@nodosjs/view-extension (=0.0.43) potentially affected by CVE-2021-29624 via fastify-csrf (=2.0.0)
fastify-csrf NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on fastify-csrf and may be impacted: - @nodosjs/view-extension =0.0.43 Source cves: CVE-2021-29624 Source advisory: OSV:GHSA-RC4Q-9M69-GQP8...
Lack of protection against cookie tossing attacks in fastify-csrf
Impact: Users of fastify-csrf that use the "double submit" mechanism with cookies in an application deployed across multiple subdomains, e.g. a "heroku"-style platform as a service, are affected. Patches: Version 3.1.0 of fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and...
PT-2021-18374 · Unknown · Fastify-Csrf
Name of the Vulnerable Software and Affected Versions: fastify-csrf versions prior to 3.1.0 Description: The issue affects applications using the fastify-csrf plugin with the "double submit" mechanism, particularly those deployed across multiple subdomains. To fully implement protection, users of...
@keep2zero/light (>=0.0.1 <=0.0.10), @logique/fastify-adapter (>=0.0.1 <=0.0.3-alpha.4) +9 more potentially affected by CVE-2020-8136 via fastify-multipart (>=0.2.0 <=0.8.2)
fastify-multipart NPM version =0.2.0, =0.0.1, =0.0.1, =0.0.1, =0.0.10, =1.0.20, =4.1.0, =9.0.0, =0.1.0, =5.4.1, =5.4.10 - nestjs-test =5.4.1 Source cves: CVE-2020-8136 Source advisory: OSV:GHSA-P9F8-GQJF-M75J...
Uncontrolled Resource Consumption in fastify-multipart
Prototype pollution vulnerability in fastify-multipart 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request...
Important: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.2.2 security and bug fix update
Red Hat Advanced Cluster Management for Kubernetes 2.2.2 General Availability release images, which fix several bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a...
CVE-2021-21321
A flaw was found in fastify-reply-from. Escaping of the prefix of the proxied backend service is possible allowing an attacker, using a specially crafted URL, to gain access to directories that would otherwise be out of bounds. The highest threat from this vulnerability is to data confidentiality...
CVE-2021-21322
A flaw was found in fastify-http-proxy. Escaping the prefix of the proxied backend service is possible by an attacker using a specially crafted URL. The highest threat from this vulnerability is to data confidentiality and integrity...
Authorization Bypass
fastify-reply-from is vulnerable to authorization bypass. An attacker is able to escape the prefix of the proxied backend service and access restricted services such as the parent of the base URL...
Authorization Bypass
fastify-http-proxy is vulnerable to authorization bypass. An attacker is able to escape the prefix of the proxied backend service and access restricted services such as the parent of the base URL...
Prefix escape
Overview: In fastify-http-proxy before version 4.3.1, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is /pub/, a user expects that accessing /priv on the target service would not be possible. Unfortunately, it is...
@ddot/ddot-plugin-webpack (>=0.0.3 <=0.0.14), @harmonyjs/controller-auth-jwt (>=1.0.0 <=1.0.0-rc2.6) +8 more potentially affected by CVE-2021-21322 via fastify-http-proxy (>=0.7.0 <=4.1.0)
fastify-http-proxy NPM version =0.7.0, =0.0.3, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.0-alpha.2, =0.2.0, =1.1.0, =1.5.5 Source cves: CVE-2021-21322 Source advisory: OSV:GHSA-C4QR-GMR9-V23W...
Prefix escape
Overview: In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is /pub/, a user expects that accessing /priv on the target service would not be possible. Unfortunately, it is...
@ddot/ddot-plugin-webpack (>=0.0.3 <=0.0.14), @harmonyjs/controller-auth-jwt (>=1.0.0 <=1.0.0-rc2.6) +15 more potentially affected by CVE-2021-21321 via fastify-reply-from (>=0.1.0 <=3.5.0)
fastify-reply-from NPM version =0.1.0, =0.0.3, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.0-alpha.2, =1.0.1, =0.1.0, =0.1.0, =2.0.0, =0.2.0, =0.0.1, =0.0.6 and more Source cves: CVE-2021-21321 Source advisory: OSV:GHSA-QMW8-3V4G-GWJ4...
Prefix escape
Impact: By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is /pub/, a user expects that accessing /priv on the target service would not be possible. Unfortunately, it is. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N...
CVE-2021-21321
fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server i...
CVE-2021-21322
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is /pub/, a user expects that accessin...