
1277 matches found

CNNVD
added 2024/09/10 12:0 a.m. · 4 views

Yeti Platform Security Vulnerability

Yeti Platform is a daily threat intelligence platform open-sourced by Yeti Platform. A security vulnerability exists in Yeti Platform versions prior to 2.1.11, which stems from a denial-of-service attack in which remote user-controlled data tags can be Unicode normalized via the compatibility for...

CVSS 7.5 · AI score 6.6 · EPSS 0.00938
Exploits 1 · References 4
Positive Technologies
added 2024/09/10 12:0 a.m. · 3 views

PT-2024-31615 · Yeti · Yeti

Name of the Vulnerable Software and Affected Versions: Yeti versions prior to 2.1.11 Description: The issue concerns a denial of service vulnerability. Remote user-controlled data tags can lead to Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in...

CVSS 7.5 · AI score 7.4 · EPSS 0.00938
Exploits 1 · References 7
RedHat Linux
added 2024/08/26 11:5 a.m. · 1 views

undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass

A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass...

CVSS 8.1 · AI score 5.7 · EPSS 0.00463
Exploits 0 · References 4
OSV
added 2024/08/23 11:8 a.m. · 1 views

OESA-2024-2043 python-webob security update

WebOb provides wrappers around the WSGI request environment, and an object to help create WSGI responses. The objects map much of the specified behavior of HTTP, including header parsing and accessors for other standard parts of the environment. Security Fixes: WebOb provides objects for HTTP...

CVSS 6.1 · AI score 6.9 · EPSS 0.00263
Exploits 1 · References 2
OSV
added 2024/08/21 2:30 p.m. · 6 views

GO-2023-2426 ewen-lbh/ffcss Late-Unicode normalization vulnerability in github.com/ewen-lbh/ffcss

ewen-lbh/ffcss Late-Unicode normalization vulnerability in github.com/ewen-lbh/ffcss...

CVSS 5.3 · AI score 5.2 · EPSS 0.00131
Exploits 1 · References 3
RedhatCVE
added 2024/08/16 12:12 a.m. · 9 views

CVE-2024-42353

A vulnerability was found in the WebOb package. WebOb normalizes the HTTP Location header using urlparse and urljoin. If the URL starts with //, urlparse treats the following part as the hostname, and replaces the original request's hostname. This issue, combined with user interaction, may become...

CVSS 6.1 · AI score 5.9 · EPSS 0.00263
Exploits 1 · References 6
OSV
added 2024/08/14 9:15 p.m. · 1 views

PYSEC-2024-188

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. urlparse however treats a // at the...

CVSS 6.1 · AI score 5.9 · EPSS 0.00263
Exploits 1 · References 2
OSV
added 2024/08/14 8:12 p.m. · 14 views

CVE-2024-42353 WebOb's location header normalization during redirect leads to open redirect

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. urlparse however treats a // at the...

CVSS 6.1 · AI score 6.1 · EPSS 0.00263
Exploits 1 · References 4
OSV
added 2024/07/11 11:54 a.m. · 5 views

USN-6891-1 python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities

It was discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 18.04 LTS. CVE-2015-20107 It was discovered that Python incorrectly used regular expressions vulnerable to...

CVSS 9.8 · AI score 7.2 · EPSS 0.0991
Exploits 27 · References 42
Veracode
added 2024/07/02 5:50 a.m. · 11 views

Path Traversal

Weblate is vulnerable to Path Traversal. The vulnerability is caused due to a lack of proper normalization and validation of filenames when restoring project backups. This could allow an attacker to use a crafted ZIP file containing arbitrary paths to gain unauthorized access to files on the serv...

CVSS 5.4 · AI score 7 · EPSS 0.00436
Exploits 0 · References 3 · Affected Software 1
Microsoft CVE
added 2024/06/30 2:0 p.m. · 2 views

Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to filesystem permission model bypass through a path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued the permission model is an experimental feature of Node.js.

...

CVSS 8.8 · AI score 7 · EPSS 0.00235
Exploits 0
Positive Technologies
added 2024/06/19 12:0 a.m. · 2 views

PT-2024-26903 · Unknown · Reposilite

Name of the Vulnerable Software and Affected Versions: Reposilite versions 3.5.10 through 3.5.11 Description: The issue is related to an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files. This occurs because the GET /javadoc/repository//raw/ route uses the...

CVSS 8.8 · AI score 9.4 · EPSS 0.74649
Exploits 1 · References 10
RedHat Linux
added 2024/06/13 11:2 a.m. · 1 views

webpack-dev-middleware: lack of URL validation may lead to file leak

A flaw was found in the webpack-dev-middleware package, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer's machine. The lack of normalization before calling...

CVSS 7.5 · AI score 7.2 · EPSS 0.03394
Exploits 1 · References 5
OSV
added 2024/06/03 3:16 p.m. · 9 views

CVE-2024-32983 Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities

Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the author...

CVSS 8.2 · AI score 6.8 · EPSS 0.0028
Exploits 1 · References 4
Github Security Blog
added 2024/05/14 8:13 p.m. · 19 views

Oceanic allows unsanitized user input to lead to path traversal in URLs

Impact Input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/id being normalized into the url /api/v10/channels/id, and deleting a channel rather than removing a ban. Workarounds Sanitizing user input, ensuring...

CVSS 6.5 · AI score 6.5 · EPSS 0.00233
Exploits 0 · References 4 · Affected Software 1
CVE
added 2024/05/14 2:32 p.m. · 69 views

CVE-2024-34712

Oceanic (NodeJS) vulnerability CVE-2024-34712 affects versions prior to 1.10.4. Input to functions like Client.rest.channels.removeBan is not URL-encoded, allowing crafted input such as ../../../channels/{id} to be normalized into /api/v10/channels/{id}, potentially causing unintended channel act...

CVSS 6.5 · AI score 6.6 · EPSS 0.00233
Exploits 0 · References 2
Fedora
added 2024/05/11 1:32 a.m. · 21 views

[SECURITY] Fedora 40 Update: php-wikimedia-utfnormal-4.0.0-1.fc40

utfnormal is a library that contains unicode normalization functions. It was split out of MediaWiki core during the 1.25 development cycle...

CVSS 9.8 · AI score 7.2 · EPSS 0.00442
Exploits 6
Github Security Blog
added 2024/05/09 3:13 p.m. · 50 views

Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service

Important: Exploiting this vulnerability requires the attacker to have access to your Frigate instance, which means they could also just delete all of your recordings or perform any other action. If you have configured authentication in front of Frigate via a reverse proxy, then this vulnerabilit...

CVSS 6.8 · AI score 7.1 · EPSS 0.00124
Exploits 0 · References 10 · Affected Software 1
Positive Technologies
added 2024/05/09 12:0 a.m. · 3 views

PT-2024-24930 · Frigate · Frigate

Name of the Vulnerable Software and Affected Versions: Frigate versions prior to 0.13.2 Description: The issue arises from the lack of limitation on the length of filenames and the costly use of Unicode normalization with the form NFKD under the hood of the secure filename function. This can lead...

CVSS 9.3 · AI score 7.2 · EPSS 0.00124
Exploits 0 · References 12
Veracode
added 2024/05/07 7:40 a.m. · 15 views

HTML Injection

html-sanitizer is vulnerable to HTML injection. The vulnerability is due to improper handling of unicode normalization, which results in certain unicode characters normalizing to chevrons enabling specially crafted HTML to evade sanitization...

CVSS 6.1 · AI score 6.9 · EPSS 0.00311
Exploits 0 · References 3 · Affected Software 1