103 matches found
Input validation
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with Amazon Simple Email...
CVE-2023-39951 Instrumentation for AWS SDK v2 captures email content when using Amazon Simple Email Service (SES) v1 API, exposing that content to the telemetry backend
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with Amazon Simple Email...
CVE-2023-39951
CVE-2023-39951 affects OpenTelemetry Java Instrumentation prior to 1.28.0. When instrumenting AWS SDK v2 calls to SES v1, the request query parameters are inserted into the trace url.path, causing the HTTP body (subject and message) to be exposed in telemetry backends. This information disclosure...
CVE-2023-39951 Instrumentation for AWS SDK v2 captures email content when using Amazon Simple Email Service (SES) v1 API, exposing that content to the telemetry backend
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with Amazon Simple Email...
CVE-2023-39951 Instrumentation for AWS SDK v2 captures email content when using Amazon Simple Email Service (SES) v1 API, exposing that content to the telemetry backend
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with Amazon Simple Email...
MAL-2023-1118 Malicious code in aws-sdk-js-v3 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis e64c49f08b91cb456113ae44bbd8efc8280a1c79aa45ca1bd0f019c4af6ad873 The OpenSSF Package Analysis project identified 'aws-sdk-js-v3' @ 1.3.7 npm as malicious. It is considered malicious because: - The package...
Security Bulletin: IBM Storage Protect server is vulnerable to a file system access attack due to AWS SDK for Java (CVE-2022-31159)
Summary The AWS SDK for Java is used by IBM Storage Protect server as part of its AWS cloud support. Vulnerability Details CVEID:CVE-2022-31159 DESCRIPTION: AWS SDK for Java could allow a remote authenticated attacker to traverse directories on the system, caused by a flaw in the downloadDirector...
Cross-Site Scripting (XSS)
github.com/pydio/cells is vulnerable to Cross-Site Scripting XSS attacks. The Amazon AWS SDK for JavaScript is used to create presigned URLs for Pydio Cells. It is feasible to create valid signatures for any download URLs since the secrets required to sign these URLs are hardcoded and made...
Security Bulletin: There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management (CVE-2022-31159)
Summary There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management. This only affects systems configured to store attachments in a Simple Storage Service S3 cloud object storage. Vulnerability Details CVEID:CVE-2022-31159 DESCRIPTION: AWS SDK for Java could allow a remo...
CVE-2023-32751
Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript 1. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it i...
Cross site scripting
Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript 1. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it i...
CVE-2023-32751
Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript 1. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it i...
CVE-2023-32751
Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript 1. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it i...
@aws-amplify/geo (>=2.0.13-push-notification-dryrun.43 <=2.0.35-unstable.15353e0.2), @aws-amplify/interactions (>=5.0.13-push-notification-dryrun.43 <=5.1.1-unstable.15353e0.2) +98 more potentially affected by CVE-2023-34104 via fast-xml-parser (>=4.1.3 <=4.2.3)
fast-xml-parser NPM version =4.1.3, =2.0.13-push-notification-dryrun.43, =5.0.13-push-notification-dryrun.43, =1.0.13-push-notification-dryrun.43, =5.0.13-push-notification-dryrun.43, =5.1.3-push-notification-dryrun.43, =1.1.6-exodus.1, =6.2.44, =9.1.0, =9.1.0, =9.53.0 and more Source cves:...
Pydio Cells 4.1.2 Cross Site Scripting
Advisory: Pydio Cells: Cross-Site Scripting via File Download Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript 1. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web...
Security Bulletin: There is a vulnerability in AWS SDK for Java used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31159)
Summary There is a vulnerability in AWS SDK for Java used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2022-31159 DESCRIPTION: AWS SDK for Java could allow a remote authenticated attacker to traverse directories on the system, caused by a flaw ...
Security Bulletin: IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159)
Summary IBM Security Guardium has fixed this vulnerability. Instructions for obtaining the fix are below. Vulnerability Details CVEID:CVE-2022-31159 DESCRIPTION: AWS SDK for Java could allow a remote authenticated attacker to traverse directories on the system, caused by a flaw in the...
AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending
The awssigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, SigningParams is printed, thereby revealing those credentials to...
CVE-2023-30610
aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The awssigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is...
CVE-2023-30610 AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending
aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The awssigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is...