71 matches found
CVE-2023-32559
CVE-2023-32559 describes a privilege-escalation vulnerability in Node.js via the experimental policy mechanism. The attack leverages the deprecated API process.binding(), potentially bypassing policy.json and abusing process.binding('spawn_sync') to run arbitrary code outside policy limits. The i...
CVE-2023-32559
A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsync' to run arbitrary code outside of the limits defined in a...
SUSE CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsyn...
CVE-2023-32558
A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding can bypass the permission model through path traversal. Mitigation Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product...
PT-2023-4549 · Node.Js +9 · Node.Js +9
Name of the Vulnerable Software and Affected Versions: Node.js versions 16.x through 20.x Description: A privilege escalation issue exists in the experimental policy mechanism due to inadequate access controls. This can be exploited by a remote attacker to bypass existing security restrictions. T...
PT-2023-9603 · Node.Js · Node.Js
Name of the Vulnerable Software and Affected Versions: Node.js versions 20.x Description: The use of the deprecated API process.binding can bypass the permission model through path traversal, potentially allowing a remote attacker to bypass security restrictions and gain unauthorized access to...
Spring Cloud Azure 5.0 is now Generally Available
Were very pleased to announce that Spring Cloud Azure 5.0 is now generally available. This major release includes the following features, improvements, and documentation updates: Compatible with Spring Boot 3 and Spring Cloud 2022.0.0 Supports Passwordless Connections Updated Azure for Spring...
Spring Cloud Azure 5.0 is now Generally Available
We're very pleased to announce that Spring Cloud Azure 5.0 is now generally available. This major release includes the following features, improvements, and documentation updates: Compatible with Spring Boot 3 and Spring Cloud 2022.0.0 Supports Passwordless Connections Updated Azure for Spring...
Lack of validation on price feeds
Lines of code Vulnerability details Impact Lack of validation on Chainlink price feeds may result in incorrectly functioning or non-functioning protocol. For example: during high volatility a price feed may be suspended or become stale; on L2 networks the sequencer might be down on L2 networks th...
GHSA-5Q86-62XR-3R57 Uses of deprecated API can be used to cause DoS in user-facing endpoints
Impact Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll. ioutil.ReadAll reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. Eventsources susceptible to an out-of-memor...
Uses of deprecated API can be used to cause DoS in user-facing endpoints
Impact Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll. ioutil.ReadAll reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. Eventsources susceptible to an out-of-memor...
CVE-2022-31054 Uses of deprecated API can be used to cause DoS in user-facing endpoints in Argo Events
Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several HandleRoute endpoints make use of the deprecated ioutil.ReadAll. ioutil.ReadAll reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server wil...
CVE-2022-31054 Uses of deprecated API can be used to cause DoS in user-facing endpoints in Argo Events
Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several HandleRoute endpoints make use of the deprecated ioutil.ReadAll. ioutil.ReadAll reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server wil...
Phabricator: Deprecated owners.query API bypasses object view policy
The deprecated owners.query API does not check object view policy. A user is able to view some information about an owner package which they do not have permission to see by calling this API. Since the API is deprecated, it could just be removed. Impact An attacker is able to view some informatio...
Chainlink pricer is using a deprecated API
Lines of code Vulnerability details Impact According to Chainlink's documentation, the latestAnswer function is deprecated. This function might suddenly stop working if Chainlink stop supporting deprecated APIs. And the old API can return stale data. Proof of Concept Tools Used None Recommended...
Deprecated CHAINLINK API usage
Lines of code Vulnerability details Impact Usage of deprecated chainlink function to get collateral price. Proof of Concept The Chainlink API latestAnswer used in the FungibleAssetVaultForDAO contract is deprecated: This method returns the last value but that value cannot be fully updated. New V3...
Use of deprecated oracle API in _collateralPriceUsd
Lines of code Vulnerability details Likelihood low, impact high. The Chainlink latestAnswer function included in IAggregatorV3Interface and called in FungibleAssetVaultForDAOcollateralPriceUsd is considered deprecated and no longer included in the Chainlink API documentation. It's considered best...
Use of deprecated API for chainlink aggregator
Lines of code Vulnerability details Impact Price returned by oracle could be stale Proof of Concept The use of aggregator.latestAnswer is deprecated and could lead to stale data if the data wasn't recently updated. This is especially important for checking NFT prices since prices can change quick...
CVE-2022-0862
A lack of password change protection vulnerability in a depreciated API of McAfee Enterprise ePolicy Orchestrator ePO prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from...
CVE-2022-0862
A lack of password change protection vulnerability in a depreciated API of McAfee Enterprise ePolicy Orchestrator ePO prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from...