7 matches found
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the runPlaygroundServer process in cmd/run/run.go and the playground configuration in pkg/server/config/config.go. An attacker can recover the preshared API key by sending an unauthenticated request to the...
GHSA-68M9-983M-F3V5 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
Description When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...
Server-side Request Forgery (SSRF)
Overview crewai-tools is a Set of tools for the crewAI framework Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to the RAG search tools not properly validating user-supplied URLs at runtime. An attacker can access internal or cloud resources by supplying...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of resource-limiting controls in the gRPC, HTTPS, and HTTP3 server implementations. An attacker can exhaust memory and cause the server to degrade or crash by opening...
EUVD-2023-51733
Malicious code in bioql PyPI...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via Service Call functionality. A user with sufficient privileges to create Kyverno policies can expose all data from a Kubernetes cluster using a malicious Kyverno policy that makes external service cal...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via Service Call functionality. A user with sufficient privileges to create Kyverno policies can expose all data from a Kubernetes cluster using a malicious Kyverno policy that makes external service cal...