OSV
added 2022/10/30 12:02 a.m. · 3 views

OSV-2022-1118 Security exception in java.base/jdk.internal.math.FloatingDecimal.readJavaFormatString

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52840. Crash type: Security exception. Crash state: java.base/jdk.internal.math.FloatingDecimal.readJavaFormatString; java.base/jdk.internal.math.FloatingDecimal.parseDouble; java.base/java.lang.Double.parseDouble...

AI score: 7.1
Exploits: 0 · References: 1
Positive Technologies
added 2022/10/29 12:00 a.m. · 5 views

PT-2022-36722 · Git +1 · Radare2

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: A heap-buffer-overflow READ 1 crash has been reported. The crash involves the functions parse classes 64, classes, and r bin object set items. No...

AI score: 7
Exploits: 0 · References: 2
Positive Technologies
added 2022/10/28 12:00 a.m. · 4 views

PT-2022-5322 · Nginx · Nginx Njs

Name of the Vulnerable Software and Affected Versions: Nginx NJS version 0.7.2. Description: The issue is a heap-use-after-free bug caused by an illegal memory copy in the function njs_json_parse_iterator_call in njs_json.c. This bug can be exploited by a remote attacker to execute...

CVSS: 10 · AI score: 9.4 · EPSS: 0.00898
Exploits: 1 · References: 6
CNNVD
added 2022/10/28 12:00 a.m. · 3 views

Nginx resource management error vulnerability

Nginx is a lightweight web server/reverse proxy server and email IMAP/POP3 proxy server from Nginx, Inc. njs is one of the scripting language components that supports extended NGINX functionality. A security vulnerability exists in Nginx NJS version 0.7.2, which stems from heap-based...

CVSS: 9.8 · AI score: 8.1 · EPSS: 0.00898
Exploits: 1 · References: 3
Vulnrichment
added 2022/10/26 5:05 a.m. · 7 views

CVE-2022-25849 Cross-site Scripting (XSS)

The package joyqi/hyper-down from version 0.0.0 onwards is vulnerable to Cross-site Scripting (XSS) because the markdown parsing module does not properly filter the href attribute...

CVSS: 5.4 · AI score: 5.5 · EPSS: 0.00473
Exploits: 1 · References: 1
CVE
added 2022/10/26 5:05 a.m. · 73 views

CVE-2022-25849

CVE-2022-25849 affects joyqi/hyper-down, a Markdown parser library. The vulnerability stems from improper filtering of href attributes in the markdown parser, enabling cross-site scripting (XSS). Affected versions start at 0.0.0 and continue thereafter. Public details describe an XSS vector in th...

CVSS: 6.1 · AI score: 5.7 · EPSS: 0.00473
Exploits: 1 · References: 1 · Affected software: 1
Cvelist
added 2022/10/26 5:05 a.m. · 29 views

CVE-2022-25849 Cross-site Scripting (XSS)

The package joyqi/hyper-down from version 0.0.0 onwards is vulnerable to Cross-site Scripting (XSS) because the markdown parsing module does not properly filter the href attribute...

CVSS: 5.4 · AI score: 6.2 · EPSS: 0.00473
Exploits: 1 · References: 1
RedHat Linux
added 2022/10/25 9:07 a.m. · 3 views

golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension

A flaw was found in golang.org/x/text: an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension...

CVSS: 7.5 · AI score: 7.1 · EPSS: 0.02234
Exploits: 1 · References: 4
RedHat Linux
added 2022/10/25 9:07 a.m. · 5 views

golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag

A flaw was found in golang.org/x/text: a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag...

CVSS: 7.5 · AI score: 7.3 · EPSS: 0.01674
Exploits: 1 · References: 4
Veracode
added 2022/10/25 5:42 a.m. · 12 views

Denial Of Service (DoS)

parse-server is vulnerable to denial of service. The vulnerability exists in multiple functions because user input is not properly validated, which allows an attacker to send a file download request with an invalid byte range and crash the application...

CVSS: 7.5 · AI score: 6.6 · EPSS: 0.00689
Exploits: 0 · References: 5 · Affected software: 1
NVD
added 2022/10/24 2:15 p.m. · 33 views

CVE-2022-39313

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been...

CVSS: 7.5 · EPSS: 0.00689
Exploits: 0 · References: 1
Prion
added 2022/10/24 2:15 p.m. · 14 views

Design/Logic Flaw

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been...

CVSS: 5 · AI score: 7.4 · EPSS: 0.00689
Exploits: 0 · References: 1 · Affected software: 1
Vulnrichment
added 2022/10/24 12:00 a.m. · 6 views

CVE-2022-39313 Parse Server crashes when receiving file download request with invalid byte range

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been...

CVSS: 7.5 · AI score: 7.5 · EPSS: 0.00689
Exploits: 0 · References: 1
CNNVD
added 2022/10/24 12:00 a.m. · 3 views

Parse Server input validation error vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. An input validation error vulnerability exists in Parse Server prior to version 4.10.17 and version 5.x prior to version 5.2.8, which stems from a crash upon receiving a file download request...

CVSS: 7.5 · AI score: 7.3 · EPSS: 0.00689
Exploits: 0 · References: 2
Cvelist
added 2022/10/24 12:00 a.m. · 35 views

CVE-2022-39313 Parse Server crashes when receiving file download request with invalid byte range

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been...

CVSS: 7.5 · AI score: 7.6 · EPSS: 0.00689
Exploits: 0 · References: 1
CVE
added 2022/10/24 12:00 a.m. · 70 views

CVE-2022-39313

Parse Server is affected by a Denial of Service when handling a file download request with an invalid byte range. The issue occurs in versions prior to 4.10.17 and, on the 5.x branch, prior to 5.2.8, where such requests crash the server. Patches are available in v4.10.17 and v5.2.8. No workaround...

CVSS: 7.5 · AI score: 7.4 · EPSS: 0.00689
Exploits: 0 · References: 1 · Affected software: 1
Positive Technologies
added 2022/10/24 12:00 a.m. · 3 views

PT-2022-36705 · Git +1 · Radare2

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: A heap-buffer-overflow READ 1 crash has been reported. The crash involves the functions parse classes 64, classes, and r bin object set items. No...

AI score: 7
Exploits: 0 · References: 2
OSV
added 2022/10/24 12:00 a.m. · 29 views

CVE-2022-39313 Parse Server crashes when receiving file download request with invalid byte range

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been...

CVSS: 7.5 · AI score: 7.3 · EPSS: 0.00689
Exploits: 0 · References: 3
Tenable Nessus
added 2022/10/21 12:00 a.m. · 34 views

Amazon Linux 2 : golang-github-gorilla-mux (ALAS-2022-1860)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1860 advisory. 2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory. A flaw was found in golang. The HTTP/1 client accepted invalid...

CVSS: 9.3 · AI score: 7.2 · EPSS: 0.05292
Exploits: 7 · References: 32
Tenable Nessus
added 2022/10/21 12:00 a.m. · 38 views

Amazon Linux 2 : golang-github-godbus-dbus (ALAS-2022-1858)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1858 advisory. 2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory. A flaw was found in golang. The HTTP/1 client accepted invalid...

CVSS: 9.3 · AI score: 7.2 · EPSS: 0.05292
Exploits: 7 · References: 32