Unlimited transforms allowed for signed nodes

Impact A malicious SAML payload can require transforms that consume significant system resources to process, thereby resulting in reduced or denied service. This would be an effective way to perform a denial-of-service attack. Patches This has been resolved in version 3.1.0. The resolution is to...

kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4

A flaw was found in kubernetes. In Kubernetes, if the logging level is to at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This can occur with client tools like...

Untrusted Search Path in Nextcloud Desktop Client

None...

[SECURITY] Fedora 34 Update: rust-pulldown-cmark-0.8.0-4.fc34

Pull parser for CommonMark...

DEBIAN-CVE-2021-32760

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access t...

Docker daemon crash during image pull of malicious image

...

Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands.

...

XSS in Nextcloud Text application

None...

Lack of ratelimit on public DAV endpoint

None...

Filenames not escaped by default in controllers using DownloadResponse

None...

Security Scorecards - Security Health Metrics For Open Source

Security Health Metrics For Open Source Motivation A short motivational video clip to inspire us: https://youtu.be/rDMMYT3vkTk "You passed! All D's ... and an A!" Goals 1. Automate analysis and trust decisions on the security posture of open source projects. 2. Use this data to proactively improv...

GHSA-PHJ8-4CQ3-794G Unencrypted storage of client side sessions

Impact The default configuration of client side sessions results in unencrypted, but signed, data being set as cookie values. This means that if something sensitive goes into the session, it could be read by something with access to the cookies. Note: the documentation does point this out and...

rug pull possible via SafetyWithdraw

Handle gpersoon Vulnerability details Impact The contract TracerPerpetualSwaps inherits from SafetyWithdraw, which means the function withdrawERC20Token is possible, This allows the projectowners to withdraw the ERC20 tokens from the contract, which can be seen as a rug pull Also the tvl variable...

PT-2021-24355 · Pterodactyl · Pterodactyl Wings

Name of the Vulnerable Software and Affected Versions: Pterodactyl Wings versions prior to 1.11.2 Description: An authenticated user with access to a game server can bypass previously implemented access control, potentially accessing resources on local networks that would otherwise be inaccessibl...

Malicious Android application can crash the Nextcloud Android Client

None...

SUSE: Security Advisory (SUSE-SU-2021:1108-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

metasploit-framework

This repository is an offensive tool for Metasploit Framework. The Metasploit Framework is a powerful tool for penetration testing and vulnerability assessment. It provides a comprehensive platform for identifying and exploiting vulnerabilities in various systems and applications. The framework...

GHSA-JM56-5H66-W453 Repository index file allows for duplicates of the same chart entry in helm

Impact During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs...

monkey

This is a Python script repository for a tool called "Infection Monkey". The tool is designed to simulate a cyber attack on a network by injecting malware into the network and observing the behavior of the malware as it spreads. The script is written in Python and uses the "monkey" framework to...

GHSA-HF44-3MX6-VHHW Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service.

Impact The regex injection that may lead to Denial of Service. Patches Will be patched in 2.4 and 3.0 Workarounds Versions lower than 2.x are only affected if the navigation module is added References See this pull request for the fix: https://github.com/graphhopper/graphhopper/pull/2304 If you...