R Programming Language implementations are vulnerable to arbitrary code execution during deserialization of .rds and .rdx files

Overview A vulnerability in the R language that allows for arbitrary code to be executed directly after the deserialization of untrusted data has been discovered. This vulnerability can be exploited through RDS R Data Serialization format files and .rdx files. An attacker can create malicious RDS...

RHEL 7 : rh-maven35-jackson-databind (RHSA-2019:4192)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:4192 advisory. The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fixe...

Quarkus: security checks in resteasy reactive may trigger a denial of service

A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any...

GHSA-MV64-86G8-CQQ7 Quarkus: security checks in resteasy reactive may trigger a denial of service

A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any...

CVE-2024-1726

A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any...

CVE-2024-1726 Quarkus: security checks for some inherited endpoints performed after serialization in resteasy reactive may trigger a denial of service

A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any...

CVE-2024-32876

NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have resulted in...

CVE-2024-32876 NewPipe has potential security vulnerability when importing settings

NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have resulted in...

CVE-2024-32876

CVE-2024-32876 concerns NewPipe (Android, Java) backups. In versions 0.13.4–0.26.1, importing a backup from an untrusted source could lead to Arbitrary Code Execution because the app deserializes backups via Java Object Serialization Stream Protocol. Attackers must craft a malicious backup and co...

CVE-2024-32876 NewPipe has potential security vulnerability when importing settings

NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have resulted in...

CVE-2024-32876 NewPipe has potential security vulnerability when importing settings

NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have resulted in...

HTML attributes vs DOM properties

Attributes and properties are fundamentally different things. You can have an attribute and property of the same name set to different values. For example: … const div = document.querySelector'divfoo=bar'; console.logdiv.getAttribute'foo'; // 'bar' console.logdiv.foo; // undefined div.foo = 'hell...

HTML attributes vs DOM properties

Attributes and properties are fundamentally different things. You can have an attribute and property of the same name set to different values. For example: … const div = document.querySelector'divfoo=bar'; console.logdiv.getAttribute'foo'; // 'bar' console.logdiv.foo; // undefined div.foo = 'hell...

[SECURITY] Fedora 40 Update: python-cbor2-5.6.2-1.fc40

This library provides encoding and decoding for the Concise Binary Object Representation CBOR RFC 7049 serialization format...

[SECURITY] Fedora 39 Update: python-cbor2-5.6.2-1.fc39

This library provides encoding and decoding for the Concise Binary Object Representation CBOR RFC 7049 serialization format...

[SECURITY] Fedora 38 Update: python-cbor2-5.6.2-1.fc38

This library provides encoding and decoding for the Concise Binary Object Representation CBOR RFC 7049 serialization format...

Fedora 39 : python-cbor2 (2024-4bbd13d425)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-4bbd13d425 advisory. Update to latest upstream release closes rhbz2261550, closes rhbz2245361 Tenable has extracted the preceding description block directly from the Fedora...

Fedora 38 : python-cbor2 (2024-0c9aaeb447)

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-0c9aaeb447 advisory. Update to latest upstream release closes rhbz2261550, closes rhbz2245361 Tenable has extracted the preceding description block directly from the Fedora...

Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models

Overview Lambda Layers in third party TensorFlow-based Keras models allow attackers to inject arbitrary code into versions built prior to Keras 2.13 that may then unsafely run with the same permissions as the running application. For example, an attacker could use this feature to trojanize a...

CVE-2024-29452

CVE-2024-29452 relates to ROS2 Humble Hawksbill, with insecure deserialization vulnerabilities in ROS2 Humble Hawksbill versions 2 and 3. The issue enables an attacker to execute arbitrary code and obtain sensitive information via crafted input affecting the Data Serialization and Deserialization...