
37 matches found

Snyk
added 2026/03/27 5:12 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the UploadAllFiles function during S3 restore operations when processing tar headers from a supplied backup archive. An attacker can cause the daemon to crash and disrupt the contr...

CVSS 7.1, AI score 5.9, EPSS 0.00022
Exploits: 1, References: 2
NVD
added 2026/03/26 10:16 p.m., 1 view

CVE-2026-28377

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to williamgoodfellow for reporting this vulnerability...

CVSS 7.5, EPSS 0.00009
Exploits: 0, References: 1
CNVD
added 2026/03/17 12:00 a.m., 3 views

Unspecified Vulnerability in StudioCMS (CNVD-2026-18150)

StudioCMS is an open source content management system. A security vulnerability exists in StudioCMS that can be exploited by an attacker to cause an authenticated user to perform arbitrary file operations on S3 storage buckets...

CVSS 7.6, AI score 5.5, EPSS 0.00053
Exploits: 1
OSV
added 2026/03/12 2:49 p.m., 1 view

GHSA-MM78-FGQ8-6PGR StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check

Summary The S3 storage manager's isAuthorized function is declared async (it returns a Promise) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorizedtype always evaluates to false, completely bypassing the authorization check...

CVSS 7.6, AI score 5.9, EPSS 0.00053
Exploits: 1, References: 3
Fedora
added 2025/12/03 12:59 a.m., 6 views

[SECURITY] Fedora 43 Update: rclone-1.72.0-1.fc43

"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, OneDrive, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex Files...

CVSS 7.5, AI score 7, EPSS 0.00044
Exploits: 0
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2024-3195

Malicious code in bioql PyPI...

CVSS 2.3, AI score 6.4, EPSS 0.00104
Exploits: 0, References: 6
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-26855

Malicious code in bioql PyPI...

CVSS 4.6, AI score 5.2, EPSS 0.00299
Exploits: 0, References: 4
Tenable Nessus
added 2025/09/03 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2023-51651

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix...

CVSS 6, AI score 5.4, EPSS 0.0011
Exploits: 0, References: 2
RedhatCVE
added 2025/02/16 8:20 p.m., 6 views

CVE-2025-25297

Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a cust...

CVSS 8.6, AI score 6.8, EPSS 0.00051
Exploits: 1, References: 1
OSV
added 2025/02/14 3:26 p.m., 11 views

GHSA-M238-FMCW-WH58 Label Studio allows Server-Side Request Forgery in the S3 Storage Endpoint

Description Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3endpoint parameter. This endpoint U...

CVSS 8.6, AI score 8.6, EPSS 0.00051
Exploits: 1, References: 4
Cvelist
added 2025/01/16 7:16 p.m., 9 views

CVE-2024-36403 Denial of service/high operating costs through unauthenticated downloads in Matrix Media Repo

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 is vulnerable to unbounded disk consumption, where an unauthenticated adversary can induce it to download and cache large amounts of remote media files. MMR's typical operating...

CVSS 5.3, EPSS 0.00106
Exploits: 0, References: 2
CVE
added 2025/01/16 7:16 p.m., 50 views

CVE-2024-36403

CVE-2024-36403 affects Matrix Media Repo (MMR) before 1.3.5. An unauthenticated attacker can cause unbounded disk consumption by triggering MMR to download and cache large volumes of remote media. Deployments using file-backed storage or self-hosted S3 storage are vulnerable to a disk-fill denial...

CVSS 7.5, AI score 5.5, EPSS 0.00106
Exploits: 0, References: 2, Affected Software: 1
Veracode
added 2024/10/11 5:16 a.m., 5 views

Denial Of Service (DoS)

github.com/foxcpp/maddy is vulnerable to Denial Of Service (DoS). The vulnerability is due to the lack of proper error handling during write operations in S3 storage: when write operations encounter errors, they are not aborted, allowing the system to continue consuming memory without limit...

AI score 7
Exploits: 0
Virtuozzo
added 2024/05/21 12:00 a.m., 32 views

Virtuozzo Hybrid Infrastructure 6.1 Update 1 (6.1.1-35)

In this release, Virtuozzo Hybrid Infrastructure enables virtual CPU and RAM overcommitment per node, provides stability and performance improvements, and addresses issues found in previous releases. Vulnerability id: VSTOR-49565. Network errors occur when migrating a VM that was...

AI score 7.8
Exploits: 0
IBM Security Bulletins
added 2023/12/14 10:36 a.m., 31 views

Security Bulletin: IBM App Connect Enterprise Certified Container Dashboard operands that use S3 storage are vulnerable to security restrictions bypass due to [CVE-2023-46234]

Summary Node.js module browserify-sign is used by IBM App Connect Enterprise Certified Container Dashboards for accessing S3 storage. IBM App Connect Enterprise Certified Container Dashboard operands that access bar files in S3 storage are vulnerable to security restrictions bypass. This bulletin...

CVSS 7.5, AI score 6.8, EPSS 0.00433
Exploits: 0, Affected Software: 1
NVD
added 2023/02/07 7:15 p.m., 8 views

CVE-2023-22735

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit 2f6c5a8 but after commit 04cf68b users could upload files with arbitrary Content-Type which would be served from the Zulip hostname with Content-Disposition: inline and no Content-Security-Policy header, allowin...

CVSS 4.6, AI score 4.8, EPSS 0.00299
Exploits: 0, References: 4
Prion
added 2023/02/07 7:15 p.m., 20 views

Design/Logic Flaw

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit 2f6c5a8 but after commit 04cf68b users could upload files with arbitrary Content-Type which would be served from the Zulip hostname with Content-Disposition: inline and no Content-Security-Policy header, allowin...

CVSS 4.9, AI score 4.9, EPSS 0.00299
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2023/02/07 6:48 p.m., 14 views

CVE-2023-22735 User uploads proxied from S3 lack `Content-Security-Policy` headers, may be served with `Content-Disposition: inline` in zulip

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit 2f6c5a8 but after commit 04cf68b users could upload files with arbitrary Content-Type which would be served from the Zulip hostname with Content-Disposition: inline and no Content-Security-Policy header, allowin...

CVSS 4.4, AI score 5.2, EPSS 0.00299
Exploits: 0, References: 6
CVE
added 2023/02/07 6:48 p.m., 60 views

CVE-2023-22735

CVE-2023-22735 affects Zulip: prior to commit 2f6c5a8 but after 04cf68b, files uploaded with arbitrary Content-Type could be served from the Zulip hostname with Content-Disposition: inline and without a Content-Security-Policy header, enabling execution of arbitrary JavaScript in the Zulip contex...

CVSS 4.6, AI score 4.8, EPSS 0.00299
Exploits: 0, References: 4, Affected Software: 1
Cvelist
added 2023/02/07 6:48 p.m., 15 views

CVE-2023-22735 User uploads proxied from S3 lack `Content-Security-Policy` headers, may be served with `Content-Disposition: inline` in zulip

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit 2f6c5a8 but after commit 04cf68b users could upload files with arbitrary Content-Type which would be served from the Zulip hostname with Content-Disposition: inline and no Content-Security-Policy header, allowin...

CVSS 4.4, AI score 5.1, EPSS 0.00299
Exploits: 0, References: 4