57 matches found

Snyk
added 2026/05/29 10:54 p.m. · 8 views

Malicious Package

Overview: @cloudplatform-single-spa/svp-s3-storage is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organizati...

CVSS 9.8 · AI score 5.8
Exploits 0 · References 2
Snyk
added 2026/03/27 5:12 p.m. · 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the UploadAllFiles function during S3 restore operations when processing tar headers from a supplied backup archive. An attacker can cause the daemon to crash and disrupt the contr...

CVSS 7.1 · AI score 5.9 · EPSS 0.00022
Exploits 1 · References 2
NVD
added 2026/03/26 10:16 p.m. · 1 view

CVE-2026-28377

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to williamgoodfellow for reporting this vulnerability...

CVSS 7.5 · EPSS 0.00009
Exploits 0 · References 1
CNVD
added 2026/03/17 12:00 a.m. · 3 views

Unspecified Vulnerability in StudioCMS (CNVD-2026-18150)

StudioCMS is an open source content management system. A security vulnerability exists in StudioCMS that can be exploited by an attacker to cause an authenticated user to perform arbitrary file operations on S3 storage buckets...

CVSS 7.6 · AI score 5.5 · EPSS 0.00053
Exploits 1
OSV
added 2026/03/12 2:49 p.m. · 1 view

GHSA-MM78-FGQ8-6PGR StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check

Summary: The S3 storage manager's isAuthorized function is declared async (it returns a Promise) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, `!isAuthorized(...)` always evaluates to false, completely bypassing the authorization check...

CVSS 7.6 · AI score 5.9 · EPSS 0.00053
Exploits 1 · References 3
CVE
added 2026/03/11 8:03 p.m. · 6 views

CVE-2026-32101

CVE-2026-32101 affects StudioCMS S3 Storage Manager prior to version 0.3.1. The isAuthorized() function is async but is called without await in both the POST and PUT handlers, so the authorization check always passes, because Promise objects are truthy. As a result, any authen...

CVSS 7.6 · AI score 5.8 · EPSS 0.00053
Exploits 1 · References 1 · Affected software 1
Vulnrichment
added 2026/03/11 8:03 p.m. · 1 view

CVE-2026-32101 StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized function is declared async (it returns a Promise) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in...

CVSS 7.6 · AI score 5.8 · EPSS 0.00053
Exploits 1 · References 1
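The four StudioCMS entries above describe one bug class: an `async` authorization function called without `await`, so the guard tests a Promise object instead of the boolean it resolves to. The following is an added example written for this page, not StudioCMS code: `isAuthorized`, the two handler functions, the request objects and the `assertAuthDecision` helper are all illustrative names and shapes chosen to show the vulnerable call beside the corrected one.

```javascript
'use strict';

// Illustrative async authorization check (assumed name and shape; not
// StudioCMS code). In a real app this would await a session or DB lookup.
async function isAuthorized(ctx) {
  return Boolean(ctx.user && ctx.user.role === 'admin');
}

// VULNERABLE: the async check is called without `await`. The call expression
// yields a pending Promise, which is an object and therefore truthy, so
// `!isAuthorized(ctx)` is always false and the 403 branch is dead code.
async function vulnerablePutHandler(ctx) {
  if (!isAuthorized(ctx)) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: 'object written to bucket' };
}

// FIXED: await the check so the condition tests the resolved boolean.
async function fixedPutHandler(ctx) {
  if (!(await isAuthorized(ctx))) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: 'object written to bucket' };
}

// Defensive helper (assumed, not from the project): refuse to treat anything
// but a real boolean as an auth decision, so an un-awaited Promise fails loudly
// at runtime instead of silently granting access.
function assertAuthDecision(value) {
  if (typeof value !== 'boolean') {
    throw new TypeError(
      `authorization check returned ${Object.prototype.toString.call(value)}, ` +
        'expected boolean (missing await?)',
    );
  }
  return value;
}

// Synchronous demonstration of the root cause: whatever the caller's role,
// the un-awaited call is truthy.
function unawaitedCheckIsTruthy(ctx) {
  return Boolean(isAuthorized(ctx));
}

// Runs both handlers for the same request and reports each status code.
async function compareHandlers(ctx) {
  const [vulnerable, fixed] = await Promise.all([
    vulnerablePutHandler(ctx),
    fixedPutHandler(ctx),
  ]);
  return { vulnerable: vulnerable.status, fixed: fixed.status };
}

// Constructed sample requests (not real traffic).
const viewerRequest = { user: { id: 'u1', role: 'viewer' } };
const adminRequest = { user: { id: 'u2', role: 'admin' } };

compareHandlers(viewerRequest).then((r) => {
  // vulnerable handler returns 200 for a viewer, fixed handler returns 403
  console.log('viewer:', r);
});
```

The truthy-Promise pattern is exactly what lint rules such as `@typescript-eslint/no-misused-promises` and `no-floating-promises` exist to catch; `assertAuthDecision` is the runtime belt to that static braces. The test below exercises the un-awaited call directly as well as both handlers.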
Github Security Blog
added 2025/12/18 6:52 p.m. · 9 views

AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue

Summary: S3 Encryption Client for PHP is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders...

CVSS 6 · AI score 7 · EPSS 0.00017
Exploits 0 · References 7 · Affected software 1
Fedora
added 2025/12/03 12:59 a.m. · 6 views

[SECURITY] Fedora 43 Update: rclone-1.72.0-1.fc43

"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, OneDrive, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex Files...

CVSS 7.5 · AI score 7 · EPSS 0.00044
Exploits 0
EUVD
added 2025/10/03 8:07 p.m. · 5 views

EUVD-2023-0392

Malicious code in bioql PyPI...

CVSS 7.6 · AI score 5.9 · EPSS 0.00365
Exploits 0 · References 8
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2024-3195

Malicious code in bioql PyPI...

CVSS 2.3 · AI score 6.4 · EPSS 0.00104
Exploits 0 · References 6
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-12479

Malicious code in bioql PyPI...

CVSS 4.9 · AI score 6.5 · EPSS 0.00034
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2023-26855

Malicious code in bioql PyPI...

CVSS 4.6 · AI score 5.2 · EPSS 0.00299
Exploits 0 · References 4
Tenable Nessus
added 2025/09/03 12:00 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2023-51651

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix...

CVSS 6 · AI score 5.4 · EPSS 0.0011
Exploits 0 · References 2
Vulnrichment
added 2025/03/26 4:49 p.m. · 9 views

CVE-2025-30350 Directus's S3 assets become unavailable after a burst of HEAD requests

Directus is a real-time API and App dashboard for managing SQL database content. The @directus/storage-driver-s3 package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a...

CVSS 5.3 · AI score 7.6 · EPSS 0.00208
Exploits 1 · References 1
RedhatCVE
added 2025/02/16 8:20 p.m. · 6 views

CVE-2025-25297

Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a cust...

CVSS 8.6 · AI score 6.8 · EPSS 0.00051
Exploits 1 · References 1
NVD
added 2025/02/14 8:15 p.m. · 14 views

CVE-2025-25297

Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a cust...

CVSS 8.6 · EPSS 0.00051
Exploits 1 · References 2
CVE
added 2025/02/14 7:25 p.m. · 107 views

CVE-2025-25297

Label Studio (Open Source) contains an SSRF (CVE-2025-25297) in the S3 storage endpoint configuration prior to version 1.16.0. The s3_endpoint parameter is passed directly to the boto3 AWS SDK without validation, allowing an authenticated user to trigger HTTP requests to arbitrary internal services ...

CVSS 8.6 · AI score 7 · EPSS 0.00051
Exploits 1 · References 2 · Affected software 1
Github Security Blog
added 2025/02/14 3:26 p.m. · 23 views

Label Studio allows Server-Side Request Forgery in the S3 Storage Endpoint

Description: Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint U...

CVSS 8.6 · AI score 6.5 · EPSS 0.00051
Exploits 1 · References 4 · Affected software 1
OSV
added 2025/02/14 3:26 p.m. · 11 views

GHSA-M238-FMCW-WH58 Label Studio allows Server-Side Request Forgery in the S3 Storage Endpoint

Description: Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint U...

CVSS 8.6 · AI score 8.6 · EPSS 0.00051
Exploits 1 · References 4
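The five Label Studio entries above all come down to a user-supplied S3 endpoint URL being handed to the SDK client without validation. The block below is an added example for this page, not Label Studio's fix (which is in Python against boto3); it shows, in JavaScript, the checks an endpoint setting needs before it reaches any S3 client: scheme, embedded credentials, private and link-local IP literals (including the 169.254.169.254 instance-metadata address and hex, decimal and IPv4-mapped spellings of such addresses), and a hostname allowlist. `validateS3Endpoint`, `ALLOWED` and `SAMPLE_ENDPOINTS` are illustrative names and constructed inputs.

```javascript
'use strict';

// Private and special-use IPv4 ranges an S3 endpoint must never point at.
// The WHATWG URL parser normalizes shorthand numeric hosts (e.g. a single
// decimal or hex number) to dotted decimal before this function sees them.
function isBlockedIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return (
    a === 0 ||                           // 0.0.0.0/8
    a === 10 ||                          // 10.0.0.0/8
    a === 127 ||                         // 127.0.0.0/8 loopback
    (a === 169 && b === 254) ||          // 169.254.0.0/16 link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168) ||          // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127)   // 100.64.0.0/10 shared address space
  );
}

// Loopback, unspecified, link-local, unique-local and IPv4-mapped IPv6.
// The URL parser serializes IPv6 hosts in lowercase hex groups, so an
// IPv4-mapped address arrives as ::ffff:7f00:1 rather than ::ffff:127.0.0.1.
function isBlockedIPv6(ip) {
  const low = ip.toLowerCase();
  if (low === '::1' || low === '::') return true;
  if (low.startsWith('fe80:')) return true;                      // fe80::/10
  if (low.startsWith('fc') || low.startsWith('fd')) return true; // fc00::/7
  const mapped = low.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (mapped) {
    const hi = parseInt(mapped[1], 16);
    const lo = parseInt(mapped[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  return false;
}

// Validates a user-supplied S3 endpoint before it is given to an SDK client.
// `allowedSuffixes` is an allowlist of endpoint hostnames (exact match or any
// subdomain of the entry). Returns { ok: true, endpoint } or { ok: false, reason }.
function validateS3Endpoint(raw, allowedSuffixes) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'endpoint is not a valid URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'endpoint must use https' };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials are not allowed in the endpoint' };
  }
  let host = url.hostname;
  if (host.startsWith('[') && host.endsWith(']')) {
    host = host.slice(1, -1); // IPv6 literal
    if (isBlockedIPv6(host)) return { ok: false, reason: `blocked IPv6 address ${host}` };
  } else if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    if (isBlockedIPv4(host)) return { ok: false, reason: `blocked IPv4 address ${host}` };
  } else if (host === 'localhost' || host.endsWith('.localhost') || host.endsWith('.internal')) {
    return { ok: false, reason: `blocked hostname ${host}` };
  }
  const allowed = allowedSuffixes.some((s) => host === s || host.endsWith('.' + s));
  if (!allowed) {
    return { ok: false, reason: `host ${host} is not in the endpoint allowlist` };
  }
  // Only the origin is kept; path, query and fragment never belong in an endpoint.
  return { ok: true, endpoint: url.origin };
}

// Constructed sample allowlist and inputs (not from the advisory).
const ALLOWED = ['amazonaws.com', 'minio.example-corp.net'];
const SAMPLE_ENDPOINTS = [
  'https://s3.us-east-1.amazonaws.com',
  'https://bucket.minio.example-corp.net:9000',
  'http://169.254.169.254/latest/meta-data/',
  'https://2852039166/',               // decimal form of 169.254.169.254
  'https://[::1]:9000/',
  'https://[::ffff:127.0.0.1]/',
  'https://s3.amazonaws.com.attacker.test/',
  'https://user:pw@s3.amazonaws.com/',
];

// Returns [endpoint, verdict] pairs for every sample input.
function checkAll() {
  return SAMPLE_ENDPOINTS.map((e) => [e, validateS3Endpoint(e, ALLOWED)]);
}

for (const [endpoint, verdict] of checkAll()) {
  console.log(verdict.ok ? 'ALLOW' : 'REJECT', endpoint, verdict.reason || verdict.endpoint);
}
```

An allowlist of hostnames is the part that actually closes the hole; the IP-literal checks exist because users and tests reach for literals. Neither check covers a permitted hostname that later resolves to an internal address (DNS rebinding), so the connecting side should re-validate the resolved address or route S3 traffic through an egress proxy that enforces the same policy.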