
OSV, added 2022/05/24 5:45 p.m., 0 views

GHSA-XV69-6RF3-W5G2 Missing permission check in Jenkins Cloud Statistics Plugin

Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages. Jenkins Cloud Statistics Plugin 0.27 requires...

CVSS 4.3, AI score 5.9, EPSS 0.00031
Exploits 0, References 5
Github Security Blog, added 2022/05/24 5:00 p.m., 30 views

Missing Initialization of Resource in Apache Arrow

While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered that Apache Arrow versions 0.12.0 to 0.14.1 left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory...

CVSS 7.5, AI score 2.7, EPSS 0.05281
Exploits 0, References 7, Affected Software 2
NVD, added 2022/05/24 3:15 p.m., 9 views

CVE-2022-29219

Lodestar is a TypeScript implementation of the Ethereum Consensus specification. Prior to version 0.36.0, there is a possible consensus split given a maliciously-crafted AttesterSlashing or ProposerSlashing being included on-chain. Because the developers represent uint64 values as native JavaScript...

CVSS 7.5, EPSS 0.0042
Exploits 0, References 3
Prion, added 2022/05/24 3:15 p.m., 17 views

Code injection

Lodestar is a TypeScript implementation of the Ethereum Consensus specification. Prior to version 0.36.0, there is a possible consensus split given a maliciously-crafted AttesterSlashing or ProposerSlashing being included on-chain. Because the developers represent uint64 values as native JavaScript...

CVSS 5, AI score 7.5, EPSS 0.0042
Exploits 0, References 3, Affected Software 1
OSV, added 2022/05/24 2:15 p.m., 17 views

CVE-2022-29219 Integer Overflow in Lodestar

Lodestar is a TypeScript implementation of the Ethereum Consensus specification. Prior to version 0.36.0, there is a possible consensus split given a maliciously-crafted AttesterSlashing or ProposerSlashing being included on-chain. Because the developers represent uint64 values as native JavaScript...

CVSS 7.5, AI score 7.4, EPSS 0.0042
Exploits 0, References 5
CVE, added 2022/05/24 2:15 p.m., 90 views

CVE-2022-29219

Lodestar (TypeScript Ethereum Consensus) before v0.36.0 is vulnerable due to using native JavaScript numbers for uint64 values in AttesterSlashing/ProposerSlashing, causing rounding errors for large values (>2^53). This can yield consensus splits or valid Slashing being treated as invalid, pot...

CVSS 7.5, AI score 7.4, EPSS 0.0042
Exploits 0, References 3, Affected Software 1
NVD, added 2022/05/24 1:15 p.m., 13 views

CVE-2022-1848

Business Logic Errors in GitHub repository erudika/para prior to 1.45.11...

CVSS 9, EPSS 0.00363
Exploits 1, References 2
ATTACKERKB, added 2022/05/24 1:15 p.m., 3 views

CVE-2022-1848

Business Logic Errors in GitHub repository erudika/para prior to 1.45.11...

CVSS 9, AI score 6.8, EPSS 0.00363
Exploits 1, References 3
Prion, added 2022/05/24 1:15 p.m., 18 views

Code injection

Business Logic Errors in GitHub repository erudika/para prior to 1.45.11...

CVSS 4.3, AI score 5.3, EPSS 0.00363
Exploits 1, References 2, Affected Software 1
Cvelist, added 2022/05/24 10:40 a.m., 13 views

CVE-2022-1848 Business Logic Errors in erudika/para

Business Logic Errors in GitHub repository erudika/para prior to 1.45.11...

CVSS 9, AI score 5.6, EPSS 0.00363
Exploits 1, References 2
CVE, added 2022/05/24 10:40 a.m., 92 views

CVE-2022-1848

CVE-2022-1848 affects the Erudika Para project prior to version 1.45.11. Multiple connected sources describe a business logic error, including a race condition in com.erudika:para-core (validateObject) that can allow a user to abuse account/app-related logic. This is documented across sources (Gi...

CVSS 9, AI score 5.6, EPSS 0.00363
Exploits 1, References 2, Affected Software 1
OSV, added 2022/05/24 10:40 a.m., 17 views

CVE-2022-1848 Business Logic Errors in erudika/para

Business Logic Errors in GitHub repository erudika/para prior to 1.45.11...

CVSS 9, AI score 7.5, EPSS 0.00363
Exploits 1, References 4
RubySec, added 2022/05/24 12:00 a.m., 19 views

Missing Initialization of Resource in Apache Arrow

While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered that Apache Arrow versions 0.12.0 to 0.14.1 left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory...

CVSS 7.5, AI score 2.7, EPSS 0.05281
Exploits 0, References 1, Affected Software 1
OSV, added 2022/05/23 11:15 p.m., 41 views

GHSA-XH29-R2W5-WX8M Nokogiri Improperly Handles Unexpected Data Type

Summary: Nokogiri < 1.13.6. JRuby users are not affected. Workarounds: to avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling `to_s` or equivalent. Credit: this vulnerability was responsibly reported by @agustingianni and the GitHub Security Lab...

CVSS 8.2, AI score 7.9, EPSS 0.04183
Exploits 1, References 11
CNVD, added 2022/05/23 12:00 a.m., 19 views

Google TensorFlow Input Validation Error Vulnerability (CNVD-2022-44177)

Google TensorFlow is a suite of end-to-end open source platforms for machine learning from Google USA. An input validation error vulnerability exists in Google TensorFlow versions prior to 2.9.0, prior to 2.8.1, prior to 2.7.2, and prior to 2.6.4, which stems from the fact that...

CVSS 5.5, AI score 6.8, EPSS 0.0005
Exploits 1, References 1
BDU FSTEC, added 2022/05/23 12:00 a.m., 2 views

The vulnerability of the Array method in Mozilla Firefox and Mozilla Firefox ESR browsers, as well as the Thunderbird email client, allows a malicious actor to execute arbitrary JavaScript code in a privileged context.

The vulnerability of the Array method in Mozilla Firefox and Mozilla Firefox ESR browsers, as well as the Thunderbird email client, is related to errors during code generation. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code in a privileged context...

CVSS 10, AI score 8.2, EPSS 0.67932
Exploits 0, References 18, Affected Software 14
BDU FSTEC, added 2022/05/23 12:00 a.m., 1 view

The vulnerability in the JavaScript object indexing mechanism of Mozilla Firefox, Mozilla Firefox ESR, and the email client Thunderbird allows a malicious actor to execute arbitrary JavaScript code.

The vulnerability of the JavaScript object indexing mechanism in Mozilla Firefox, Mozilla Firefox ESR, and the email client Thunderbird is related to errors in processing input data. Exploiting this vulnerability allows a remote attacker to execute arbitrary JavaScript code...

CVSS 10, AI score 8, EPSS 0.04295
Exploits 0, References 16, Affected Software 14
OSV, added 2022/05/22 11:26 a.m., 7 views

MGASA-2022-0200 Updated ruby-nokogiri packages fix security vulnerability

Nokogiri did not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a...

CVSS 8.2, AI score 8, EPSS 0.04183
Exploits 1, References 4
Citrix, added 2022/05/21 12:00 a.m., 4 views

Fslogix Roaming Profile Failing To Load On Windows 10 AWS Hosted VDA

FSLogix roaming profile failing to load on Windows 10 AWS hosted VDA. The issue was reproducible in an RDP session as well. The errors below were logged in the event logs: Operation: FSLogixLogonPROFILE, SessionId: 3, ErrorCode: 1168, Detail: Logon failed, Please check logs and tracelogging and verify that...

AI score 7
Exploits 0
NVD, added 2022/05/20 7:15 p.m., 12 views

CVE-2022-29181

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6...

CVSS 8.2, EPSS 0.04183
Exploits 1, References 9