59 matches found
PT-2022-27012 · Unknown · Stackstorm
Name of the Vulnerable Software and Affected Versions: StackStorm versions prior to 3.8.0 Description: A cross-site scripting XSS issue in the Web UI allows logged-in users with write access to pack rules to inject arbitrary script or HTML, which may be executed in the Web UI for other logged-in...
StackStorm 跨站脚本漏洞
StackStorm is an event-driven automation platform. The platform is primarily used for automated remediation, security response, troubleshooting, and program deployment functions. A security vulnerability exists in StackStorm versions prior to 3.8.0, which originates in the Web UI that allows a...
CVE-2022-44009
Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive Information...
CVE-2022-43706
CVE-2022-43706 affects StackStorm Web UI prior to 3.8.0. The vulnerability is a cross-site scripting (XSS) flaw where a logged-in user with write access to pack rules can inject script/HTML that may execute in the Web UI for other users. The issue stems from insufficient input sanitization in the...
CVE-2022-43706
Cross-site scripting XSS vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users...
PT-2022-27071 · Unknown · Stackstorm
Name of the Vulnerable Software and Affected Versions: StackStorm version 3.7.0 Description: The issue is related to improper access control in Key-Value RBAC, where permissions in Jinja filters are not checked, allowing attackers to access Key-Value pairs of other users. This could potentially...
CVE-2022-43706
Cross-site scripting XSS vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users...
GHSA-39MJ-FPG2-3JRG StackStorm st2 Infinite Loop Condition
StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data from an action or rule name...
StackStorm st2 Infinite Loop Condition
StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data from an action or rule name...
@stackstorm/st2-build (>=2.3.1 <=2.4.3), ccxt-without-theocean (=1.18.151) +3 more potentially affected by CVE-2021-23518 via cached-path-relative (=1.0.2)
cached-path-relative NPM version =1.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on cached-path-relative and may be impacted: - @stackstorm/st2-build =2.3.1, =1.0.0, =1.18.173, =1.18.242 Source cves: CVE-2021-23518 Source advisory:...
@stackstorm/st2-build (>=2.3.1 <=2.4.3), ccxt-without-theocean (=1.18.151) +3 more potentially affected by CVE-2021-23518 via cached-path-relative (=1.0.2)
cached-path-relative NPM version =1.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on cached-path-relative and may be impacted: - @stackstorm/st2-build =2.3.1, =1.0.0, =1.18.173, =1.18.242 Source cves: CVE-2021-23518 Source advisory:...
CVE-2021-44657
In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default...
CVE-2021-44657
In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default...
Default credentials
In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default...
CVE-2021-44657
In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default...
CVE-2021-44657
CVE-2021-44657 affects StackStorm versions before 3.6.0, where the Jinja interpreter was not run in sandbox mode, enabling unsafe system command execution. The issue stems from Jinja not enabling sandboxed mode by default for backwards compatibility; StackStorm now forces sandboxed Jinja by defau...
StackStorm 安全漏洞
StackStorm is an event-driven automation platform. The platform is used for automated remediation, security response, troubleshooting and program deployment, etc. An injection vulnerability exists in StackStorm, which stems from the failure of a network system or product to properly filter specia...
CVE-2021-28667
StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data from an action or rule name...
CVE-2021-28667
StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data from an action or rule name...
CVE-2021-28667
StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data from an action or rule name...