
2626 matches found

RedhatCVE
added 2022/12/15 8:36 a.m. · 33 views

CVE-2022-42856

A vulnerability was found in webkitgtk, where a type confusion issue was addressed with improved memory handling. With this security flaw, processing maliciously crafted web content may lead to arbitrary code execution. Mitigation: Setting the environment variable JSC_useFTLJIT=0 will disable the...

CVSS 8.8 · AI score 2.6 · EPSS 0.00152
Exploits 0 · References 4
CNVD
added 2022/11/30 12:00 a.m. · 21 views

Airtable.js misconfiguration vulnerability

Airtable.js is Airtable's open source JavaScript client. It provides a simple way to access the data. A misconfiguration vulnerability exists in Airtable.js versions prior to 0.11.6 that stems from a misconfiguration in a script that binds environment variables to the build target of a...

CVSS 7.6 · AI score 6.3 · EPSS 0.00196
Exploits 0 · References 1
Prion
added 2022/11/29 11:15 p.m. · 15 views

Design/Logic Flaw

Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and...

CVSS 4.3 · AI score 6.3 · EPSS 0.00196
Exploits 0 · References 3 · Affected Software 1
Hacker One
added 2022/11/28 3:59 a.m. · 25 views

Ian Dunn: Double evaluation in .bash_prompt of dotfiles allows a malicious repository to execute arbitrary commands

Summary: Due to the improper usage of the PS1 environment variable in .bash_prompt of dotfiles, a malicious repository can execute arbitrary commands when the current directory is changed to it. Description: The PS1 environment variable of bash supports command substitutions. For example, setting PS1 t...

AI score 1.3
Exploits 0
Prion
added 2022/11/23 8:15 p.m. · 27 views

Information disclosure

pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which...

CVSS 1.7 · AI score 5.3 · EPSS 0.00082
Exploits 1 · References 4 · Affected Software 2
OSV
added 2022/11/23 12:00 a.m. · 58 views

CVE-2022-41946 TemporaryFolder on unix-like systems does not limit access to created files in pgjdbc

pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which...

CVSS 4.7 · AI score 5.6 · EPSS 0.00082
Exploits 1 · References 8
Github Security Blog
added 2022/11/21 11:59 p.m. · 24 views

Reflected XSS in querystring parameters

An attacker could inject an XSS payload in a Silverstripe CMS response by carefully crafting a return URL on a /dev/build or /Security/login request. To exploit this vulnerability, an attacker would need to convince a user to follow a link with a malicious payload. This will only affect projects...

CVSS 6.1 · AI score 5.7 · EPSS 0.00839
Exploits 0 · References 7 · Affected Software 1
Tenable Nessus
added 2022/11/19 12:00 a.m. · 35 views

SUSE SLED15 / SLES15 Security Update : go1.18 (SUSE-SU-2022:4055-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2022:4055-1 advisory. - Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In...

CVSS 7.5 · AI score 7 · EPSS 0.00013
Exploits 0 · References 5
OSV
added 2022/11/17 2:37 p.m. · 7 views

SUSE-SU-2022:4054-1 Security update for go1.19

This update for go1.19 fixes the following issues: Update to go 1.19.3 (released 2022-11-01) (bsc#1200441): Security fixes: - CVE-2022-41716: Fixed unsanitized NUL in environment variables in syscalls, os/exec (go#56327) (bsc#1204941). Bugfixes: - runtime: 'lock count' fatal error when cgo is enabled (go#56308)...

CVSS 7.5 · AI score 7.7 · EPSS 0.00013
Exploits 0 · References 4
OSV
added 2022/11/02 6:15 p.m. · 24 views

GHSA-FPPQ-MJ76-FPJ2 fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

Impact: A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object...

CVSS 3.1 · AI score 7.6 · EPSS 0.06003
Exploits 0 · References 6
Prion
added 2022/11/02 5:15 p.m. · 20 views

Code injection

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVSS 3.3 · AI score 5 · EPSS 0.00309
Exploits 0 · References 1 · Affected Software 1
UbuntuCve
added 2022/11/02 4:15 p.m. · 32 views

CVE-2022-41716

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavi...

CVSS 7.5 · AI score 6.7 · EPSS 0.00013
Exploits 0 · References 4
Prion
added 2022/11/02 4:15 p.m. · 29 views

Code injection

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavi...

CVSS 5 · AI score 7.3 · EPSS 0.00013
Exploits 0 · References 4 · Affected Software 1
OSV
added 2022/11/02 1:15 p.m. · 2 views

AZL-11396 CVE-2022-39379 affecting package rubygem-fluentd for versions less than 1.14.6-2

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads...

CVSS 9.8 · AI score 8.3 · EPSS 0.06003
Exploits 0 · References 1
Cvelist
added 2022/11/02 12:00 a.m. · 13 views

CVE-2022-39379 Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads...

CVSS 3.1 · AI score 10 · EPSS 0.06003
Exploits 0 · References 3
OSV
added 2022/11/02 12:00 a.m. · 14 views

CVE-2022-39379 Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads...

CVSS 3.1 · AI score 9.3 · EPSS 0.06003
Exploits 0 · References 5
Vulnrichment
added 2022/11/02 12:00 a.m. · 4 views

CVE-2022-39379 Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads...

CVSS 3.1 · AI score 9.8 · EPSS 0.06003
Exploits 0 · References 3
Positive Technologies
added 2022/11/02 12:00 a.m. · 1 views

PT-2022-24940 · Fluentd · Fluentd

Name of the Vulnerable Software and Affected Versions: Fluentd versions 1.13.2 through 1.15.2 Description: A remote code execution vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. This issue...

CVSS 9.8 · AI score 9.3 · EPSS 0.06003
Exploits 0 · References 11
RubySec
added 2022/11/02 12:00 a.m. · 24 views

fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

Impact: A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object...

CVSS 9.8 · AI score 5.6 · EPSS 0.06003
Exploits 0 · References 1 · Affected Software 1
OSV
added 2022/11/02 12:00 a.m. · 24 views

CVE-2022-39241 Possible Server-Side Request Forgery (SSRF) in webhooks

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVSS 7.6 · AI score 4.9 · EPSS 0.00309
Exploits 0 · References 3