7819 matches found

CNNVD
added 2022/08/19 12:0 a.m. · 4 views

Octopus Deploy information disclosure vulnerability

Octopus Deploy, from Octopus Deploy (Australia), is an automation tool for deploying .NET, Java and other applications. An information disclosure vulnerability exists in Octopus Deploy that stems from the exposure of sensitive variables...

CVSS 5.3 · AI score 5.7 · EPSS 0.00455
Exploits 0 · References 2
Positive Technologies
added 2022/08/19 12:0 a.m. · 7 views

PT-2022-14180 · Unknown · Octopus Deploy

Name of the Vulnerable Software and Affected Versions: Octopus Deploy (affected versions not specified). Description: The issue allows sensitive variables to be unmasked by utilizing the variable preview feature in affected versions of the software. Recommendations: At the moment, there is no...

CVSS 5.3 · AI score 5.1 · EPSS 0.00455
Exploits 0 · References 5
CNNVD
added 2022/08/19 12:0 a.m. · 3 views

Red Hat Enterprise Linux information disclosure vulnerability

Red Hat Enterprise Linux is a Linux operating system from Red Hat, Inc. for enterprise users. A security vulnerability exists in Red Hat Enterprise Linux 7 that stems from the inclusion of an incorrect version of podman, which could allow an attacker to access sensitive information stored in...

CVSS 5.3 · AI score 5.7 · EPSS 0.00406
Exploits 0 · References 9
Github Security Blog
added 2022/08/18 7:1 p.m. · 36 views

@actions/core has Delimiter Injection Vulnerability in exportVariable

Impact: The core.exportVariable function uses a well-known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be...

CVSS 5 · AI score 5.4 · EPSS 0.00559
Exploits 0 · References 4 · Affected software 1
CNNVD
added 2022/08/18 12:0 a.m. · 6 views

Qualys Cloud Agent log information disclosure vulnerability

Qualys Cloud Agent is a lightweight application from Qualys USA, Inc.: a single agent for real-time, global visibility and response. A log message disclosure vulnerability exists in Qualys Cloud Agent version 4.8.0-49 that originates from accidentally writing credentials from environment variables...

CVSS 5.5 · AI score 6.4 · EPSS 0.00369
Exploits 0 · References 6
GitLab Advisory Database
added 2022/08/18 12:0 a.m. · 39 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...

CVSS 5 · AI score 5.4 · EPSS 0.00559
Exploits 0 · References 4 · Affected software 1
Trend Micro Simply Security
added 2022/08/17 12:0 a.m. · 14 views

Analyzing the Hidden Danger of Environment Variables for Keeping Secrets

While DevOps practitioners use environment variables to regularly keep secrets in applications, these could be conveniently abused by cybercriminals for their malicious activities, as our analysis shows...

AI score 4.5
Exploits 0
Prion
added 2022/08/15 11:21 a.m. · 53 views

Design/Logic Flaw

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...

CVSS 4 · AI score 5.2 · EPSS 0.00559
Exploits 0 · References 2 · Affected software 1
Code423n4
added 2022/08/15 12:0 a.m. · 9 views

[H1] Some admins functions are unusable because of misuse of variables in upgradeable contracts

Lines of code. Vulnerability details. Impact: Admin functions in NFTCollectionFactor.sol are unusable through a proxy. Proof of Concept: Upgradeable contracts can use neither constructors nor immutable variables. The reason for that is they work behind a proxy which calls them using...

AI score 6.8
Exploits 0
Vulnrichment
added 2022/08/13 11:40 p.m. · 6 views

CVE-2022-35954 Delimiter injection vulnerability in @actions/core exportVariable

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...

CVSS 5 · AI score 5.3 · EPSS 0.00559
Exploits 0 · References 2
Hacker One
added 2022/08/13 7:59 a.m. · 17 views

Monero: Reentrancy attack in eth-monero atomic swap

A reentrancy vulnerability was found in the eth-xmr atomic swap smart contract, allowing an attacker to drain almost all of the ethers from the smart contract. The vulnerability was fixed in a later version of the smart contract...

AI score 6.9
Exploits 0
Positive Technologies
added 2022/08/13 12:0 a.m. · 2 views

PT-2022-23055 · Github · @Actions/Core

Name of the Vulnerable Software and Affected Versions: @actions/core versions prior to v1.9.1. Description: The core.exportVariable function uses a well-known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that writ...

CVSS 5 · AI score 5 · EPSS 0.00559
Exploits 0 · References 8
Ubuntu
added 2022/08/08 6:30 a.m. · 601 views

USN-5182-1: Roundcube Webmail vulnerabilities

It was discovered that Roundcube Webmail allowed JavaScript code to be present in the CDATA of an HTML message. A remote attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM...

CVSS 9.8 · AI score 7.9 · EPSS 0.84456
Exploits 7
Code423n4
added 2022/08/07 12:0 a.m. · 4 views

[H1] MIMOProxy can be PWNED by malicious delegate call

Lines of code. Vulnerability details. Impact: PRBProxy owner-change protection can be bypassed / DoS. PoC: PRBProxy has a protection to prevent a malicious delegatecall from overwriting the owner. function execute(address target, bytes calldata data) public payable override returns (bytes memory response) ... ... //...

AI score 6.9
Exploits 0
ATTACKERKB
added 2022/08/05 4:15 p.m. · 5 views

CVE-2022-33716

An absence of variable initialization in ICCC TA prior to SMR Aug-2022 Release 1 allows a local attacker to read uninitialized memory...

CVSS 4.4 · AI score 5.8 · EPSS 0.00091
Exploits 0 · References 2
Positive Technologies
added 2022/08/04 12:0 a.m. · 3 views

PT-2022-17922 · Git +2 · Planka +1

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: This issue allows an attacker to read sensitive files, including configuration files and the /proc/self/environ file, which contains environment variabl...

CVSS 7.1 · AI score 6.4 · EPSS 0.00785
Exploits 1 · References 5
Spring Security Advisories
added 2022/08/02 7:0 a.m. · 10 views

This Week in Spring - August 1st, 2022

Aloha, Spring fans! Welcome to another installment of This Week in Spring! I'm still on vacation on the beautiful island of Maui, Hawaii, but I wanted to say hello ("aloha!") and share this week's latest roundup of all that's good and glorious in the wide and wonderful world of Springdom. Funny thing,...

AI score 0.3
Exploits 0
CNNVD
added 2022/08/02 12:0 a.m. · 5 views

npm heroku-env command injection vulnerability

npm heroku-env is a package from npm USA. It is used to parse DATABASE_URL from the Heroku configuration and split it into the PG environment variables used by psql, pg_dump, pg_restore and node-postgres. A command injection vulnerability exists in versions of heroku-env prior to 2.0.2, which stems from the...

CVSS 9.8 · AI score 8.3 · EPSS 0.01222
Exploits 1 · References 3
OpenVAS
added 2022/07/31 12:0 a.m. · 11 views

Fedora: Security Advisory for godotenv (FEDORA-2022-5ef0bd9a27)

The remote host is missing an update. (SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only.) if(description)...

AI score 7.5
Exploits 0 · References 2
OpenVAS
added 2022/07/31 12:0 a.m. · 11 views

Fedora: Security Advisory for golang-github-a8m-envsubst (FEDORA-2022-5ef0bd9a27)

The remote host is missing an update. (SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only.) if(description)...

AI score 7.5
Exploits 0 · References 2