Advisories

Feb 2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin does not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are …

User Interface (UI) Misrepresentation of Critical Information

Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. As a workaround, change next.config.js to use a different loader configuration other than the default.

Reachable Assertion

There is an Assertion in 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at parser_parse_function_arguments in /js/js-parser.c of JerryScript commit a6ab5e9.

Incorrect Authorization

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Incorrect Authorization

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Incorrect Authorization

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Uncontrolled Resource Consumption

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter …

Uncontrolled Resource Consumption

client_golang's HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass metric with method label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown method. …

Missing Authorization

Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Missing Authorization

Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Invalid drop of partially-initialized instances in the pooling instance allocator for modules with defined `externref` globals

There exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an externref global will result in an invalid drop of a VMExternRef via an uninitialized pointer. As instance slots may be reused between consecutive instantiations, the value of the uninitialized pointer may be from a previous instantiation and therefore under the control of an attacker via …

Improper Validation of Certificate with Host Mismatch in mellium.im/xmpp/websocket

Impact If no TLS configuration is provided by the user, the websocket package constructs its own TLS configuration using recommended defaults. When looking up a WSS endpoint using the DNS TXT record method described in XEP-0156: Discovering Alternative XMPP Connection Methods the ServerName field was incorrectly being set to the name of the server returned by the TXT record request, not the name of the initial server we were attempting …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control. It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications …

Improper Input Validation

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Improper Input Validation

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Improper Input Validation

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Improper Certificate Validation

Traefik is an HTTP reverse proxy and load balancer., Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS …

crossbeam-utils Unsoundness of AtomicCell<{i,u}64> arithmetics on 32-bit targets that support Atomic{I,U}64

The affected versions of this crate incorrectly assumed that the alignment of {i,u}64 was always the same as Atomic{I,U}64. However, the alignment of {i,u}64 on a 32-bit target can be smaller than Atomic{I,U}64. This can cause the following problems: Unaligned memory accesses Data race Crates using fetch_* methods with AtomicCell<{i,u}64> are affected by this issue. 32-bit targets without Atomic{I,U}64 and 64-bit targets are not affected by this issue. 32-bit targets …

Access of Uninitialized Pointer

Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an externref global will result in an invalid drop of a VMExternRef via an uninitialized pointer. A number of conditions listed in the GitHub Security Advisory must be true in …

Access of Uninitialized Pointer

Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an externref global will result in an invalid drop of a VMExternRef via an uninitialized pointer. A number of conditions listed in the GitHub Security Advisory must be true in …

Access of Uninitialized Pointer

Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an externref global will result in an invalid drop of a VMExternRef via an uninitialized pointer. A number of conditions listed in the GitHub Security Advisory must be true in …

Access of Uninitialized Pointer

Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an externref global will result in an invalid drop of a VMExternRef via an uninitialized pointer. A number of conditions listed in the GitHub Security Advisory must be true in …

URL Redirection to Untrusted Site ('Open Redirect')

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with …

Untrusted Search Path

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and …

Untrusted Search Path

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and …

Untrusted Search Path

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and …

Untrusted Search Path

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and …

Untrusted Search Path

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and …

Session Fixation

A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Session Fixation

Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.

Server-Side Request Forgery (SSRF)

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 is vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

Server-Side Request Forgery (SSRF)

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

Server-Side Request Forgery (SSRF)

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

Privilege Escalation in Kubernetes

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

NULL Pointer Dereference

Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot does not reference any VolumeSnapshotClass. - The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop. Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take …

NULL Pointer Dereference

Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot does not reference any VolumeSnapshotClass. - The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop. Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take …

Missing Authorization

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.

Man-in-the-Middle (MitM)

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

Loop with Unreachable Exit Condition ('Infinite Loop')

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler does not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations until the yubihsm-connector is restarted. An attacker can send 0, 1, or 2 bytes to trigger …

Insufficiently Protected Credentials

The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.

Insufficiently Protected Credentials

The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.

Information Exposure

Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.

Incorrect Permission Assignment for Critical Resource

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by –cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If –cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

Incorrect Permission Assignment for Critical Resource

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by –cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If –cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

Incorrect Authorization

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the ~/.netrc file. Refer to the referenced GitHub Security Advisory for complete details. This is fixed in version 0.7.5.

Incorrect Authorization

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the ~/.netrc file. Refer to the referenced GitHub Security Advisory for complete details. This is fixed in version 0.7.5.

Improper nonce handling: potential overflow, potential state DoS

The Go package github.com/flynn/noise, a Noise Protocol implementation, has two bugs in nonce handling in versions prior to v1.0.0. Issue 1: Potential nonce overflow If 2^64 (~18.4 quintillion) or more messages are encrypted with Encrypt after handshaking, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce, resulting in a potentially catastrophic weakening of the security properties of the symmetric cipher. This …

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway’s public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Kata Containers does not restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Kata Containers does not restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

Improper Link Resolution Before File Access ('Link Following')

ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. …

Improper Link Resolution Before File Access ('Link Following')

A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing for code execution on the host. This issue affects: Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions.

Improper Link Resolution Before File Access ('Link Following')

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on …

Improper Link Resolution Before File Access ('Link Following')

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on …

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS suffers from a zip-slip vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside …

Improper Input Validation

A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.

Improper Input Validation

An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this …

Improper Input Validation

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

Improper Input Validation

DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).

Improper Input Validation

An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this …

Improper Authentication in Kubernetes

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on …

Improper Authentication

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on …

Improper Authentication

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 is vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

Import token permissions checking not enforced

The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission. The JWT library's validation of the bindings in the …

Import token permissions checking not enforced

The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission. The JWT library's validation of the bindings in the …

Exposure of Sensitive Information to an Unauthorized Actor

Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.

Exposure of Sensitive Information to an Unauthorized Actor

Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.

Duplicate Advisory: Incorrect Access Control in github.com/nats-io/jwt and github.com/nats-io/nats-server/v2

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-62mh-w5cv-p88c (for github.com/nats-io/jwt) and GHSA-j756-f273-xhp4 (for github.com/nats-io/nats-server). This link is maintained to preserve external references. Original Description NATS Server (github.com/nats-io/nats-server/v2/server) 2.x before 2.2.0 and JWT library (github.com/nats-io/jwt/v2) before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.

Denial of Service in Packetbeat

Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.

Denial of service in github.com/nats-io/nats-server/server

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no …

Denial of service in github.com/nats-io/nats-server/server

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no …

Denial of service

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no …

Denial of service

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no …

Cross-Site Request Forgery (CSRF)

A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.

Cross-Site Request Forgery (CSRF)

A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.

Authorization bypass in Istio

In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.

Authentication Bypass by Capture-replay

Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables "cross-chain transaction replay" attack.

Allocation of Resources Without Limits or Throttling

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Unrestricted Upload of File with Dangerous Type

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

TLS certificate validation error

In mellium.im/xmpp, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification.

Incorrect Authorization

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Improper Link Resolution Before File Access ('Link Following')

DBdeployer is a tool that deploys MySQL database servers easily. In DBdeployer, users unpacking a tarball may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defenses. For the attack to succeed, the following factors need to contribute: 1) The user is logged in as root. While …

Exposure of Resource to Wrong Sphere

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Exposure of Resource to Wrong Sphere

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Duplicate Advisory: TLS certificate validation error in mellium.im/xmpp

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h289-x5wc-xcv8. This link is maintained to preserve external references. Original Description In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification.

Drupal core Cross-site Scripting (XSS) vulnerability

Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.

Drupal core Cross-site Scripting (XSS) vulnerability

Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.

Cross-Site Request Forgery (CSRF)

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

Validation bypass vulnerability

Back in min June a security vulnerability was reported to the team, the reason for the slow response was due to ownership of some packages was locked and we wanted to be sure to update all packages before any disclosure was released. The issue is deemed being a Low severity vulnerability. Impact This vulnerability impacts users who rely on the for last digits of personnummer to be a real personnummer. …

Use of a Broken or Risky Cryptographic Algorithm

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC …

Use of a Broken or Risky Cryptographic Algorithm

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with …

Use of a Broken or Risky Cryptographic Algorithm

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with …

Use of a Broken or Risky Cryptographic Algorithm

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik , there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this …

URL Redirection to Untrusted Site ('Open Redirect')

In Traefik , there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it …

NULL Pointer Dereference

Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from to could lead to Denial of Service via a crafted TIFF file.

NULL Pointer Dereference

Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff could lead to Denial of Service via crafted TIFF file.

Information Exposure when using Puma with Rails

Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions …

Information Exposure when using Puma with Rails

Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code …

Improper Initialization

An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth', and then can calculate 'usageAuth ^ encMigrationAuth' as the 'migrationAuth' can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to …

Improper Control of Generation of Code ('Code Injection')

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Exposure of Sensitive Information to an Unauthorized Actor

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but …

Exposure of information in Action Pack

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, …

Duplicate advisory: swift-nio-http2 vulnerable to denial of service via mishandled HPACK variable length integer encoding

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w3f6-pc54-gfw7. This link is maintained to preserve external references. Original Description A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of HPACK-encoded …

Duplicate advisory: swift-nio-http2 vulnerable to denial of service via invalid HTTP/2 HEADERS frame length

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pgfx-g6rc-8cjv. This link is maintained to preserve external references. Original Description A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS …

Duplicate advisory: swift-nio-http2 vulnerable to denial of service via ALTSVC or ORIGIN frames

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pgfx-g6rc-8cjv. This link is maintained to preserve external references. Original Description A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. This vulnerability is caused by a logical error after frame parsing but before frame …

Deserialization of Untrusted Data

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary …

Chrono has potential segfault issue in SPIFFE authenticator

Several vulnerabilities have been reported in the time and chrono crates related to handling of calls to localtime_r. You can follow some of the discussions here and here, and the associated CVE here. In our case, the issue with the dependency was flagged by our nightly CI build running cargo-audit. The vulnerability leads to a segfault in specific circumstances - namely, when one of a number of functions in the …

Authentication Bypass by Spoofing

Fleet is an open source osquery manager. In Fleet, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. This issue is patched The fix was made using https://github.com/mattermost/xml-roundtrip-validator If upgrade to …

Uncontrolled Resource Consumption

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Type confusion leading to segfault in Tensorflow

The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.ConcatV2( values=[[1,2,3],[4,5,6]], axis = 0xb500005b) return y test() The axis argument is translated into concat_dim in the ConcatShapeHelper helper function. Then, a value for min_rank is computed based on concat_dim. This is then used to validate …

Type confusion leading to segfault in Tensorflow

The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.ConcatV2( values=[[1,2,3],[4,5,6]], axis = 0xb500005b) return y test() The axis argument is translated into concat_dim in the ConcatShapeHelper helper function. Then, a value for min_rank is computed based on concat_dim. This is then used to validate …

Type confusion leading to segfault in Tensorflow

The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.ConcatV2( values=[[1,2,3],[4,5,6]], axis = 0xb500005b) return y test() The axis argument is translated into concat_dim in the ConcatShapeHelper helper function. Then, a value for min_rank is computed based on concat_dim. This is then used to validate …

SQL Injection in Hibernate ORM

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Server-Side Request Forgery (SSRF)

In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a "viewer" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes …

Possible SQL injection in tablelookupwizard Contao Extension

Impact The currently selected widget values were not correctly sanitized before passing it to the database, leading to an SQL injection possibility. Patches The issue has been patched in tablelookupwizard For more information If you have any questions or comments about this advisory: Open an issue in https://github.com/terminal42/contao-tablelookupwizard Email us at info@terminal42.ch

Out-of-bounds Write

An issue was discovered in PlayJava in Play Framework The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.

Out-of-bounds Write

An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.

Null-dereference in Tensorflow

The implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer: const auto& init_op_sig_it = meta_graph_def.signature_def().find(kSavedModelInitOpSignatureKey); if (init_op_sig_it != sig_def_map.end()) { *init_op_name = init_op_sig_it->second.outputs() .find(kSavedModelInitOpSignatureKey) ->second.name(); return Status::OK(); } Here, we have a nested map and we assume that if the first .find succeeds then so would be the search in the internal map. However, the maps are built based on the SavedModel protobuf format and …

Null-dereference in Tensorflow

The implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer: const auto& init_op_sig_it = meta_graph_def.signature_def().find(kSavedModelInitOpSignatureKey); if (init_op_sig_it != sig_def_map.end()) { *init_op_name = init_op_sig_it->second.outputs() .find(kSavedModelInitOpSignatureKey) ->second.name(); return Status::OK(); } Here, we have a nested map and we assume that if the first .find succeeds then so would be the search in the internal map. However, the maps are built based on the SavedModel protobuf format and …

Null-dereference in Tensorflow

The implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer: const auto& init_op_sig_it = meta_graph_def.signature_def().find(kSavedModelInitOpSignatureKey); if (init_op_sig_it != sig_def_map.end()) { *init_op_name = init_op_sig_it->second.outputs() .find(kSavedModelInitOpSignatureKey) ->second.name(); return Status::OK(); } Here, we have a nested map and we assume that if the first .find succeeds then so would be the search in the internal map. However, the maps are built based on the SavedModel protobuf format and …

Missing Authentication for Critical Function

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.

Memory leak in Tensorflow

If a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize: Status s = params_.create_kernel(n->properties(), &item->kernel); if (!s.ok()) { item->kernel = nullptr; s = AttachDef(s, n); return s; } Here, we set item->kernel to nullptr but it is a simple OpKernel pointer so the memory that was previously allocated to it would leak.

Memory leak in Tensorflow

If a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize: Status s = params_.create_kernel(n->properties(), &item->kernel); if (!s.ok()) { item->kernel = nullptr; s = AttachDef(s, n); return s; } Here, we set item->kernel to nullptr but it is a simple OpKernel pointer so the memory that was previously allocated to it would leak.

Memory leak in Tensorflow

If a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize: Status s = params_.create_kernel(n->properties(), &item->kernel); if (!s.ok()) { item->kernel = nullptr; s = AttachDef(s, n); return s; } Here, we set item->kernel to nullptr but it is a simple OpKernel pointer so the memory that was previously allocated to it would leak.

Memory exhaustion in Tensorflow

The implementation of StringNGrams can be used to trigger a denial of service attack by causing an OOM condition after an integer overflow: import tensorflow as tf tf.raw_ops.StringNGrams( data=['123456'], data_splits=[0,1], separator='a'*15, ngram_widths=[], left_pad='', right_pad='', pad_width=-5, preserve_short_sequences=True) We are missing a validation on pad_witdh and that result in computing a negative value for ngram_width which is later used to allocate parts of the output.

Memory exhaustion in Tensorflow

The implementation of StringNGrams can be used to trigger a denial of service attack by causing an OOM condition after an integer overflow: import tensorflow as tf tf.raw_ops.StringNGrams( data=['123456'], data_splits=[0,1], separator='a'*15, ngram_widths=[], left_pad='', right_pad='', pad_width=-5, preserve_short_sequences=True) We are missing a validation on pad_witdh and that result in computing a negative value for ngram_width which is later used to allocate parts of the output.

Memory exhaustion in Tensorflow

The implementation of ThreadPoolHandle can be used to trigger a denial of service attack by allocating too much memory: import tensorflow as tf y = tf.raw_ops.ThreadPoolHandle(num_threads=0x60000000,display_name='tf') This is because the num_threads argument is only checked to not be negative, but there is no upper bound on its value.

Memory exhaustion in Tensorflow

The implementation of ThreadPoolHandle can be used to trigger a denial of service attack by allocating too much memory: import tensorflow as tf y = tf.raw_ops.ThreadPoolHandle(num_threads=0x60000000,display_name='tf') This is because the num_threads argument is only checked to not be negative, but there is no upper bound on its value.

Memory exhaustion in Tensorflow

The implementation of StringNGrams can be used to trigger a denial of service attack by causing an OOM condition after an integer overflow: import tensorflow as tf tf.raw_ops.StringNGrams( data=['123456'], data_splits=[0,1], separator='a'*15, ngram_widths=[], left_pad='', right_pad='', pad_width=-5, preserve_short_sequences=True) We are missing a validation on pad_witdh and that result in computing a negative value for ngram_width which is later used to allocate parts of the output.

Memory exhaustion in Tensorflow

The implementation of ThreadPoolHandle can be used to trigger a denial of service attack by allocating too much memory: import tensorflow as tf y = tf.raw_ops.ThreadPoolHandle(num_threads=0x60000000,display_name='tf') This is because the num_threads argument is only checked to not be negative, but there is no upper bound on its value.

Integer overflow in Tensorflow

The implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements: int64_t OpLevelCostEstimator::CalculateTensorSize( const OpInfo::TensorProperties& tensor, bool* found_unknown_shapes) { int64_t count = CalculateTensorElementCount(tensor, found_unknown_shapes); int size = DataTypeSize(BaseType(tensor.dtype())); VLOG(2) << "Count: " << count << " DataTypeSize: " << size; return count * size; } Here, count and size can be large enough …

Integer overflow in Tensorflow

The implementation of OpLevelCostEstimator::CalculateOutputSize is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements: for (const auto& dim : output_shape.dim()) { output_size *= dim.size(); } Here, we can have a large enough number of dimensions in output_shape.dim() or just a small number of dimensions being large enough to cause an overflow in the multiplication.

Integer overflow in Tensorflow

The implementation of OpLevelCostEstimator::CalculateOutputSize is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements: for (const auto& dim : output_shape.dim()) { output_size *= dim.size(); } Here, we can have a large enough number of dimensions in output_shape.dim() or just a small number of dimensions being large enough to cause an overflow in the multiplication.

Integer overflow in Tensorflow

The implementation of OpLevelCostEstimator::CalculateOutputSize is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements: for (const auto& dim : output_shape.dim()) { output_size *= dim.size(); } Here, we can have a large enough number of dimensions in output_shape.dim() or just a small number of dimensions being large enough to cause an overflow in the multiplication.

Integer overflow in Tensorflow

The implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements: int64_t OpLevelCostEstimator::CalculateTensorSize( const OpInfo::TensorProperties& tensor, bool* found_unknown_shapes) { int64_t count = CalculateTensorElementCount(tensor, found_unknown_shapes); int size = DataTypeSize(BaseType(tensor.dtype())); VLOG(2) << "Count: " << count << " DataTypeSize: " << size; return count * size; } Here, count and size can be large enough …

Integer overflow in Tensorflow

The implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements: int64_t OpLevelCostEstimator::CalculateTensorSize( const OpInfo::TensorProperties& tensor, bool* found_unknown_shapes) { int64_t count = CalculateTensorElementCount(tensor, found_unknown_shapes); int size = DataTypeSize(BaseType(tensor.dtype())); VLOG(2) << "Count: " << count << " DataTypeSize: " << size; return count * size; } Here, count and size can be large enough …

Incorrect Authorization in Apache Solr

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. This issue is patched in 8.6.3.

Incorrect Authorization in Apache Solr

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. This issue is patched in 8.6.3.

Incorrect Authorization in Apache Solr

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. This issue is patched in 8.6.3.

Incomplete Cleanup

An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse.

Improper Validation of Specified Quantity in Input in Eclipse Hono

In Eclipse Hono the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP protocol explicitly disallows a peer to send such messages, a hand crafted AMQP client could exploit this behavior in order to send a message of unlimited size …

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Netflix Titus uses Java Bean Validation (JSR ) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that the default configuration does not allow to display the SVG files in the browser. Users are advised to update or to …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed by splitting and nesting them for example.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that the default configuration doesn't allow to display the SVG files in the browser. Users are advised to update or to disallow …

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.

Improper Input Validation

Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access.

Improper Control of Generation of Code ('Code Injection')

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Improper Certificate Validation

Graylog lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections. Unfortunately, the Graylog client code (in all versions that support LDAP) does not implement proper certificate validation (regardless of whether the "Allow self-signed certificates" option is used). Therefore, any attacker with the ability to intercept network traffic between a …

Improper Authentication in Apache Spark

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, …

Improper Authentication in Apache Spark

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, …

Improper Authentication

An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once.

Exposure of Sensitive Information to an Unauthorized Actor in Apache CXF

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to …

Exposure of Sensitive Information to an Unauthorized Actor

Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the …

Division by zero in Tensorflow

The estimator for the cost of some convolution operations can be made to execute a division by 0: import tensorflow as tf @tf.function def test(): y=tf.raw_ops.AvgPoolGrad( orig_input_shape=[1,1,1,1], grad=[[[[1.0],[1.0],[1.0]]],[[[2.0],[2.0],[2.0]]],[[[3.0],[3.0],[3.0]]]], ksize=[1,1,1,1], strides=[1,1,1,0], padding='VALID', data_format='NCHW') return y test() The function fails to check that the stride argument is stricly positive: int64_t GetOutputSize(const int64_t input, const int64_t filter, const int64_t stride, const Padding& padding) { // Logic for calculating output shape is from GetWindowedOutputSizeVerbose() …

Division by zero in Tensorflow

The estimator for the cost of some convolution operations can be made to execute a division by 0: import tensorflow as tf @tf.function def test(): y=tf.raw_ops.AvgPoolGrad( orig_input_shape=[1,1,1,1], grad=[[[[1.0],[1.0],[1.0]]],[[[2.0],[2.0],[2.0]]],[[[3.0],[3.0],[3.0]]]], ksize=[1,1,1,1], strides=[1,1,1,0], padding='VALID', data_format='NCHW') return y test() The function fails to check that the stride argument is stricly positive: int64_t GetOutputSize(const int64_t input, const int64_t filter, const int64_t stride, const Padding& padding) { // Logic for calculating output shape is from GetWindowedOutputSizeVerbose() …

Division by zero in Tensorflow

The implementation of FractionalMaxPool can be made to crash a TensorFlow process via a division by 0: import tensorflow as tf import numpy as np tf.raw_ops.FractionalMaxPool( value=tf.constant(value=[[[[1, 4, 2, 3]]]], dtype=tf.int64), pooling_ratio=[1.0, 1.44, 1.73, 1.0], pseudo_random=False, overlapping=False, deterministic=False, seed=0, seed2=0, name=None)

Division by zero in Tensorflow

The implementation of FractionalMaxPool can be made to crash a TensorFlow process via a division by 0: import tensorflow as tf import numpy as np tf.raw_ops.FractionalMaxPool( value=tf.constant(value=[[[[1, 4, 2, 3]]]], dtype=tf.int64), pooling_ratio=[1.0, 1.44, 1.73, 1.0], pseudo_random=False, overlapping=False, deterministic=False, seed=0, seed2=0, name=None)

Division by zero in Tensorflow

The implementation of FractionalMaxPool can be made to crash a TensorFlow process via a division by 0: import tensorflow as tf import numpy as np tf.raw_ops.FractionalMaxPool( value=tf.constant(value=[[[[1, 4, 2, 3]]]], dtype=tf.int64), pooling_ratio=[1.0, 1.44, 1.73, 1.0], pseudo_random=False, overlapping=False, deterministic=False, seed=0, seed2=0, name=None)

Division by zero in Tensorflow

The estimator for the cost of some convolution operations can be made to execute a division by 0: import tensorflow as tf @tf.function def test(): y=tf.raw_ops.AvgPoolGrad( orig_input_shape=[1,1,1,1], grad=[[[[1.0],[1.0],[1.0]]],[[[2.0],[2.0],[2.0]]],[[[3.0],[3.0],[3.0]]]], ksize=[1,1,1,1], strides=[1,1,1,0], padding='VALID', data_format='NCHW') return y test() The function fails to check that the stride argument is stricly positive: int64_t GetOutputSize(const int64_t input, const int64_t filter, const int64_t stride, const Padding& padding) { // Logic for calculating output shape is from GetWindowedOutputSizeVerbose() …

Deserialization of Untrusted Data

A deserialization flaw is present in Taoensso Nippy In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface.

Deserialization of Untrusted Data

This vulnerability can affect all Dubbo users stay on or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.

Code Injection

A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.

`CHECK`-failures in Tensorflow

The implementation of MapStage is vulnerable a CHECK-fail if the key tensor is not a scalar: import tensorflow as tf import numpy as np tf.raw_ops.MapStage( key = tf.constant(value=[4], shape= (1,2), dtype=tf.int64), indices = np.array([[6]]), values = np.array([-60]), dtypes = [tf.int64], capacity=0, memory_limit=0, container='', shared_name='', name=None )

`CHECK`-failures in Tensorflow

The implementation of MapStage is vulnerable a CHECK-fail if the key tensor is not a scalar: import tensorflow as tf import numpy as np tf.raw_ops.MapStage( key = tf.constant(value=[4], shape= (1,2), dtype=tf.int64), indices = np.array([[6]]), values = np.array([-60]), dtypes = [tf.int64], capacity=0, memory_limit=0, container='', shared_name='', name=None )

`CHECK`-failures in Tensorflow

The implementation of MapStage is vulnerable a CHECK-fail if the key tensor is not a scalar: import tensorflow as tf import numpy as np tf.raw_ops.MapStage( key = tf.constant(value=[4], shape= (1,2), dtype=tf.int64), indices = np.array([[6]]), values = np.array([-60]), dtypes = [tf.int64], capacity=0, memory_limit=0, container='', shared_name='', name=None )

`CHECK`-failures in binary ops in Tensorflow

A malicious user can cause a denial of service by altering a SavedModel such that any binary op would trigger CHECK failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the dtype no longer matches the dtype expected by the op. In that case, calling the templated binary operator for the binary op would receive corrupted data, due to the type confusion involved: …

`CHECK`-failures in binary ops in Tensorflow

A malicious user can cause a denial of service by altering a SavedModel such that any binary op would trigger CHECK failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the dtype no longer matches the dtype expected by the op. In that case, calling the templated binary operator for the binary op would receive corrupted data, due to the type confusion involved: …

`CHECK`-failures in binary ops in Tensorflow

A malicious user can cause a denial of service by altering a SavedModel such that any binary op would trigger CHECK failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the dtype no longer matches the dtype expected by the op. In that case, calling the templated binary operator for the binary op would receive corrupted data, due to the type confusion involved: …

`CHECK`-failures in `TensorByteSize` in Tensorflow

A malicious user can cause a denial of service by altering a SavedModel such that TensorByteSize would trigger CHECK failures. int64_t TensorByteSize(const TensorProto& t) { // num_elements returns -1 if shape is not fully defined. int64_t num_elems = TensorShape(t.tensor_shape()).num_elements(); return num_elems < 0 ? -1 : num_elems * DataTypeSize(t.dtype()); } TensorShape constructor throws a CHECK-fail if shape is partial or has a number of elements that would overflow the size …

`CHECK`-failures in `TensorByteSize` in Tensorflow

A malicious user can cause a denial of service by altering a SavedModel such that TensorByteSize would trigger CHECK failures. int64_t TensorByteSize(const TensorProto& t) { // num_elements returns -1 if shape is not fully defined. int64_t num_elems = TensorShape(t.tensor_shape()).num_elements(); return num_elems < 0 ? -1 : num_elems * DataTypeSize(t.dtype()); } TensorShape constructor throws a CHECK-fail if shape is partial or has a number of elements that would overflow the size …

`CHECK`-failures in `TensorByteSize` in Tensorflow

A malicious user can cause a denial of service by altering a SavedModel such that TensorByteSize would trigger CHECK failures. int64_t TensorByteSize(const TensorProto& t) { // num_elements returns -1 if shape is not fully defined. int64_t num_elems = TensorShape(t.tensor_shape()).num_elements(); return num_elems < 0 ? -1 : num_elems * DataTypeSize(t.dtype()); } TensorShape constructor throws a CHECK-fail if shape is partial or has a number of elements that would overflow the size …

User object created with invalid provider data in GoTrue

Impact What kind of vulnerability is it? Who is impacted? Under certain circumstances a valid user object would have been created with invalid provider metadata. This vulnerability affects everyone running an instance of GoTrue as a service. We advise you to update especially if you are using the provider metadata from the user object to secure other resources. Patches Has the problem been patched? What versions should users upgrade to? …

Use after free in `DecodePng` kernel

A malicious user can cause a use after free behavior when decoding PNG images: if (/* … error conditions … */) { png::CommonFreeDecode(&decode); OP_REQUIRES(context, false, errors::InvalidArgument("PNG size too large for int: ", decode.width, " by ", decode.height)); } After png::CommonFreeDecode(&decode) gets called, the values of decode.width and decode.height are in an unspecified state.

Use after free in `DecodePng` kernel

A malicious user can cause a use after free behavior when decoding PNG images: if (/* … error conditions … */) { png::CommonFreeDecode(&decode); OP_REQUIRES(context, false, errors::InvalidArgument("PNG size too large for int: ", decode.width, " by ", decode.height)); } After png::CommonFreeDecode(&decode) gets called, the values of decode.width and decode.height are in an unspecified state.

Use after free in `DecodePng` kernel

A malicious user can cause a use after free behavior when decoding PNG images: if (/* … error conditions … */) { png::CommonFreeDecode(&decode); OP_REQUIRES(context, false, errors::InvalidArgument("PNG size too large for int: ", decode.width, " by ", decode.height)); } After png::CommonFreeDecode(&decode) gets called, the values of decode.width and decode.height are in an unspecified state.

URL Redirection to Untrusted Site ('Open Redirect')

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is no protection against URL redirection to untrusted sites, in particular some well known parameters (xredirect) can be used to perform url redirections. This problem has been patched in XWiki 12.10.7 and XWiki 13.3RC1. Users are advised to update. There are no known workarounds for this issue.

Uninitialized variable access in Tensorflow

The implementation of AssignOp can result in copying unitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized (to minimize number of allocations), but does not check that the right hand side is also initialized.

Uninitialized variable access in Tensorflow

The implementation of AssignOp can result in copying unitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized (to minimize number of allocations), but does not check that the right hand side is also initialized.

Uninitialized variable access in Tensorflow

The implementation of AssignOp can result in copying unitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized (to minimize number of allocations), but does not check that the right hand side is also initialized.

Undefined behavior in `SparseTensorSliceDataset`

The implementation of SparseTensorSliceDataset has an undefined behavior: under certain condition it can be made to dereference a nullptr value: import tensorflow as tf import numpy as np tf.raw_ops.SparseTensorSliceDataset( indices=[[]], values=[], dense_shape=[1,1]) The 3 input arguments represent a sparse tensor. However, there are some preconditions that these arguments must satisfy but these are not validated in the implementation.

Undefined behavior in `SparseTensorSliceDataset`

The implementation of SparseTensorSliceDataset has an undefined behavior: under certain condition it can be made to dereference a nullptr value: import tensorflow as tf import numpy as np tf.raw_ops.SparseTensorSliceDataset( indices=[[]], values=[], dense_shape=[1,1]) The 3 input arguments represent a sparse tensor. However, there are some preconditions that these arguments must satisfy but these are not validated in the implementation.

Undefined behavior in `SparseTensorSliceDataset`

The implementation of SparseTensorSliceDataset has an undefined behavior: under certain condition it can be made to dereference a nullptr value: import tensorflow as tf import numpy as np tf.raw_ops.SparseTensorSliceDataset( indices=[[]], values=[], dense_shape=[1,1]) The 3 input arguments represent a sparse tensor. However, there are some preconditions that these arguments must satisfy but these are not validated in the implementation.

Stack overflow in TensorFlow

The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel: library { function { signature { name: "SomeOp" description: "Self recursive op" } node_def { name: "1" op: "SomeOp" } node_def { name: "2" op: "SomeOp" } } } This would result in a …

Stack overflow in TensorFlow

The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel: library { function { signature { name: "SomeOp" description: "Self recursive op" } node_def { name: "1" op: "SomeOp" } node_def { name: "2" op: "SomeOp" } } } This would result in a …

Stack overflow in TensorFlow

The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel: library { function { signature { name: "SomeOp" description: "Self recursive op" } node_def { name: "1" op: "SomeOp" } node_def { name: "2" op: "SomeOp" } } } This would result in a …

Server-Side Request Forgery (SSRF)

In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.

Segfault in `simplifyBroadcast` in Tensorflow

The simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault (hence, denial of service), if called with scalar shapes. size_t maxRank = 0; for (auto shape : llvm::enumerate(shapes)) { auto found_shape = analysis.dimensionsForShapeTensor(shape.value()); if (!found_shape) return {}; shapes_found.push_back(found_shape); maxRank = std::max(maxRank, found_shape->size()); } SmallVector<const ShapeComponentAnalysis::SymbolicDimension> joined_dimensions(maxRank); If all shapes are scalar, then maxRank is 0, so we build an empty SmallVector.

Segfault in `simplifyBroadcast` in Tensorflow

The simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault (hence, denial of service), if called with scalar shapes. size_t maxRank = 0; for (auto shape : llvm::enumerate(shapes)) { auto found_shape = analysis.dimensionsForShapeTensor(shape.value()); if (!found_shape) return {}; shapes_found.push_back(found_shape); maxRank = std::max(maxRank, found_shape->size()); } SmallVector<const ShapeComponentAnalysis::SymbolicDimension> joined_dimensions(maxRank); If all shapes are scalar, then maxRank is 0, so we build an empty SmallVector.

Segfault in `simplifyBroadcast` in Tensorflow

The simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault (hence, denial of service), if called with scalar shapes. size_t maxRank = 0; for (auto shape : llvm::enumerate(shapes)) { auto found_shape = analysis.dimensionsForShapeTensor(shape.value()); if (!found_shape) return {}; shapes_found.push_back(found_shape); maxRank = std::max(maxRank, found_shape->size()); } SmallVector<const ShapeComponentAnalysis::SymbolicDimension> joined_dimensions(maxRank); If all shapes are scalar, then maxRank is 0, so we build an empty SmallVector.

Remote code execution in Apache TomEE

If Apache TomEE - - - - is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix does not cover this edge case.

Reachable Assertion in Tensorflow

When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments, if the tensors have an invalid dtype and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow processes.

Reachable Assertion in Tensorflow

When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments, if the tensors have an invalid dtype and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow processes.

Reachable Assertion in Tensorflow

When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments, if the tensors have an invalid dtype and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow processes.

Reachable Assertion in Tensorflow

When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.

Reachable Assertion in Tensorflow

When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.

Reachable Assertion in Tensorflow

When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.

Partial authorization bypass on document save in xwiki-platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround …

Out-of-bounds Write

Tensorflow is an Open Source Machine Learning Framework. The TFG dialect of TensorFlow makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect. If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can cause a crash in the Python interpreter. Under certain scenarios, heap OOB read/writes are possible. These issues have …

Out-of-bounds Write

Tensorflow is an Open Source Machine Learning Framework. The TFG dialect of TensorFlow makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect. If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can cause a crash in the Python interpreter. Under certain scenarios, heap OOB read/writes are possible. These issues have …

Out of bounds write in TFLite

An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions.

Out of bounds write in TFLite

An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions.

Out of bounds write in TFLite

An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions.

Out of bounds write in Tensorflow

TensorFlow is vulnerable to a heap OOB write in Grappler: Status SetUnknownShape(const NodeDef* node, int output_port) { shape_inference::ShapeHandle shape = GetUnknownOutputShape(node, output_port); InferenceContext* ctx = GetContext(node); if (ctx == nullptr) { return errors::InvalidArgument("Missing context"); } ctx->set_output(output_port, shape); return Status::OK(); } The set_output function writes to an array at the specified index: void set_output(int idx, ShapeHandle shape) { outputs_.at(idx) = shape; } Hence, this gives a malicious user a write primitive.

Out of bounds write in Tensorflow

TensorFlow is vulnerable to a heap OOB write in Grappler: Status SetUnknownShape(const NodeDef* node, int output_port) { shape_inference::ShapeHandle shape = GetUnknownOutputShape(node, output_port); InferenceContext* ctx = GetContext(node); if (ctx == nullptr) { return errors::InvalidArgument("Missing context"); } ctx->set_output(output_port, shape); return Status::OK(); } The set_output function writes to an array at the specified index: void set_output(int idx, ShapeHandle shape) { outputs_.at(idx) = shape; } Hence, this gives a malicious user a write primitive.

Out of bounds write in Tensorflow

TensorFlow is vulnerable to a heap OOB write in Grappler: Status SetUnknownShape(const NodeDef* node, int output_port) { shape_inference::ShapeHandle shape = GetUnknownOutputShape(node, output_port); InferenceContext* ctx = GetContext(node); if (ctx == nullptr) { return errors::InvalidArgument("Missing context"); } ctx->set_output(output_port, shape); return Status::OK(); } The set_output function writes to an array at the specified index: void set_output(int idx, ShapeHandle shape) { outputs_.at(idx) = shape; } Hence, this gives a malicious user a write primitive.

Out of bounds read in Tensorflow

The implementation of FractionalAvgPoolGrad does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.FractionalAvgPoolGrad( orig_input_tensor_shape=[2,2,2,2], out_backprop=[[[[1,2], [3, 4], [5, 6]], [[7, 8], [9,10], [11,12]]]], row_pooling_sequence=[-10,1,2,3], col_pooling_sequence=[1,2,3,4], overlapping=True) return y test()

Out of bounds read in Tensorflow

TensorFlow's type inference can cause a heap OOB read as the bounds checking is done in a DCHECK (which is a no-op during production): if (node_t.type_id() != TFT_UNSET) { int ix = input_idx[i]; DCHECK(ix < node_t.args_size()) << "input " << i << " should have an output " << ix << " but instead only has " << node_t.args_size() << " outputs: " << node_t.DebugString(); input_types.emplace_back(node_t.args(ix)); // … } An …

Out of bounds read in Tensorflow

The implementation of FractionalAvgPoolGrad does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.FractionalAvgPoolGrad( orig_input_tensor_shape=[2,2,2,2], out_backprop=[[[[1,2], [3, 4], [5, 6]], [[7, 8], [9,10], [11,12]]]], row_pooling_sequence=[-10,1,2,3], col_pooling_sequence=[1,2,3,4], overlapping=True) return y test()

Out of bounds read in Tensorflow

The implementation of Dequantize does not fully validate the value of axis and can result in heap OOB accesses: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.Dequantize( input=tf.constant([1,1],dtype=tf.qint32), min_range=[1.0], max_range=[10.0], mode='MIN_COMBINED', narrow_range=False, axis=2**31-1, dtype=tf.bfloat16) return y test() The axis argument can be -1 (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound …

Out of bounds read in Tensorflow

TensorFlow's type inference can cause a heap OOB read as the bounds checking is done in a DCHECK (which is a no-op during production): if (node_t.type_id() != TFT_UNSET) { int ix = input_idx[i]; DCHECK(ix < node_t.args_size()) << "input " << i << " should have an output " << ix << " but instead only has " << node_t.args_size() << " outputs: " << node_t.DebugString(); input_types.emplace_back(node_t.args(ix)); // … } An …

Out of bounds read in Tensorflow

The implementation of shape inference for ReverseSequence does not fully validate the value of batch_dim and can result in a heap OOB read: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.ReverseSequence( input = ['aaa','bbb'], seq_lengths = [1,1,1], seq_dim = -10, batch_dim = -10 ) return y test() There is a check to make sure the value of batch_dim does not go over the rank of the input, but …

Out of bounds read in Tensorflow

The implementation of shape inference for ReverseSequence does not fully validate the value of batch_dim and can result in a heap OOB read: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.ReverseSequence( input = ['aaa','bbb'], seq_lengths = [1,1,1], seq_dim = -10, batch_dim = -10 ) return y test() There is a check to make sure the value of batch_dim does not go over the rank of the input, but …

Out of bounds read in Tensorflow

The implementation of Dequantize does not fully validate the value of axis and can result in heap OOB accesses: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.Dequantize( input=tf.constant([1,1],dtype=tf.qint32), min_range=[1.0], max_range=[10.0], mode='MIN_COMBINED', narrow_range=False, axis=2**31-1, dtype=tf.bfloat16) return y test() The axis argument can be -1 (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound …

Out of bounds read in Tensorflow

The implementation of Dequantize does not fully validate the value of axis and can result in heap OOB accesses: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.Dequantize( input=tf.constant([1,1],dtype=tf.qint32), min_range=[1.0], max_range=[10.0], mode='MIN_COMBINED', narrow_range=False, axis=2**31-1, dtype=tf.bfloat16) return y test() The axis argument can be -1 (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound …

Out of bounds read in Tensorflow

TensorFlow's type inference can cause a heap OOB read as the bounds checking is done in a DCHECK (which is a no-op during production): if (node_t.type_id() != TFT_UNSET) { int ix = input_idx[i]; DCHECK(ix < node_t.args_size()) << "input " << i << " should have an output " << ix << " but instead only has " << node_t.args_size() << " outputs: " << node_t.DebugString(); input_types.emplace_back(node_t.args(ix)); // … } An …

Out of bounds read in Tensorflow

The implementation of FractionalAvgPoolGrad does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.FractionalAvgPoolGrad( orig_input_tensor_shape=[2,2,2,2], out_backprop=[[[[1,2], [3, 4], [5, 6]], [[7, 8], [9,10], [11,12]]]], row_pooling_sequence=[-10,1,2,3], col_pooling_sequence=[1,2,3,4], overlapping=True) return y test()

Out of bounds read in Tensorflow

The implementation of shape inference for ReverseSequence does not fully validate the value of batch_dim and can result in a heap OOB read: import tensorflow as tf @tf.function def test(): y = tf.raw_ops.ReverseSequence( input = ['aaa','bbb'], seq_lengths = [1,1,1], seq_dim = -10, batch_dim = -10 ) return y test() There is a check to make sure the value of batch_dim does not go over the rank of the input, but …

Out of bounds read and write in Tensorflow

There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write: for (int i = 0; i < op_def.output_arg_size(); i++) { // … for (int j = 0; j < t->args_size(); j++) { auto* arg = t->mutable_args(i); // … } } Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign …

Out of bounds read and write in Tensorflow

There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write: for (int i = 0; i < op_def.output_arg_size(); i++) { // … for (int j = 0; j < t->args_size(); j++) { auto* arg = t->mutable_args(i); // … } } Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign …

Out of bounds read and write in Tensorflow

There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write: for (int i = 0; i < op_def.output_arg_size(); i++) { // … for (int j = 0; j < t->args_size(); j++) { auto* arg = t->mutable_args(i); // … } } Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign …

OS Command Injection in ansible

A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.

Null-dereference in Tensorflow

When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK: const auto* attr = attrs.Find(arg->s()); DCHECK(attr != nullptr); if (attr->value_case() == AttrValue::kList) { // … } However, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the …

Null-dereference in Tensorflow

When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK: const auto* attr = attrs.Find(arg->s()); DCHECK(attr != nullptr); if (attr->value_case() == AttrValue::kList) { // … } However, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the …

Null-dereference in Tensorflow

When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK: const auto* attr = attrs.Find(arg->s()); DCHECK(attr != nullptr); if (attr->value_case() == AttrValue::kList) { // … } However, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the …

Null pointer dereference in TensorFlow

When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference: string allowed_gpus = flr->config_proto()->gpu_options().visible_device_list(); In the default scenario, all devices are allowed, so flr->config_proto is nullptr.

Null pointer dereference in TensorFlow

When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference: string allowed_gpus = flr->config_proto()->gpu_options().visible_device_list(); In the default scenario, all devices are allowed, so flr->config_proto is nullptr.

Null pointer dereference in TensorFlow

When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference: string allowed_gpus = flr->config_proto()->gpu_options().visible_device_list(); In the default scenario, all devices are allowed, so flr->config_proto is nullptr.

Null pointer dereference in TensorFlow

The implementation of QuantizedMaxPool has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer. import tensorflow as tf tf.raw_ops.QuantizedMaxPool( input = tf.constant([[[[4]]]], dtype=tf.quint8), min_input = [], max_input = [1], ksize = [1, 1, 1, 1], strides = [1, 1, 1, 1], padding = "SAME", name=None )

Null pointer dereference in TensorFlow

The implementation of QuantizedMaxPool has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer. import tensorflow as tf tf.raw_ops.QuantizedMaxPool( input = tf.constant([[[[4]]]], dtype=tf.quint8), min_input = [], max_input = [1], ksize = [1, 1, 1, 1], strides = [1, 1, 1, 1], padding = "SAME", name=None )

Null pointer dereference in TensorFlow

The implementation of QuantizedMaxPool has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer. import tensorflow as tf tf.raw_ops.QuantizedMaxPool( input = tf.constant([[[[4]]]], dtype=tf.quint8), min_input = [], max_input = [1], ksize = [1, 1, 1, 1], strides = [1, 1, 1, 1], padding = "SAME", name=None )

NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow

Impact The code for boosted trees in TensorFlow is still missing validation. This allows malicious users to read and write outside of bounds of heap allocated data as well as trigger denial of service (via dereferencing nullptrs or via CHECK-failures). This follows after CVE-2021-41208 where these APIs were still vulnerable to multiple security issues. Note: Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommend to no …

NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow

Impact The code for boosted trees in TensorFlow is still missing validation. This allows malicious users to read and write outside of bounds of heap allocated data as well as trigger denial of service (via dereferencing nullptrs or via CHECK-failures). This follows after CVE-2021-41208 where these APIs were still vulnerable to multiple security issues. Note: Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommend to no …

NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow

Impact The code for boosted trees in TensorFlow is still missing validation. This allows malicious users to read and write outside of bounds of heap allocated data as well as trigger denial of service (via dereferencing nullptrs or via CHECK-failures). This follows after CVE-2021-41208 where these APIs were still vulnerable to multiple security issues. Note: Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommend to no …

Missing Authorization

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page it does not have access to by using it as template of a new page. This issue has been patched in XWiki 13.2CR1 and 12.10.6. Users are advised to update. There are no known workarounds for this issue.

Missing Authorization

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg"). This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right.

Missing Authorization

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.

Missing Authentication for Critical Function

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user …

Memory leak in decoding PNG images

When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling png::CommonInitDecode(…, &decode), the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode(&decode). However, several error case in the function implementation invoke the OP_REQUIRES macro which immediately terminates the execution of the function, without allowing for the memory free to occur.

Memory leak in decoding PNG images

When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling png::CommonInitDecode(…, &decode), the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode(&decode). However, several error case in the function implementation invoke the OP_REQUIRES macro which immediately terminates the execution of the function, without allowing for the memory free to occur.

Memory leak in decoding PNG images

When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling png::CommonInitDecode(…, &decode), the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode(&decode). However, several error case in the function implementation invoke the OP_REQUIRES macro which immediately terminates the execution of the function, without allowing for the memory free to occur.

Integer overflows in Tensorflow

The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects (so, an assert failure based denial of service): import tensorflow as tf import numpy as np tf.raw_ops.AddManySparseToTensorsMap( sparse_indices=[(0,0),(0,1),(0,2),(4,3),(5,0),(5,1)], sparse_values=[1,1,1,1,1,1], sparse_shape=[232,232], container='', shared_name='', name=None) We are missing some validation on the shapes of the input tensors as well as directly constructing a large TensorShape with user-provided dimensions. The latter is an …

Integer overflows in Tensorflow

The implementations of SparseCwise ops are vulnerable to integer overflows. These can be used to trigger large allocations (so, OOM based denial of service) or CHECK-fails when building new TensorShape objects (so, assert failures based denial of service): import tensorflow as tf import numpy as np tf.raw_ops.SparseDenseCwiseDiv( sp_indices=np.array([[9]]), sp_values=np.array([5]), sp_shape=np.array([92233720368., 92233720368]), dense=np.array([4])) We are missing some validation on the shapes of the input tensors as well as directly constructing a …

Integer overflows in Tensorflow

The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects (so, an assert failure based denial of service): import tensorflow as tf import numpy as np tf.raw_ops.AddManySparseToTensorsMap( sparse_indices=[(0,0),(0,1),(0,2),(4,3),(5,0),(5,1)], sparse_values=[1,1,1,1,1,1], sparse_shape=[232,232], container='', shared_name='', name=None) We are missing some validation on the shapes of the input tensors as well as directly constructing a large TensorShape with user-provided dimensions. The latter is an …

Integer overflows in Tensorflow

The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects (so, an assert failure based denial of service): import tensorflow as tf import numpy as np tf.raw_ops.AddManySparseToTensorsMap( sparse_indices=[(0,0),(0,1),(0,2),(4,3),(5,0),(5,1)], sparse_values=[1,1,1,1,1,1], sparse_shape=[232,232], container='', shared_name='', name=None) We are missing some validation on the shapes of the input tensors as well as directly constructing a large TensorShape with user-provided dimensions. The latter is an …

Integer overflows in Tensorflow

The implementations of SparseCwise ops are vulnerable to integer overflows. These can be used to trigger large allocations (so, OOM based denial of service) or CHECK-fails when building new TensorShape objects (so, assert failures based denial of service): import tensorflow as tf import numpy as np tf.raw_ops.SparseDenseCwiseDiv( sp_indices=np.array([[9]]), sp_values=np.array([5]), sp_shape=np.array([92233720368., 92233720368]), dense=np.array([4])) We are missing some validation on the shapes of the input tensors as well as directly constructing a …

Integer overflows in Tensorflow

The implementations of SparseCwise ops are vulnerable to integer overflows. These can be used to trigger large allocations (so, OOM based denial of service) or CHECK-fails when building new TensorShape objects (so, assert failures based denial of service): import tensorflow as tf import numpy as np tf.raw_ops.SparseDenseCwiseDiv( sp_indices=np.array([[9]]), sp_values=np.array([5]), sp_shape=np.array([92233720368., 92233720368]), dense=np.array([4])) We are missing some validation on the shapes of the input tensors as well as directly constructing a …

Integer Overflow or Wraparound in TensorFlow

Impact The Grappler component of TensorFlow is vulnerable to a denial of service via CHECK-failure in constant folding for ; // … } The output_prop tensor has a shape that is controlled by user input and this can result in triggering one of the CHECKs in the PartialTensorShape constructor. This is an instance of TFSA-2021-198 . ### Patches We have patched the issue in GitHub commit be7b286d40bc68cb0b56f702186cc4837d508058 fix will be …

Integer Overflow or Wraparound in TensorFlow

Impact The Grappler component of TensorFlow is vulnerable to a denial of service via CHECK-failure in constant folding for ; // … } The output_prop tensor has a shape that is controlled by user input and this can result in triggering one of the CHECKs in the PartialTensorShape constructor. This is an instance of TFSA-2021-198 . ### Patches We have patched the issue in GitHub commit be7b286d40bc68cb0b56f702186cc4837d508058 fix will be …

Integer Overflow or Wraparound in TensorFlow

Impact The Grappler component of TensorFlow is vulnerable to a denial of service via CHECK-failure in constant folding for ; // … } The output_prop tensor has a shape that is controlled by user input and this can result in triggering one of the CHECKs in the PartialTensorShape constructor. This is an instance of TFSA-2021-198 . ### Patches We have patched the issue in GitHub commit be7b286d40bc68cb0b56f702186cc4837d508058 fix will be …

Integer overflow leading to crash in Tensorflow

The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation: import tensorflow as tf import numpy as np tf.raw_ops.SparseCountSparseOutput( indices=[[1,1]], values=[2], dense_shape=[2 ** 31, 2 ** 32], weights=[1], binary_output=True, minlength=-1, maxlength=-1, name=None)

Integer overflow leading to crash in Tensorflow

The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation: import tensorflow as tf import numpy as np tf.raw_ops.SparseCountSparseOutput( indices=[[1,1]], values=[2], dense_shape=[2 ** 31, 2 ** 32], weights=[1], binary_output=True, minlength=-1, maxlength=-1, name=None)

Integer overflow leading to crash in Tensorflow

The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation: import tensorflow as tf import numpy as np tf.raw_ops.SparseCountSparseOutput( indices=[[1,1]], values=[2], dense_shape=[2 ** 31, 2 ** 32], weights=[1], binary_output=True, minlength=-1, maxlength=-1, name=None)

Integer overflow in TFLite array creation

An attacker can craft a TFLite model that would cause an integer overflow in TfLiteIntArrayCreate: TfLiteIntArray* TfLiteIntArrayCreate(int size) { int alloc_size = TfLiteIntArrayGetSizeInBytes(size); // … TfLiteIntArray* ret = (TfLiteIntArray*)malloc(alloc_size); // … } The TfLiteIntArrayGetSizeInBytes returns an int instead of a size_t: int TfLiteIntArrayGetSizeInBytes(int size) { static TfLiteIntArray dummy; int computed_size = sizeof(dummy) + sizeof(dummy.data[0]) * size;

Integer overflow in TFLite array creation

An attacker can craft a TFLite model that would cause an integer overflow in TfLiteIntArrayCreate: TfLiteIntArray* TfLiteIntArrayCreate(int size) { int alloc_size = TfLiteIntArrayGetSizeInBytes(size); // … TfLiteIntArray* ret = (TfLiteIntArray*)malloc(alloc_size); // … } The TfLiteIntArrayGetSizeInBytes returns an int instead of a size_t: int TfLiteIntArrayGetSizeInBytes(int size) { static TfLiteIntArray dummy; int computed_size = sizeof(dummy) + sizeof(dummy.data[0]) * size;

Integer overflow in TFLite array creation

An attacker can craft a TFLite model that would cause an integer overflow in TfLiteIntArrayCreate: TfLiteIntArray* TfLiteIntArrayCreate(int size) { int alloc_size = TfLiteIntArrayGetSizeInBytes(size); // … TfLiteIntArray* ret = (TfLiteIntArray*)malloc(alloc_size); // … } The TfLiteIntArrayGetSizeInBytes returns an int instead of a size_t: int TfLiteIntArrayGetSizeInBytes(int size) { static TfLiteIntArray dummy; int computed_size = sizeof(dummy) + sizeof(dummy.data[0]) * size;

Integer overflow in TFLite

An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations: int embedding_size = 1; int lookup_size = 1; for (int i = 0; i < lookup_rank - 1; i++, k++) { const int dim = dense_shape->data.i32[i]; lookup_size *= dim; output_shape->data[k] = dim; } for (int i = 1; i < embedding_rank; i++, k++) { const int dim = SizeOfDimension(value, i); embedding_size *= dim; …

Integer overflow in TFLite

An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations: int embedding_size = 1; int lookup_size = 1; for (int i = 0; i < lookup_rank - 1; i++, k++) { const int dim = dense_shape->data.i32[i]; lookup_size *= dim; output_shape->data[k] = dim; } for (int i = 1; i < embedding_rank; i++, k++) { const int dim = SizeOfDimension(value, i); embedding_size *= dim; …

Integer overflow in TFLite

An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations: int embedding_size = 1; int lookup_size = 1; for (int i = 0; i < lookup_rank - 1; i++, k++) { const int dim = dense_shape->data.i32[i]; lookup_size *= dim; output_shape->data[k] = dim; } for (int i = 1; i < embedding_rank; i++, k++) { const int dim = SizeOfDimension(value, i); embedding_size *= dim; …

Integer overflow in TensorFlow

Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.

Integer overflow in TensorFlow

Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.

Integer overflow in TensorFlow

Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.

Integer overflow in Tensorflow

The implementation of shape inference for Dequantize is vulnerable to an integer overflow weakness: import tensorflow as tf input = tf.constant([1,1],dtype=tf.qint32) @tf.function def test(): y = tf.raw_ops.Dequantize( input=input, min_range=[1.0], max_range=[10.0], mode='MIN_COMBINED', narrow_range=False, axis=2**31-1, dtype=tf.bfloat16) return y test() The axis argument can be -1 (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not …