MAL-2022-7351 Malicious code in yhps (npm)
Source: ghsa-malware 318bee0ce2d48822bd65011c120d5d4572bc064eeb3a8c013bda1eaf6ff7bbc1. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in idnnnms-widget-auth-service (npm)
Source: ghsa-malware c2d88993f3efd7188328e5518c6b2c91a51f857df272820e8a2c4fced28c1fcc. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in datadog-serverless-macro (npm)
Source: ghsa-malware ba2ee7b3443a0229199bf0f65989cd56d3cc784e7f184562cd9a3d74c8501f4e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in maps-theme (npm)
Source: ghsa-malware 77941a159908349eb82d90ae8105f74c66d5bfaeb4879e9e0f96bffcdd1b4b9b. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in zlpypfaaisdmzcc (npm)
Source: ghsa-malware 3a9c44cbfb71d11359d53e52f5a6e5c124d8844c95b07a08339fb2facbe577e6. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
UBUNTU-CVE-2014-125005
A vulnerability, which was classified as problematic, was found in FFmpeg 2.0. This affects the function decode_vol_header of the file libavcodec/mpeg4videodec.c. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix...
UBUNTU-CVE-2014-125002
A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is the function dnxhd_init_rc of the file libavcodec/dnxhdenc.c. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue...
UBUNTU-CVE-2014-125015
A vulnerability classified as critical has been found in FFmpeg 2.0. Affected is the function read_var_block_data. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue...
UBUNTU-CVE-2014-125012
A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is an unknown function of the file libavcodec/dxtory.c. The manipulation leads to an integer coercion error. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue...
PT-2022-3231 · Unknown · Edgexfoundry
Name of the Vulnerable Software and Affected Versions: EdgeXFoundry versions prior to 2.1.1 Description: The /api/v2/config endpoint exposes message bus credentials to local unauthenticated users, bypassing access controls on message bus credentials when running in security-enabled mode. This...
Malicious code in ptmproc (npm)
Source: ghsa-malware 1cabaacc4115ee94b13ad9119f1cfe48993495c7c68966977d13b123749035a7. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2022-31051 Exposure of Sensitive Information to an Unauthorized Actor in semantic-release
semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI...
CVE-2022-29227 Use after free in Envoy
Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local...
CVE-2022-29226 Trivial authentication bypass in Envoy
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current...
CVE-2022-29225 Zip bomb vulnerability in Envoy
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed...
CVE-2022-31038 XSS vulnerability in repository issue list in Gogs
Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 DisplayName does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes DisplayName...
CVE-2022-31027 Authorization Bypass Through User-Controlled Key when using CILogonOAuthenticator in oauthenticator
OAuthenticator is an OAuth token library for the JupyterHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowed_idps...
GHSA-929W-Q433-4H9X Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes. Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary...
CVE-2022-24831 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in OpenClinica
OpenClinica is an open source software for Electronic Data Capture EDC and Clinical Data Management CDM. Versions prior to 3.16.1 are vulnerable to SQL injection due to the use of string concatenation to create SQL queries instead of prepared statements. No known workarounds exist. This issue has...
CVE-2022-1766
Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials. anchorectl will add the credentials used to access Anchore Enterprise API in the Software Bill of Materials SBOM generated by anchorectl. Users of anchorectl version 0.1.4 shoul...