Advisories

Aug 2019

SQL Injection in Django

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, …

Command Injection

A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename.

Improper Input Validation

It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

Improper Authentication

It was found that Keycloak's SAML broker did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

Cross-Site Request Forgery (CSRF)

An issue was discovered in Dolibarr. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered |20 Storage A Path Traversal vulnerability in the TwentyTwenty.Storage library in the LocalStorageProvider allows creating and reading files outside of the specified basepath. If the application using this library does not sanitize user-supplied filenames, then this issue may be exploited to read or write arbitrary files. This affects LocalStorageProvider.cs.

Sensitive data written to disk unencrypted in Spark

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Key confusion attack

The PHP JOSE Library is vulnerable to key confusion/algorithm substitution in the JWS component resulting in bypassing the signature verification via crafted tokens.

Uncontrolled Recursion in Django

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.

Django Denial-of-service in strip_tags()

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.

Django Denial-of-service in django.utils.text.Truncator

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

Cross-site Scripting

A stored cross-site scripting vulnerability exists in the product catalog form of Magento. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javascript.

Cross-site Scripting

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javascript.

Cross-site Scripting

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript.

Improper Authentication

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's dataConfig parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging/development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. The use of this …

Jul 2019

Improper Input Validation

Jenkins Configuration as Code Plugin does not not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

Information Exposure

A flaw was discovered in the way Ansible templating was implemented causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

Cryptographic Issues

Yarn is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Cross-site Scripting

Cross-site scripting (XSS) vulnerability in min-http-server allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.

Credentials Management

When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the default admin credentials. This can be mitigated by deactivating the default admin user …

Credentials Management

When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the default admin credentials. This can be mitigated by deactivating the default admin user …

Improper Restriction of XML External Entity Reference in ladon

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

Improper Input Validation

lodash is vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

SQL Injection

The package marginalia is affected by an SQL injection vulnerability enabling attackers to inject HTTP parameters/Headers into SQL queries.

NULL Pointer Dereference

In libnasm.a in Netwide Assembler (NASM), asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.

Infinite Loop in scapy

scapy is affected by a Denial of Service vulnerability resulting in an infinite loop and resource consumption rendering the program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). The attack vector is over the network or in a pcap. both work.

Cross-site Scripting

Firefly III is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page.

Path Traversal

A path traversal vulnerability in Jenkins in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

field_test gem contains injection vulnerability

The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).

Cross-site scripting invenio-records

A Cross-Site Scripting (XSS) vulnerability was discovered when rendering JSON for a record in the administration interface. The vulnerability could be exploited by e.g. a user who had access to upload a new record, that an admin user would then later view in the admin interface.

Cross-site Scripting in invenio-previewer

Several Cross-Site Scripting (XSS) vulnerabilities have been found in the JSON, Markdown and iPython Notebook previewers. The vulnerabilities would allow a malicous user to upload a JSON, Markdown or Notebook file with embedded scripts that would be executed by a victims browser.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1092, CVE-2019-1106, CVE-2019-1107.

Out-of-bounds Write

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1004, CVE-2019-1056, CVE-2019-1059.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1107.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107.

Improper Certificate Validation

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

Command Injection

Slanger is affected by a remote code execution. A remote attacker can execute arbitrary commands by sending a crafted request to the server.

Information Exposure

A missing permission check in Jenkins Docker Plugin in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Cross-Site Request Forgery (CSRF)

A cross-site request forgery vulnerability in Jenkins Docker Plugin in DockerAPI.DescriptorImpl#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Prototype Pollution in lodash

Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Prototype Pollution in lodash

Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Out-of-bounds Write

An issue has been found in third-party PNM decoding associated with libpng It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.

HPACK Denial of Service vulnerability (HPACK Bomb)

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK dynamic header table into the dynamic header table. The attacker can then send a header block that is simply repeated requests …

Denial of Service in mem

Versions of mem are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.

Insufficient Entropy

DNN (aka DotNetNuke) incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

Improper Verification of Cryptographic Signature in django-rest-registration

The vulnerability is a high severity one. Anyone using Django REST Registration library versions 0.2.* - 0.4.* with e-mail verification option (which is recommended, but needs additional configuration) is affected. In the worst case, the attacker can take over any Django user by resetting his/her password without even receiving the reset password verification link, just by guessing the signature from publicly available data (more detailed description below).

Arbitrary file overwrite

fstream is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Cross-site Scripting

An issue was discovered in mxGraph related to the draw.io Diagrams plugin for Confluence and other products. Improper input validation/sanitization of a color field leads to XSS. This is associated with javascript/examples/grapheditor/www/js/Dialogs.js.

Command Injection

Centreon allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

Jun 2019

Improper Input Validation

In numbers.c in libxslt, which is used by nokogiri, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

Improper Input Validation

In numbers.c in libxslt, which is used by nokogiri, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters [AaIi0], or any other character.

Improper Certificate Validation

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak …

SQL Injection

In Couchbase Sync Gateway, an attacker with access to the Sync Gateway's public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters startkey and endkey on the _all_docs endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required for …

Improper Locking

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Uncontrolled Resource Consumption

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Information Exposure

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though and can be used to perform any API operation the user is authorized to perform.

HTTP/2 DoS

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Reverse Tabnapping in swagger-ui

Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page. This is commonly used for phishing attacks. Recommendation Upgrade to version 3.18.0 or later.

Regular Expression Denial of Service

A Regular Expression Denial of Service vulnerability was discovered in esm The issue is that esm's find-indexes is using the unescaped identifiers in a regex, which, in this case, causes an infinite loop.

Out-of-bounds Read

Versions less than of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js ).

Information Disclosure

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Low severity vulnerability that affects Gw2Sharp

Leaking cached authenticated requests Impact If you've been using one MemoryCacheMethod object in multiple instances of Gw2WebApiClient and are requesting authenticated endpoints with different access tokens, then you are likely to run into this bug. When using an instance of MemoryCacheMethod and using it with multiple instances of Gw2WebApiClient, there's a possibility that cached authenticated responses are leaking to another request to the same endpoint, but with a different Guild …

Injection Vulnerability

An issue was discovered in RubyGems. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

Injection Vulnerability

An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

Improper Input Validation

A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is evaluated by ensure_loadable_spec during the pre-installation check.

Failure to sanitize quotes which can lead to sql injection in squel

All versions of squel are vulnerable to sql injection. The squel package does not properly escape user provided input when provided using the setFields method. This could lead to sql injection if the query was then executed. Proof of concept demonstrating the injection of a single quote into a generated sql statement from user provided input. > console.log(squel.insert().into('buh').setFields({foo: "bar'baz"}).toString()); INSERT INTO buh (foo) VALUES ('bar'baz') ``` ## Recommendation There is …

URL Redirection to Untrusted Site ('Open Redirect')

Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. …

Deserialization vulnerability exists in parso

** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common …

Deserialization of Untrusted Data

In createInstanceFromNamedArguments in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution.

URL Redirection to Untrusted Site (Open Redirect)

Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked …

SQL Injection in sql

All versions of sql are vulnerable to sql injection as it does not properly escape parameters when building SQL queries. No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1051, CVE-2019-1052.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1052.

Out-of-bounds Read in npmconf

Versions of npmconf allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js Update to or later. Consider switching to another config storage mechanism, as npmconf is deprecated and should not be used.

Information Exposure

An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t,exchange).

Improper Certificate Validation

The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (http or ldap) and hence the caller should verify the signature and possibly the certification path. Keycloak currently does not validate signatures on CRL, which …

Improper Authentication

It was found that Keycloak's Node.js adapter did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.

Twisted CRLF Injection

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

Remotely exploitable flaw

Ruby OpenID (aka ruby-openid) has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.

Improper Input Validation

A vulnerability exists in Rancher in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message.

Improper Input Validation

A vulnerability exists in Rancher in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics.

Django Cross-site Scripting in AdminURLFieldWidget

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

Rate Limiting Bypass in express-brute

All versions of express-brute are vulnerable to Rate Limiting Bypass. Concurrent requests may lead to race conditions that cause the package to incorrectly count requests. This may allow an attacker to bypass the rate limiting provided by the package and execute requests without limiting. No fix is currently available. Consider using an alternative module until a fix is made available.

Prototype Pollution

A vulnerability was found in querystringify It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)

Code Injection in PyXDG

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

Timing Attack in express-basic-auth

Versions of express-basic-auth are vulnerable to Timing Attacks. The package uses nating string comparison instead of a constant time string compare which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the exponential increase in entropy gained from longer secrets.

SQL Injection in typeorm

Versions of typeorm before 0.1.15 are vulnerable to SQL Injection. Field names are not properly validated allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation Upgrade to version 0.1.15

Signature Verification Bypass in jwt-simple

Versions of jwt-simple prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the decode() function, the packages uses the algorithm in the JWT to decode tokens. This allows an attacker to create a HS256 (symmetric algorithm) JWT with the server's public key as secret, and the package will verify it as HS256 instead of RS256 (asymmetric algorithm). Recommendation Upgrade to version 0.5.3 or later.

Regular Expression Denial of Service in braces

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 2.3.1 or higher.

Path Traversal

A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems …

Improper Access Controls

In Rancher, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

Regular Expression Denial of Service in marked

Versions of marked prior to 0.6.2 and later than 0.3.14 is vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion. Recommendation Upgrade to version 0.6.2 or later.

Regular Expression Denial of Service in clean-css

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Regular Expression Denial of Service in clean-css

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Regular Expression Denial of Service in clean-css

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Regular Expression Denial of Service in clean-css

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

High severity vulnerability that affects gun

Urgent Upgrade The static file server module included with GUN had a serious vulnerability: Using curl –path-as-is allowed reads on any parent directory or files. This did not work via the browser or via curl without as-is option. Fixed This has been fixed since version 0.2019.416 and higher. Who Was Effected? Most NodeJS users who use the default setup, such as: npm start node examples/http.js Heroku 1-click-deploy Docker Now If …

Denial of Service in url-relative

All versions of url-relative are vulnerable to Denial of Service. If the values to and from are equal, the function hangs and never returns. This may cause a Denial of Service. No fix is currently available. Consider using an alternative module until a fix is made available.

Denial of Service in js-yaml

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service. Recommendation Upgrade to version 3.13.0.

Denial of Service in canvas

Versions of canvas prior to 1.6.10 are vulnerable to Denial of Service. Processing malicious JPEGs or GIFs could crash the node process. Recommendation Upgrade to version 1.6.10

Cross-site Scripting

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)

Cross-Site Request Forgery (CSRF)

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

Sensitive Data Exposure in pem

Versions of pem expose sensitive data when the readPkcs12 is used. The readPkcs12 function reads the certificate and key data from a pkcs12 file using the encryption password. As part of this process it creates a globally readable file with a filename of random 0-f characters in the temporary directory containing the password which is then read by OpenSSL. The file containing the password is never cleaned up after it …

Remote Memory Exposure in floody

Versions of floody are vulnerable to remote memory exposure. . appending a chunk of uninitialized memory. Proof of Concept: var f = require('floody')(process.stdout); f.write(USERSUPPLIEDINPUT); 'f.stop(); ## Recommendation Update to or later.

NoSQL Injection in sequelize

Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection. Recommendation Upgrade to version 4.12.0 or later

NoSQL Injection in loopback-connector-mongodb

Versions of loopback-connector-mongodb are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions …

Denial of Service in ws

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent. Proof of concept const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', Sec-WebSocket-Extensions: ${payload}, 'Upgrade: websocket', '\r' …

Privilege Escalation in express-cart

Versions of express-cart before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users. Recommendation Update to version 1.1.6 or later.

Memory Exposure in tunnel-agent

Versions of tunnel-agent are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number. Proof-of-concept: require('request')({ method: 'GET', uri: 'http://www.example.com', tunnel: true, proxy:{ protocol: 'http:', host:'127.0.0.1', port:8080, auth:USERSUPPLIEDINPUT // number } }); ``` Update to or later.

Memory Exposure in concat-stream

Versions of concat-stream is vulnerable to memory exposure if userp provided input is passed into write() are not affected due to not using unguarded Buffer constructor. Update to or later. If you are unable to update make sure user provided input into the write() function is not a number.

Memory Exposure in bl

Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure. bl.append(number) in the affected bl versions passes a number to Buffer constructor, appending a chunk of uninitialized memory Recommendation Update to version 0.9.5, 1.0.1 or later.

Improper Access Control

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.

May 2019

Insecure Credential Storage in web3

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key. No fix is currently available. Consider using an alternative module until a fix is made available.

Directory Traversal in ltt.js

Affected versions of ltt.js resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo ``` No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Server-Side Request Forgery in terriajs-server

Versions of terriajs-server are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server allow listed by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain allow listed by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment. Upgrade …

Improper Authentication in Buildbot

Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim.

Cross-site Scripting

The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Cross-site Scripting

The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Cross-site Scripting

In PrestaShop, the shop_country parameter in the `install/index.Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.

Remote Memory Exposure in mysql

Versions of mysql before 2.14.0 is vulnerable to remove memory exposure. Affected versions of mysql package allocate and send an uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 is affected due to a throw added in newer node.js versions. Proof of Concept: require('mysql').createConnection({ host: 'localhost', user: 'user', password : USERPROVIDEDINPUT, // number database : 'my_db' }).connect(); Recommendation …

Information disclosure

ZooKeeper's getACL() command does not check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Empty passwords validation issue

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Empty passwords validation issue

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Empty passwords validation issue

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Cross-site Scripting

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

Information Exposure

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs …

SQL Injection

In Symfony, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0884, CVE-2019-0918.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Out-of-bounds Write

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

Command Injection

If the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Server Side Request Forgery in Apache Axis

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.

Improper Access Control

An issue was discovered in Singularity, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

XSS via URLs

In remarkable lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters.

Cross-Site Scripting

If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.

Path Traversal

Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem.

Denial of Service

Axios allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Information Exposure

Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly.

Improper Input Validation

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service.

Improper Link Resolution Before File Access ('Link Following')

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Apr 2019

Improper Input Validation

In Apache Archiva it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

Improper Input Validation

In Apache Archiva, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Improper Input Validation

In Apache Archiva it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

Improper Input Validation

A vulnerability was found in tar-fs. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

Cross-Site Request Forgery (CSRF)

The request phase of the OmniAuth is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

SQL injection vulnerability

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

SQL injection vulnerability

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

OS Command Injection

LibreNMS allows remote attackers to execute arbitrary OS commands by using the community parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhostrequest that triggershtml/includes/output/capture.inc.php` command mishandling.

Information Exposure

Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session.