1634 matches found

Cvelist
added 2022/11/14 12:00 a.m., 42 views

CVE-2022-40127 Apache Airflow <2.4.0 has an RCE in a bash example

A vulnerability in the example DAGs of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0...

AI score 9.1, EPSS 0.85653
Exploits: 2, References: 3
Huntr
added 2022/10/27 12:28 p.m., 25 views

Link Preload XSS

Description: Link preloads do not effectively confirm whether the requested link is external; parser differentials can be used to bypass the existing external-URL check. Root cause: payload.client.ts contains the following code on link prefetch (TypeScript): `nuxtApp.hooks.hook('link:prefetch', (url) => { if ...`

CVSS 5.8, AI score 6.2, EPSS 0.00443
Exploits: 0
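The entry above describes a parser differential: the "is this link external?" check reads the href one way, the browser that actually issues the preload reads it another. The following is an added example, not Nuxt's code and not the Huntr report's proof of concept. It assumes (my assumption) that the bypassed check was a string-prefix test, and it models the browser side with two WHATWG URL parser rules I am confident of: a backslash is treated like a slash in http(s) URLs, and `//host/...` is scheme-relative. Python's urllib applies neither rule on its own, which is exactly the differential, so the browser behaviour is modelled by normalising backslashes before resolving against the page origin. The origin and hrefs are constructed for the example.

```python
"""Parser differential in an "is this link external?" check (added example, not Nuxt's code)."""
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://app.example/"  # constructed origin of the page doing the preload


def naive_is_external(url: str) -> bool:
    """Assumed shape of the bypassed check: only hrefs spelling out http(s):// count as external."""
    return url.lower().startswith(("http://", "https://"))


def browser_target_host(url: str, base: str = APP_ORIGIN) -> str:
    """Host the browser would contact for this href (WHATWG-style model, my assumption)."""
    normalised = url.replace("\\", "/")  # WHATWG: '\' acts as '/' in special-scheme URLs
    # urljoin resolves "//host/x" as scheme-relative, as the browser does.
    return urlsplit(urljoin(base, normalised)).hostname or ""


def resolved_is_external(url: str, base: str = APP_ORIGIN) -> bool:
    """Decide on the resolved host rather than on the raw string."""
    return browser_target_host(url, base) != urlsplit(base).hostname


# Constructed hrefs: each begins with a slash or backslash, so a prefix check takes
# them for same-site paths, yet a browser resolves every one of them to evil.example.
BYPASSES = ["//evil.example/x", "/\\evil.example/x", "\\\\evil.example/x"]


def differential(urls=BYPASSES) -> list:
    """hrefs the naive check accepts as internal but the browser would fetch cross-site."""
    return [u for u in urls if not naive_is_external(u) and resolved_is_external(u)]


if __name__ == "__main__":
    for u in BYPASSES + ["/safe/page", "https://app.example/x", "https://evil.example/x"]:
        print(f"{u!r:26} naive={naive_is_external(u)!s:5} resolved={resolved_is_external(u)}")
```

The fix is in `resolved_is_external`: decide on the host the browser will actually contact after resolution, and make the check's parser agree with the browser's on the inputs that differ (here, backslashes and scheme-relative prefixes) rather than trusting a prefix on the raw string.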
vulnersOsv
added 2022/10/26 7:00 p.m., 4 views

org.apache.iotdb:customize-mqtt-example (>=0.13.0 <=0.13.2), org.apache.iotdb:integration (>=0.13.0 <=0.13.2) +5 more potentially affected by CVE-2022-43766 via org.apache.iotdb:iotdb-server (>=0.12.2 <=0.13.2)

org.apache.iotdb:iotdb-server (MAVEN) versions =0.12.2, =0.13.0, =0.13.0, =0.12.2, =0.12.2, =0.12.6, =0.13.0, =0.12.2, =0.13.2. Source CVEs: CVE-2022-43766. Source advisory: OSV:GHSA-G6HG-4V3C-6JQ7...

CVSS 7.5, AI score 7.1, EPSS 0.01341
Exploits: 0
vulnersOsv
added 2022/10/26 7:00 p.m., 4 views

org.apache.iotdb:flink-example (>=0.12.2 <=0.13.2) potentially affected by CVE-2022-43766 via org.apache.iotdb:flink-tsfile-connector (>=0.12.2 <=0.13.2)

org.apache.iotdb:flink-tsfile-connector (MAVEN) versions =0.12.2, =0.12.2, =0.13.2. Source CVEs: CVE-2022-43766. Source advisory: OSV:GHSA-G6HG-4V3C-6JQ7...

CVSS 7.5, AI score 7.1, EPSS 0.01341
Exploits: 0
Snyk
added 2022/10/11 8:18 a.m., 1 view

Malicious Package

Overview: flight-example-app is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, a technique also known as "dependency confusion". Therefore, you're only vulnerable if this packag...

CVSS 9.8, AI score 7.1
Exploits: 0, References: 3
OSSF Malicious Packages
added 2022/10/05 12:26 a.m., 3 views

Malicious code in example-jenkins (npm)

Source: ghsa-malware a3960f0197c9f666fee1632db8f53719968870e24dbef66ebb5fcc024f017300. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
OSSF Malicious Packages
added 2022/10/05 12:26 a.m., 4 views

Malicious code in example-gke-workload-identity-app (npm)

Source: ghsa-malware bf756302a9f2a9488535c736ec75f8361b533b587b93334a3460d149cd2bd128. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
Kitploit
added 2022/10/03 11:30 a.m., 38 views

Java-Remote-Class-Loader - Tool to send Java bytecode to your victims to load and execute using Java ClassLoader together with Reflect API

This tool allows you to send Java bytecode, in the form of class files, to your clients or potential targets, which load and execute it using the Java ClassLoader together with the Reflection API. The client receives the class file from the server and returns the respective execution output. Payloads must be written ...

AI score 7.4
Exploits: 0, References: 3
vulnersOsv
added 2022/09/22 12:00 a.m., 6 views

ai.apiverse:apipulse (=1.0.1), com.contentgrid.spring:contentgrid-spring-boot-starter (>=0.4.2 <=0.6.1) +53 more potentially affected by CVE-2022-31679 via org.springframework.data:spring-data-rest-core (>=3.7.0 <=3.7.2)

org.springframework.data:spring-data-rest-core (MAVEN) versions =3.7.0, =0.4.2, =0.4.2, =0.4.2, =5.12.1, =2.4.0, =2.4.0, =2.4.0, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.1.0; com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example =2.1.6; and more. Source CVEs: CVE-2022-31679...

CVSS 3.7, AI score 6.1, EPSS 0.00455
Exploits: 0
Github Security Blog
added 2022/09/16 8:59 p.m., 21 views

Go-CVSS has Out-of-bounds Read vulnerability in ParseVector function

Impact: When a full CVSS v2.0 vector string is parsed using ParseVector, an out-of-bounds read is possible due to a lack of tests; the Go module will then panic. Patches: The problem is patched in tag v0.4.0, by the commit d9d478ff0c13b8b09ace030db9262f3c2fe031f4. Workarounds: The only way to avoid ...

CVSS 7.5, AI score 7.2, EPSS 0.01168
Exploits: 1, References: 6, Affected software: 1
Snyk
added 2022/09/13 8:13 a.m., 2 views

Malicious Package

Overview: pages-plugins-example is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, a technique also known as "dependency confusion". Therefore, you're only vulnerable if this...

CVSS 9.8, AI score 7.1
Exploits: 0, References: 3
OSSF Malicious Packages
added 2022/09/12 3:08 a.m., 5 views

Malicious code in example-yarn-package (npm)

Source: ghsa-malware 49ed18b898074c0e0df3d8de17008d5edd7e275455865ce1592b1b4bcc76ccd8. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
OSV
added 2022/09/12 3:08 a.m., 7 views

MAL-2022-2914 Malicious code in example-yarn-package (npm)

Source: ghsa-malware 49ed18b898074c0e0df3d8de17008d5edd7e275455865ce1592b1b4bcc76ccd8. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0, References: 1
Snyk
added 2022/09/08 11:24 a.m., 3 views

Malicious Package

Overview: wagmi-example is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, a technique also known as "dependency confusion". Therefore, you're only vulnerable if this package was...

CVSS 9.8, AI score 7.1
Exploits: 0, References: 3
vulnersOsv
added 2022/09/06 12:00 a.m., 3 views

be.cylab.mark:client (>=0.0.20 <=2.6.0), be.cylab.mark:core (>=0.0.20 <=2.6.0) +3 more potentially affected by CVE-2022-38749 via be.cylab:snakeyaml (=1.25.1)

be.cylab:snakeyaml (MAVEN) version =1.25.1 is affected by a known vulnerability. The following packages have a transitive dependency on be.cylab:snakeyaml and may be impacted: be.cylab.mark:client =0.0.20, =0.0.20, =1.3.1, =0.0.22, =0.0.20, =2.3.0. Source CVEs: CVE-2022-38749. Source advisory:...

CVSS 6.5, AI score 6.6, EPSS 0.01583
Exploits: 0
Schneier on Security
added 2022/08/22 11:38 a.m., 25 views

Hyundai Uses Example Keys for Encryption System

This is a dumb crypto mistake I had not previously encountered: A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle's manufacturer had secured its system using keys that were not only publicly known but had been lifted from...

AI score 0.2
Exploits: 0
Hacker One
added 2022/08/16 3:02 p.m., 168 views

Internet Bug Bounty: CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag

Apache Airflow's Docker provider shipped with an example DAG that was vulnerable to authenticated remote code execution on the Airflow worker host. Vulnerability summary: in the DAG script shipped with Airflow 2.3.3, there is a command injection vulnerability (RCE) in the script example_docker_copy_data.py of...

CVSS 6.5, AI score 9.3, EPSS 0.01602
Exploits: 0
OSV
added 2022/08/16 2:15 p.m., 3 views

CVE-2022-38362

Apache Airflow's Docker provider prior to 3.0.0 shipped with an example DAG that was vulnerable to authenticated remote code execution on the Airflow worker host...

CVSS 8.8, AI score 6.1, EPSS 0.01602
Exploits: 0, References: 2
NVD
added 2022/08/16 2:15 p.m., 38 views

CVE-2022-38362

Apache Airflow's Docker provider prior to 3.0.0 shipped with an example DAG that was vulnerable to authenticated remote code execution on the Airflow worker host...

CVSS 8.8, EPSS 0.01602
Exploits: 0, References: 2
CVE
added 2022/08/16 2:10 p.m., 71 views

CVE-2022-38362

CVE-2022-38362 affects the Apache Airflow Docker provider prior to 3.0.0. The issue stems from an example DAG shipped with the provider and gives an authenticated user remote code execution on the Airflow worker host, through a BashOperator call whose template-controlled parameter (source_...

CVSS 8.8, AI score 8.8, EPSS 0.01602
Exploits: 0, References: 2, Affected software: 1
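Both Airflow entries on this page (CVE-2022-40127, a templated run_id in a bash example DAG, and CVE-2022-38362, a template-controlled BashOperator parameter in the Docker provider's example DAG) are the same bug shape: a value the triggering user controls is rendered by Jinja straight into a shell command string. The following is an added example of that pattern and its two usual fixes; it is my code, not Airflow's and not either example DAG. It assumes (my assumption) a DAG that splices the templated value into a double-quoted `echo`, stands in for Airflow's Jinja rendering with a plain placeholder substitution so it runs without Airflow installed, and hands the result to `/bin/sh` the way BashOperator hands its command to a shell. The attacker-supplied run id is constructed for the example.

```python
"""Command injection through a templated BashOperator argument (added example, not Airflow code)."""
import os
import shlex
import subprocess
from typing import Optional

PLACEHOLDER = "{{ run_id }}"  # stand-in for the Jinja-templated field in the DAG (assumption)

# Constructed attacker-supplied run id: it closes the double-quoted string, runs a
# command of its own, then reopens a string so the shell sees no syntax error.
ATTACKER_RUN_ID = 'x"; echo INJECTED; echo "y'


def render(template: str, value: str) -> str:
    """Stand-in for Jinja rendering: the value is spliced into the command text verbatim."""
    return template.replace(PLACEHOLDER, value)


def run_sh(command: str, extra_env: Optional[dict] = None) -> str:
    """Execute the rendered command with /bin/sh, as BashOperator hands its command to a shell."""
    env = {**os.environ, **(extra_env or {})}
    proc = subprocess.run(["sh", "-c", command], capture_output=True, text=True,
                          timeout=10, env=env)
    return proc.stdout


def vulnerable_command(run_id: str) -> str:
    """The vulnerable shape: the double quotes in the template do not protect against
    a value that itself contains a double quote."""
    return render('echo "run id: {{ run_id }}"', run_id)


def fixed_command_quoted(run_id: str) -> str:
    """Fix 1: shell-quote the value before it is spliced into the command."""
    return render("echo run id: {{ run_id }}", shlex.quote(run_id))


def fixed_command_env(run_id: str) -> tuple:
    """Fix 2: keep user data out of the script entirely; pass it through the process
    environment (BashOperator's env= argument) and let the shell expand it as data."""
    return 'echo "run id: $RUN_ID"', {"RUN_ID": run_id}


def injected(output: str) -> bool:
    """True when the attacker's command actually ran: its marker appears on a line of its own."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print(run_sh(vulnerable_command(ATTACKER_RUN_ID)), end="")    # INJECTED on its own line
    print(run_sh(fixed_command_quoted(ATTACKER_RUN_ID)), end="")  # literal value echoed back
    cmd, env = fixed_command_env(ATTACKER_RUN_ID)
    print(run_sh(cmd, env), end="")                               # literal value echoed back
```

Of the two fixes, passing the value through the environment is the more robust one: the shell never parses attacker data as syntax, so it does not depend on the quoting function matching the shell on every input. `shlex.quote` is adequate for POSIX shells but is the wrong tool if the rendered string ever reaches a different interpreter.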