
2720 matches found

IBM Security Bulletins
added 2023/06/28 3:08 p.m., 35 views

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service due to [CVE-2023-34104]

Summary Node.js module fast-xml-parser is used by IBM App Connect Enterprise Certified Container for parsing XML. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service. This bulletin provides patch...

CVSS 7.5, AI score 7.4, EPSS 0.00575
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2023/06/28 3:06 p.m., 25 views

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to arbitrary code execution due to [CVE-2023-26920]

Summary Node.js module fast-xml-parser is used by IBM App Connect Enterprise Certified Container for parsing XML data. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to arbitrary code execution. This bulletin...

CVSS 6.5, AI score 7.3, EPSS 0.00199
Exploits 1, Affected Software 1
Tenable Nessus
added 2023/06/25 12:00 a.m., 19 views

Debian dla-3470 : owslib-doc - security update

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3470 advisory. Debian LTS Advisory DLA-3470-1 [email protected] https://www.debian.org/lts/security/...

CVSS 8.2, AI score 7.7, EPSS 0.00168
Exploits 0, References 4
Veracode
added 2023/06/21 10:30 a.m., 26 views

Prototype Pollution

fast-xml-parser is vulnerable to Prototype Pollution. The vulnerability is due to not sanitizing user input or the __proto__ field, leading to pollution of the global prototype object, which can be used to mount denial of service (DoS), RCE (Remote Code Execution) and Privilege Escalation attacks...

CVSS 6.5, AI score 9, EPSS 0.00199
Exploits 1, References 4, Affected Software 1
Rosalinux
added 2023/06/20 9:22 a.m., 29 views

Advisory ROSA-SA-2023-2168

Software: firefox 102.10.0 OS: rosa-server79 packageevrstring: 102.10.0-1.res7 CVE-ID: CVE-2022-40674 BDU-ID: 2023-02596 CVE-Crit: HIGH CVE-DESC: A use-after-free vulnerability in the doContent function of the xmlparse.c file of the libexpat XML parser library. Exploitation ...

CVSS 8.1, AI score 7.5, EPSS 0.00915
Exploits 0
Rosalinux
added 2023/06/20 9:12 a.m., 23 views

Advisory ROSA-SA-2023-2166

Software: thunderbird 102.10.0 OS: rosa-server79 packageevrstring: 102.10.0-2.res7 CVE-ID: CVE-2022-40674 BDU-ID: 2023-02596 CVE-Crit: HIGH CVE-DESC: A use-after-free vulnerability in the doContent function of the xmlparse.c file of the libexpat XML parser library...

CVSS 8.1, AI score 7.5, EPSS 0.00915
Exploits 0
IBM Security Bulletins
added 2023/06/20 8:52 a.m., 69 views

Security Bulletin: IBM Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities

Summary IBM Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details CVEID:CVE-2023-31047 DESCRIPTION: Django could allow a remote attacker to bypass security restrictions. By sending a specially-crafted request, an attacker...

CVSS 9.8, AI score 9.1, EPSS 0.39216
Exploits 12, Affected Software 1
vulnersOsv
added 2023/06/15 7:05 p.m., 2 views

@activepieces/piece-amazon-s3 (=0.0.2), @adobe/helix-admin-support (>=2.1.22 <=2.1.23) +471 more potentially affected by unknown CVE via fast-xml-parser (=4.2.4)

fast-xml-parser NPM version =4.2.4 is affected by a known vulnerability. The following packages have a transitive dependency on fast-xml-parser and may be impacted: - @activepieces/piece-amazon-s3 =0.0.2 - @adobe/helix-admin-support =2.1.22, =9.0.39, =2.1.1, =2.1.15, =1.11.158, =1.0.4-0, =1.2.39-...

AI score 5.5
Exploits 0
Tenable Nessus
added 2023/06/14 12:00 a.m., 21 views

Debian DSA-5426-1 : owslib - security update

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5426 advisory. - OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML...

CVSS 8.2, AI score 7.7, EPSS 0.00168
Exploits 0, References 6
vulnersOsv
added 2023/06/13 12:44 p.m., 2 views

1337-docs (>=1.0.10 <=1.0.16), 1pointfixed1 (=1.3.5) +3704 more potentially affected by CVE-2023-26920 via fast-xml-parser (>=2.3.1 <=4.1.1)

fast-xml-parser NPM version =2.3.1, =1.0.10, =2.0.0, =1.0.0, =7.0.35, =2.0.0, =1.0.0, =3.0.0-beta.0, =3.0.0-beta.0, =2.73.2, =1.6.66, =0.5.0, =0.9.2 - @adamkac/gus-api-regon =1.0.2 and more Source cves: CVE-2023-26920 Source advisory: OSV:GHSA-X3CC-X39P-42QX...

CVSS 6.5, AI score 6.7, EPSS 0.00199
Exploits 1
OSV
added 2023/06/13 12:44 p.m., 0 views

GHSA-X3CC-X39P-42QX fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name

Impact As part of this vulnerability, a user was able to execute code using __proto__ as a tag or attribute name. const { XMLParser, XMLBuilder, XMLValidator } = require("fast-xml-parser"); let XMLdata = "hacked"; const parser = new XMLParser(); let jObj = parser.parse(XMLdata); console.log(jObj.polluted); // should...

CVSS 6.5, AI score 7, EPSS 0.00199
Exploits 1, References 6
Microsoft CVE
added 2023/06/13 7:00 a.m., 3 views

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.


CVSS 7.5, AI score 7.2, EPSS 0.00452
Exploits 1
Veracode
added 2023/06/08 9:32 a.m., 37 views

Regular Expression Denial Of Service (ReDoS)

fast-xml-parser is vulnerable to Regular Expression Denial Of Service (ReDoS). The vulnerability exists in the readDocType function in DocTypeReader.js, which allows an attacker to cause an application crash by submitting an entity name that produces a badly performing regex, because entity names are not sanitize...

CVSS 7.5, AI score 6.7, EPSS 0.00575
Exploits 0, References 3, Affected Software 1
IBM Security Bulletins
added 2023/06/07 7:18 a.m., 32 views

Security Bulletin: IBM Operational Decision Manager May 2023 - Multiple CVEs

Summary This Security Bulletin addresses the security vulnerabilities that have been fixed within the IBM Operational Decision Manager. This product now includes fixes for the following security vulnerabilities. Vulnerability Details CVEID:CVE-2023-20862 DESCRIPTION: VMware Tanzu Spring Security...

CVSS 8.8, AI score 9.3, EPSS 0.94055
Exploits 9, Affected Software 1
NVD
added 2023/06/06 6:15 p.m., 20 views

CVE-2023-34104

fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denia...

CVSS 7.5, AI score 7.4, EPSS 0.00575
Exploits 0, References 3
Prion
added 2023/06/06 6:15 p.m., 27 views

Code injection

fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denia...

CVSS 5, AI score 7.3, EPSS 0.00575
Exploits 0, References 3, Affected Software 1
CVE
added 2023/06/06 5:35 p.m., 158 views

CVE-2023-34104

CVE-2023-34104 is a ReDoS vulnerability in the Natural Intelligence fast-xml-parser used by IBM Cloud Pak for Data (and related IBM products). The flaw arises from unescaped/unsanitized special characters in entity names that are used to build a regex for entity replacement in DOCTYPE parsing, enab...

CVSS 7.5, AI score 7.3, EPSS 0.00575
Exploits 0, References 3, Affected Software 1
Debian CVE
added 2023/06/06 5:35 p.m., 142 views

CVE-2023-34104

fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denia...

CVSS 7.5, AI score 7.3, EPSS 0.00575
Exploits 0
vulnersOsv
added 2023/06/06 5:33 p.m., 2 views

@aws-amplify/geo (>=2.0.13-push-notification-dryrun.43 <=2.0.35-unstable.15353e0.2), @aws-amplify/interactions (>=5.0.13-push-notification-dryrun.43 <=5.1.1-unstable.15353e0.2) +98 more potentially affected by CVE-2023-34104 via fast-xml-parser (>=4.1.3 <=4.2.3)

fast-xml-parser NPM version =4.1.3, =2.0.13-push-notification-dryrun.43, =5.0.13-push-notification-dryrun.43, =1.0.13-push-notification-dryrun.43, =5.0.13-push-notification-dryrun.43, =5.1.3-push-notification-dryrun.43, =1.1.6-exodus.1, =6.2.44, =9.1.0, =9.1.0, =9.53.0 and more Source cves:...

CVSS 7.5, AI score 7.1, EPSS 0.00575
Exploits 0
Github Security Blog
added 2023/06/06 5:33 p.m., 178 views

fast-xml-parser vulnerable to Regex Injection via Doctype Entities

Impact "fast-xml-parser" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an...

CVSS 7.5, AI score 7, EPSS 0.00575
Exploits 0, References 5, Affected Software 1