flaw was corrected in commit c791919 by adding trait bounds to Future's Send and Sync.

Data race in syncpool

Affected versions of this crate unconditionally implements Send for Bucket2. This allows sending non-Send types to other threads. This can lead to data races when non Send types like Cell or Rc are contained inside Bucket2 and sent across thread boundaries. The data races can potentially lead to memory corruption (as demonstrated in the PoC from the original report issue). The flaw was corrected in commit 15b2828 by adding a …

Data race in ruspiro-singleton

Singleton<T> is meant to be a static object that can be initialized lazily. In order to satisfy the requirement that static items must implement Sync, Singleton implemented both Sync and Send unconditionally. This allows for a bug where non-Sync types such as Cell can be used in singletons and cause data races in concurrent programs. The flaw was corrected in commit b0d2bd20e by adding trait bounds, requiring the contaiend type …

Data race in may_queue

An issue was discovered in the may_queue crate through 2020-11-10 for Rust. Because Queue does not have bounds on its Send trait or Sync trait, memory corruption can occur.

Data race in internment

An issue was discovered in the internment crate before 0.4.2 for Rust. There is a data race that can cause memory corruption because of the unconditional implementation of Sync for Intern.

Data race in eventio

Input implements Send without requiring R: Send. Affected versions of this crate allows users to send non-Send types to other threads, which can lead to undefined behavior such as data race and memory corruption. The flaw was corrected in version 0.5.1 by adding R: Send bound to the Send impl of Input.

Data race in conqueue

Affected versions of this crate unconditionally implemented Send/Sync for QueueSender<T>, allowing to send non-Send T to other threads by invoking (&QueueSender<T>).send(). This fails to prevent users from creating data races by sending types like Rc<T> or Arc<Cell<T>> to other threads, which can lead to memory corruption. The flaw was corrected in commit 1e462c3 by imposing T: Send to both Send/Sync impls for QueueSender<T>/QueueReceiver<T>.

Data race in abox

Affected versions of this crate implements Send/Sync for AtomicBox<T> without requiring T: Send/T: Sync. This allows to create data races to T: !Sync and send T: !Send to another thread. Such behavior breaks the compile-time thread safety guarantees of Rust, and allows users to incur undefined behavior using safe Rust (e.g. memory corruption from data race). The flaw was corrected in commit 34c2b9e by adding trait bound T: Send to …

crossbeam-deque Data Race before v0.7.4 and v0.8.1

In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected …

crossbeam-channel Undefined Behavior before v0.4.4

The affected version of this crate's the bounded channel incorrectly assumes that Vec::from_iter has allocated capacity that same as the number of iterator elements. Vec::from_iter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when Vec::from_iter has allocated different sizes …

Cross-site Scripting in ammonia

An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.

Cross site scripting in comrak

An issue was discovered in the comrak crate before 0.9.1 for Rust. Cross site scripting (XSS) can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack.

Crash caused by integer conversion to unsigned

An attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments: import tensorflow as tf from tensorflow.python.ops import gen_boosted_trees_ops import numpy as np v= tf.Variable([0.0, 0.0, 0.0, 0.0, 0.0]) gen_boosted_trees_ops.boosted_trees_create_quantile_stream_resource( quantile_stream_resource_handle = v.handle, epsilon = [74.82224], num_streams = [-49], max_elements = np.int32(586))

Crash caused by integer conversion to unsigned

An attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments: import tensorflow as tf from tensorflow.python.ops import gen_boosted_trees_ops import numpy as np v= tf.Variable([0.0, 0.0, 0.0, 0.0, 0.0]) gen_boosted_trees_ops.boosted_trees_create_quantile_stream_resource( quantile_stream_resource_handle = v.handle, epsilon = [74.82224], num_streams = [-49], max_elements = np.int32(586))

Crash caused by integer conversion to unsigned

An attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments: import tensorflow as tf from tensorflow.python.ops import gen_boosted_trees_ops import numpy as np v= tf.Variable([0.0, 0.0, 0.0, 0.0, 0.0]) gen_boosted_trees_ops.boosted_trees_create_quantile_stream_resource( quantile_stream_resource_handle = v.handle, epsilon = [74.82224], num_streams = [-49], max_elements = np.int32(586))

Certificate check bypass in openssl-src

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the …

Calculation error in ark-r1cs-std

An issue was discovered in the ark-r1cs-std crate before 0.3.1 for Rust. It does not enforce any constraints in the FieldVar::mul_by_inverse method. Thus, a prover can produce a proof that is unsound but is nonetheless verified.

Buffer overflow and format vulnerabilities in ncurses

ncurses exposes functions from the ncurses library which: Pass buffers without length to C functions that may write an arbitrary amount of data, leading to a buffer overflow. (instr, mvwinstr, etc) Passes rust &str to strings expecting C format arguments, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory (functions in the printw family).

Buffer Overflow

Buffer Overflow in Netwide Assembler (NASM) v2.15.xx allows attackers to cause a denial of service via 'crc64i' in the component 'nasmlib/crc64'. This issue is different than CVE-2019-7147.

Bad alloc in `StringNGrams` caused by integer conversion

The implementation of tf.raw_ops.StringNGrams is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. import tensorflow as tf tf.raw_ops.StringNGrams( data=['',''], data_splits=[0,2], separator=' '*100, ngram_widths=[-80,0,0,-60], left_pad=' ', right_pad=' ', pad_width=100, preserve_short_sequences=False)

Bad alloc in `StringNGrams` caused by integer conversion

The implementation of tf.raw_ops.StringNGrams is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. import tensorflow as tf tf.raw_ops.StringNGrams( data=['',''], data_splits=[0,2], separator=' '*100, ngram_widths=[-80,0,0,-60], left_pad=' ', right_pad=' ', pad_width=100, preserve_short_sequences=False)

Bad alloc in `StringNGrams` caused by integer conversion

The implementation of tf.raw_ops.StringNGrams is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. import tensorflow as tf tf.raw_ops.StringNGrams( data=['',''], data_splits=[0,2], separator=' '*100, ngram_widths=[-80,0,0,-60], left_pad=' ', right_pad=' ', pad_width=100, preserve_short_sequences=False)

Assumed memory layout of std::net::SocketAddr

The socket2 crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. The standard library does not say anything about the memory layout, and this will cause invalid memory access if the standard library changes the implementation. No warnings or errors will be emitted once the change happens.

Argument injection in lettre

Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable. Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into abritrary files (using sendmail's logging features). NOTE: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.

Arbitrary file overwrite in tar-rs

When unpacking a tarball with the unpack_in-family of functions it's intended that only files within the specified directory are able to be written. Tarballs with hard links or symlinks, however, can be used to overwrite any file on the filesystem. Tarballs can contain multiple entries for the same file. A tarball which first contains an entry for a hard link or symlink pointing to any file on the filesystem will …

Arbitrary code execution due to YAML deserialization

TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. from tensorflow.keras import models payload = ''' !!python/object/new:type args: ['z', !!python/tuple [], {'extend': !!python/name:exec }] listitems: "import('os').system('cat /etc/passwd')" ''' models.model_from_yaml(payload)

Arbitrary code execution due to YAML deserialization

TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. from tensorflow.keras import models payload = ''' !!python/object/new:type args: ['z', !!python/tuple [], {'extend': !!python/name:exec }] listitems: "import('os').system('cat /etc/passwd')" ''' models.model_from_yaml(payload)

Arbitrary code execution due to YAML deserialization

TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. from tensorflow.keras import models payload = ''' !!python/object/new:type args: ['z', !!python/tuple [], {'extend': !!python/name:exec }] listitems: "import('os').system('cat /etc/passwd')" ''' models.model_from_yaml(payload)

`std::abort` raised from `TensorListReserve`

Providing a negative element to num_elements list argument of tf.raw_ops.TensorListReserve causes the runtime to abort the process due to reallocating a std::vector to have a negative number of elements: import tensorflow as tf tf.raw_ops.TensorListReserve( element_shape = tf.constant([1]), num_elements=tf.constant([-1]), element_dtype = tf.int32)

`std::abort` raised from `TensorListReserve`

Providing a negative element to num_elements list argument of tf.raw_ops.TensorListReserve causes the runtime to abort the process due to reallocating a std::vector to have a negative number of elements: import tensorflow as tf tf.raw_ops.TensorListReserve( element_shape = tf.constant([1]), num_elements=tf.constant([-1]), element_dtype = tf.int32)

`std::abort` raised from `TensorListReserve`

Providing a negative element to num_elements list argument of tf.raw_ops.TensorListReserve causes the runtime to abort the process due to reallocating a std::vector to have a negative number of elements: import tensorflow as tf tf.raw_ops.TensorListReserve( element_shape = tf.constant([1]), num_elements=tf.constant([-1]), element_dtype = tf.int32)

`CHECK`-fail in `MapStage`

An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.MapStage: import tensorflow as tf tf.raw_ops.MapStage( key=tf.constant([], shape=[0, 0, 0, 0], dtype=tf.int64), indices=tf.constant((0), dtype=tf.int32), values=[tf.constant((0), dtype=tf.int32)], dtypes=[tf.int32, tf.int64], capacity=0, memory_limit=0, container='', shared_name='')

`CHECK`-fail in `MapStage`

An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.MapStage: import tensorflow as tf tf.raw_ops.MapStage( key=tf.constant([], shape=[0, 0, 0, 0], dtype=tf.int64), indices=tf.constant((0), dtype=tf.int32), values=[tf.constant((0), dtype=tf.int32)], dtypes=[tf.int32, tf.int64], capacity=0, memory_limit=0, container='', shared_name='')

`CHECK`-fail in `MapStage`

An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.MapStage: import tensorflow as tf tf.raw_ops.MapStage( key=tf.constant([], shape=[0, 0, 0, 0], dtype=tf.int64), indices=tf.constant((0), dtype=tf.int32), values=[tf.constant((0), dtype=tf.int32)], dtypes=[tf.int32, tf.int64], capacity=0, memory_limit=0, container='', shared_name='')

Out-of-bounds Read

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) …

Out-of-bounds Read

If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext)

Out-of-bounds Read

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) …

Incorrect Authorization

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio contains a remotely exploitable vulnerability where an HTTP request with #fragment in the path may bypass Istio's URI path based authorization policies. As a work around a Lua filter may be written to normalize the path.

Improper Handling of Case Sensitivity

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to RFC , Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could …

Buffer Overflow

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time …

Unrestricted Upload of File with Dangerous Type

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted.

Server-Side Request Forgery (SSRF)

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime to Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Server-Side Request Forgery (SSRF)

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Potential privilege escalation on Kubernetes >= v1.19 when the Argo Sever is run with `--auth-mode=client`

Impact This is pro-active fix. No know exploits exist. Impacted: You're running Kubernetes >= v1.19 You're running Argo Server It is configured to with –auth-mode=client Is not configured with –auth-mode=server You are not running Argo Server in Kubernetes pod. E.g. on bare metal or other VM. You're using client key to authenticate on the server. The server has more permissions that the connecting client's account. The client's authentication will be …

Improper Privilege Management

Contao is an open source CMS that allows creation of websites and scalable web applications. In affected versions it is possible to gain privileged rights in the Contao back end. Installations are only affected if they have untrusted back end users who have access to the form generator. All users are advised to update to Contao 4.4.56, 4.9.18 or 4.11.7. As a workaround users may disable the form generator or …

Improper Control of Generation of Code ('Code Injection')

Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify fields that are shown in the front end. Update to Contao 4.4.56, 4.9.18 or 4.11.7 to resolve. If …

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again.However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again. if using the version out of the box with Java runtime to 8 or with JavaFX installed. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted.

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to allocate % CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the …

Deserialization of Untrusted Data

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with an allow list limited to the minimal required types are not impacted.

Code Injection

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream's security framework with a allow list limited to the minimal required types are not impacted.

Argo Server TLS requests could be forged by attacker with network access

Impact We are not aware of any exploits. This is a pro-active fix. Impacted: You are running Argo Server < v3.0 with –secure=true or >= v3.0 with –secure unspecified (note - running in secure mode is recommended regardless). The attacker is within your network. If you expose Argo Server to the Internet then "your network" is "the Internet". The Argo Server's keys are packaged within the image. They could be …

Improper Authentication

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously., when an anonymous user is first signed up using REST, the server creates session incorrectly. Particularly, the authProvider field in _Session class under createdWith shows the user logged in creating a password. If a developer later …

Uncaught Exception

jsoup is a Java library for working with HTML. Those using jsoup to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. …

Loop with Unreachable Exit Condition ('Infinite Loop')

jsoup is a Java library for working with HTML. Those using jsoup to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. …

Improper Handling of Exceptional Conditions

ced detects character encoding using Google's compact_enc_det library. In ced, passing data types other than Buffer causes the Node.js process to crash. As a workaround, before passing an argument to ced, verify it's a Buffer using Buffer.isBuffer(obj).

Improper Authentication

Admin level users can change other user's details but fails to validate already existing Login name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.

Command Injection

The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Path Traversal

bblfshd is an open source self-hosted server for source code parsing. In bblfshd there is a zipslip vulnerability. The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder. This issue may lead to arbitrary file write (with same permissions as the program running the unpack operation) if the attacker can control the archive file.

Information Exposure

The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications.

Improper Input Validation

Shopware is an open source eCommerce platform. contain a vulnerability that allows manipulation of product reviews via API. contains a patch. As workarounds for older versions of, corresponding security measures are also available via a plugin.

Cross-site Scripting

In the editor module of the Dolibarr editor scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a …

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, …

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, …

Improper Handling of Exceptional Conditions

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking …

Improper Handling of Exceptional Conditions

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking …

Externally Controlled Reference to a Resource in Another Sphere

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level …

Cross-site Scripting

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched.

Cross-site Scripting

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched.

Insecure Storage of Sensitive Information

WAL-G, when a non-libsodium build (e.g., one of the official binary releases published as GitHub Releases) is used, silently ignores the libsodium encryption key and uploads cleartext backups. This is arguably a Principle of Least Surprise violation because "the user likely wanted to encrypt all file activity."

Exposure of Resource to Wrong Sphere

PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). the phpinfo() can be exposed if the /vendor is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc).

Cross-site Scripting

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched. The fix will …

Cross-site Scripting

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched. The fix will …

Code Injection

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor.

Code Injection

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Clipboard. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched.

Improper Privilege Management

Contao is an open source CMS that allows creation of websites and scalable web applications.All users are advised to update to Contao As a workaround users may disable the form generator or disable the login for untrusted back end users.

Command injection in Yamale

23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing, and tries to protect from malicious expressions by limiting the builtins that are passed to the eval. When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system …

Code Injection

Contao is an open source CMS that allows you to create websites and scalable web applications.Update to Contao to resolve. If you cannot update then disable the login for untrusted back end users.

Incorrect Authorization

Serverless Offline returns a HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a HTTP status code (i.e., possibly greater than expected permissions).

Cross-site Scripting

TYPO3 is an open source PHP based web content management system released under the GNU GPL. sanitize and encode malicious rich-text content, the content rendering process in the website frontend is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In …

Cross-site Scripting

TYPO3 is vulnerable to cross-site scripting. Corresponding rendering instructions via TypoScript functionality HTMLparser does not consider all potentially malicious HTML tag & attribute combinations per default. In default scenarios, a valid backend user account is needed to exploit this vulnerability. In case custom plugins used in the website frontend accept and reflect rich-text content submitted by users, no authentication is required.

Uncontrolled Recursion

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.

ReDOS in Mpmath

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath v1.0.0 when the mpmathify function is called.

Open Redirect in Flask-User

This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes such as /////evil.com/path or \\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using autocorrect_location_header=False.

Missing Encryption of Sensitive Data

While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.

Integer overflow in pywin32

An integer overflow exists in pywin32 prior to version b301 when adding an access control entry (ACE) to an access control list (ACL) that would cause the size to be greater than 65535 bytes. An attacker who successfully exploited this vulnerability could crash the vulnerable process.

Incorrect Authorization

Dolibarr applications do not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator should have rights to do, the affected field is in the /adherents/note.php?id=1 endpoint.

Deserialization of Untrusted Data

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may …

VecStorage Deserialize Allows Violation of Length Invariant

The Deserialize implementation for VecStorage did not maintain the invariant that the number of elements must equal nrows * ncols. Deserialization of specially crafted inputs could allow memory access beyond allocation of the vector. This flaw was introduced in v0.11.0 (086e6e) due to the addition of an automatically derived implementation of Deserialize for MatrixVec. MatrixVec was later renamed to VecStorage in v0.16.13 (0f66403) and continued to use the automatically derived …

Use of Incorrectly-Resolved Name or Reference

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function does not take issuercert into account and it compared the involved paths case insensitively, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even …

URL Redirection to Untrusted Site ('Open Redirect') in Products.isurlinportal

Various parts of Plone use the 'is url in portal' check for security, mostly to see if it is safe to redirect to a url. A url like https://example.org is not in the portal. But the url https:example.org without slashes tricks our code and it is considered to be in the portal. When redirecting, some browsers go to https://example.org, others give an error. Attackers may use this to redirect you …

Storage corruption due to variables overwritten by re-entrancy locks

Background When attempting to use the v0.2.14 release, @pandadefi discovered an issue using the @nonreentrant decorator. Impact Reentrancy protection storage slots get allocated to the same slots as storage variables, leading to the corruption of storage variables when using the @nonreentrant decorator. Patches This issue was fixed in v0.2.15 in #2391, #2379 Workarounds Don't use the @nonreentrant decorator in these versions.

Improper Input Validation

A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.

Improper Control of Dynamically-Managed Code Resources

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potential abuse. If one has a chain of Traefik middlewares, and one of …

Improper Control of Dynamically-Managed Code Resources

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potential abuse. If one has a chain of Traefik middlewares, and one of …

Use After Free

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

SQL Injection

A SQL injection vulnerability in a MediaWiki script in Centreon allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters.

SQL Injection

A SQL injection vulnerability in image generation in Centreon allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter.

SQL Injection

A SQL injection vulnerability in reporting export in Centreon allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters.

Path Traversal

An issue was discovered in Grafana Loki The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as a ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

Path Traversal

An issue was discovered in Grafana Cortex The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as as ../../sensitive/path/in/deployment pathname, then Cortex will attempt to parse a rules file at that location and include some of the contents in the error message.

Improperly Controlled Modification of Object Prototype Attributes

Impact The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. Patches think-config@1.1.3 patched it, anyone used think-config should upgrade to >=1.1.3 version. References https://cwe.mitre.org/data/definitions/1321.html For more information If you have any questions or comments about this advisory: Open an issue in thinkjs/thinkjs Email us at …

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is …

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For …

Incorrect Access Control in Nacos

Nacos 1.1.4 is affected by: Incorrect Access Control. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in. (detail:https://github.com/alibaba/nacos/issues/2284)

Jul 2021

SQL Injection

SQL Injection vulnerability in NukeViet CMS module Shops via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0833, CVE-2020-0848.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0848.

Missing Authentication for Critical Function

An issue was discovered in Mirumee Sale Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).

Improper Encoding or Escaping of Output

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Improper Encoding or Escaping of Output

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the …

SQL Injection

Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of /wp-json/wc/v3/webhooks, /wp-json/wc/v2/webhooks and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting search parameter information can be …

Insecure Default Initialization of Resource

As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.

Insecure Default Initialization of Resource

As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using "/../../" in the URL. This occurs because Micronaut does not restrict file access to configured paths. The vulnerability is patched in version 2.5.9. As a workaround, do not use ** in mapping, …

Cross-site Scripting

Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,".

Prototype Pollution

This affects the package jszip Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.

Out-of-bounds Write

Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out-of-bounds write on the heap with the possibility of remote code execution.

Externally Controlled Reference to a Resource in Another Sphere

Contour is a Kubernetes ingress controller using Envoy proxy. In Contour a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs.

Command Injection

All versions of package gitlogplus is vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

Cross-site Scripting

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the main functionality. It accepts input that can result in the output (an anchor a tag) containing undesirable Javascript code that can be executed upon user interaction.

Cross-site Scripting

TYPO3 contains a cross-site scripting vulnerability. When Page TSconfig settings are not properly encoded, corresponding page preview module (Web>View) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 contain a patch for this issue.

Cross-site Scripting

TYPO3 contains a cross-site scripting vulnerability. When error messages are not properly encoded, the components QueryGenerator and QueryView are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. TYPO3 contain a patch for this issue.

Cross-site Scripting

TYPO3 contains a cross-site scripting vulnerability. When settings for backend layouts are not properly encoded, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 contain a patch for this vulnerability.

Cross-site Scripting

TYPO3 is an open source PHP based web content management system. have a cross-site scripting vulnerability. When settings for backend layouts are not properly encoded, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 contain a patch for this vulnerability.

Cross-site Scripting

TYPO3 contains a cross-site scripting vulnerability. When error messages are not properly encoded, the components QueryGenerator and QueryView are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileges is needed to exploit this vulnerability. TYPO3 contain a patch for this issue.

Cross-site Scripting

TYPO3 contains a cross-site scripting vulnerability. When Page TSconfig settings are not properly encoded, corresponding page preview module (Web>View) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 contain a patch for this issue.

Improper Removal of Sensitive Information Before Storage or Transfer

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Exposure of Resource to Wrong Sphere

containerd is a container runtime. A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, …

chroot isolation: environment value leakage to intermediate processes

Impact When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running buildah in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original buildah process through its environment, that information will unintentionally be shared with child processes which …

SQL Injection

An issue was discovered in Centreon-Web in Centreon Platform A SQL injection vulnerability in "Configuration > Users > Contacts / Users" allows remote authenticated users to execute arbitrary SQL commands via the Additional Information parameters.

Path Traversal

Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. With a basic configuration, it is possible to access any file from a filesystem, using "/../../" in the URL. This occurs because Micronaut does not restrict file access to configured paths.

Cross-site Scripting

An issue was discovered in Centreon-Web in Centreon Platform A Stored Cross-Site Scripting (XSS) issue in "Configuration > Hosts" allows remote authenticated users to inject arbitrary web script or HTML via the Alias parameter.

Insufficiently Protected Credentials

Gatsby is a framework for building websites. The gatsby-source-wordpress plugin leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected.

Uncontrolled Resource Consumption

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files.

Information Exposure Through Discrepancy

In wolfSSL, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.

Improper Input Validation

A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package for Node.js. An attacker that is able to provide crafted input to the isEmail(input) function may cause an application to consume an excessive amount of CPU.

SMTP command injection in lettre

Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign

hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks".

Integer Overflow in Chunked Transfer-Encoding

hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks".

Incorrect Comparison

RestSharp uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an exceedingly long time. Thus the remote server can trigger Denial of Service.

Incorrect Authorization

Xen Orchestra mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.

Incorrect Authorization

Xen Orchestra (with xo-web and xo-server ) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.

Improper Restriction of XML External Entity Reference

FlowDroid is a data flow analysis tool. FlowDroid contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to able control the source/sink definition file.

Improper Handling of Exceptional Conditions

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking …

Improper Handling of Exceptional Conditions

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking …

Files or Directories Accessible to External Parties

Ether Logs is a package that allows one to check one's logs in the Craft 3 utilities section. A vulnerability was found in versions prior to 3.0.4 that allowed authenticated admin users to access any file on the server. The vulnerability has been fixed in version 3.0.4. As a workaround, one may disable the plugin if untrustworthy sources have admin access.

SQL Injection

A SQL Injection flaw was found in the package pimcore/pimcore. This issue exists due to the absence of check on the storeId parameter in the method collectionsActionGet and groupsActionGet method within the ClassificationstoreController class.

Uncontrolled Resource Consumption

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable …

Cross-site Scripting

Smashing is vulnerable to Cross Site Scripting (XSS). A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. The JavaScript code can then steal data available in the session/cookies depending on the user environment (e.g. if re-using internal URL's for deploying, or cookies that are very permissive) private information may be retrieved by the attacker.

Incorrect Authorization

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level …

Incorrect Authorization

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the …

Improper Authentication

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights. An attacher with script rights who is able to reset the authentication failure record might perform …

Improper Authentication

js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon server. The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the serverAccountID has signed the transaction. In js-stellar-sdk, the function does not verify that the server has signed the transaction. Applications that also used Utils.verifyChallengeTxThreshold or Utils.verifyChallengeTxSigners to verify the signatures including the …

Improper Authentication

js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon server. The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the serverAccountID has signed the transaction. In js-stellar-sdk, the function does not verify that the server has signed the transaction. Applications that also used Utils.verifyChallengeTxThreshold or Utils.verifyChallengeTxSigners to verify the signatures including the …

Exposure of Sensitive Information to an Unauthorized Actor

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the …

Exposure of Resource to Wrong Sphere

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Between (and including) versions 13.1RC1 and 13.1, the reset password form reveals the email address of users just by giving their username. The problem has been patched on XWiki 13.2RC1. As a workaround, it is possible to manually modify the resetpasswordinline.vm to perform the changes made to mitigate the vulnerability.

Cross-site Scripting

A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the New parameter.

Cross-site Scripting

A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the New parameter.

Cross-site Scripting

A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the New parameter.

Cross-Site Request Forgery (CSRF)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible for forge an URL that, when accessed by an admin, will reset the password of any user in XWiki. The problem has been patched in XWiki 12.10.5 and 13.2RC1. As a workaround, it is …

Use of Insufficiently Random Values

Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. …