Gitlab -- Multiple vulnerabilities
Gitlab reports: DAST analyzer sends custom request headers with every request Stored-XSS with CSP-bypass via scoped labels' color Maintainer can leak Datadog API key by changing integration URL Uncontrolled resource consumption when parsing URLs Issue HTTP requests when users view an OpenAPI...
OpenSSL -- Buffer overflows in Email verification
The OpenSSL project reports: X.509 Email Address 4-byte Buffer Overflow CVE-2022-3602 High: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. X.509 Email Address Variable Length Buffer Overflow CVE-2022-3786 High: A buffer overrun can b...
Tomcat -- Request Smuggling
Apache Tomcat reports: If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a...
chromium -- Type confusion in V8
Chrome Releases reports: This release contains 1 security fix: 1378239 High CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojtešek, Milánek, and Przemek Gmerek of Avast on 2022-10-25...
curl -- multiple vulnerabilities
Daniel Stenberg reports: CVE-2022-32221: POST following PUT confusion When doing HTTPS transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 14 security fixes, including: 1369871 High CVE-2022-3652: Type Confusion in V8. Reported by srodulv and ZNMchtss at S.S.L Team on 2022-09-30 1354271 High CVE-2022-3653: Heap buffer overflow in Vulkan. Reported by SeongHwan Park SeHwa on 2022-08-19...
Grafana -- Privilege escalation
Grafana Labs reports: Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non-existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to si...
gitea -- multiple issues
The Gitea team reports: Do not allow Ghost access to limited visible user/org Fix package access for admins and inactive users...
Grafana -- Username enumeration
Grafana Labs reports: When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. The CVSS score for this vulnerability is 5.3 Moderate...
phpmyfaq -- multiple vulnerabilities
phpmyfaq developers report: a pre-auth SQL injection when saving user comments; a reflected cross-site scripting vulnerability in the search; a stored cross-site scripting vulnerability in the meta data administration; a weak password requirement...
traefik -- Use of vulnerable Go module x/net/http2
The Go project reports: A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, whi...
go -- multiple vulnerabilities
The Go project reports: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example,...
nginx -- Two vulnerabilities
NGINX Development Team reports: Two security issues were identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash or worker process memory disclosure by using a specially crafted mp4 file, or might have potential other impact (CVE-2022-41741, CVE-2022-41742)...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 37 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
go -- syscall, os/exec: unsanitized NUL in environment variables
The Go project reports: syscall, os/exec: unsanitized NUL in environment variables On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different...
freerdp -- clients using `/parallel` command line switch might read uninitialized data
MITRE reports: FreeRDP based clients on unix systems using /parallel command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected...
freerdp -- clients using the `/video` command line switch might read uninitialized data
MITRE reports: All FreeRDP based clients when using the /video command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected...
OpenSSL -- Potential NULL encryption in NID_undef with Custom Cipher
The OpenSSL project reports: Using a Custom Cipher with NID_undef may lead to NULL encryption (Low)...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 6 security fixes: 1364604 High CVE-2022-3445: Use after free in Skia. Reported by Nan Wang (@eternalsakura13) and Yong Liu of 360 Vulnerability Research Institute on 2022-09-16 1368076 High CVE-2022-3446: Heap buffer overflow in WebSQL. Reported by...
roundcube-thunderbird_labels -- RCE with custom label titles
The Roundcube project reports: Description: Remote code execution vulnerability in roundcube-thunderbird_labels when tb_label_modify_labels is enabled. Workaround: If you cannot upgrade to roundcube-thunderbird_labels-1.4.13, disable the tb_label_modify_labels config option...
py-dparse -- ReDoS vulnerability
yeisonvargasf reports: dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contains a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. Users unable to...
routinator -- potential DOS attack
Due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may st...
go -- multiple vulnerabilities
The Go project reports: archive/tar: unbounded memory consumption when reading headers Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics...
strongswan -- DOS attack vulnerability
Lahav Schlesinger reported a bug related to online certificate revocation checking that can lead to a denial-of-service attack...
phpmyfaq -- CSRF vulnerability
phpmyfaq developers report: phpMyFAQ does not implement sufficient checks to avoid CSRF when logging out a user...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 3 security fixes, including: 1366813 High CVE-2022-3370: Use after free in Custom Elements. Reported by Aviv A. on 2022-09-22 1366399 High CVE-2022-3373: Out of bounds write in V8. Reported by Tibor Klajnscek on 2022-09-21...
Python -- multiple vulnerabilities
Python reports: gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner. gh-97612: Fix a shell code injection vulnerability in the...
mediawiki -- multiple vulnerabilities
Mediawiki reports: (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions. (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users. (T307278, CVE-2022-41766) SECURITY: On action=rollback the message...
Gitlab -- Multiple vulnerabilities
Gitlab reports: Denial of Service via cloning an issue Arbitrary PUT request as victim user through Sentry error list Content injection via External Status Checks Project maintainers can access Datadog API Key from logs Unsafe serialization of Json data could lead to sensitive data leakage Import...
Python -- multiple vulnerabilities
Python reports: gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler.log_message method to replace control characters with a \xHH hex esca...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 20 security fixes, including: 1358907 High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01 1343104 High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09 1319229...
gitea -- multiple issues
The Gitea team reports: Sanitize and Escape refs in git backend Bump golang.org/x/text Update bluemonday...
unbound -- Non-Responsive Delegation Attack
A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for...
py39-joblib -- arbitrary code execution
jimlinntu reports: The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in the Parallel class due to the eval statement...
Matrix clients -- several vulnerabilities
Matrix developers report: Two critical severity vulnerabilities in end-to-end encryption were found in the SDKs which power Element, Beeper, Cinny, SchildiChat, Circuli, Synod.im and any other clients based on matrix-js-sdk, matrix-ios-sdk or matrix-android-sdk2...
Django -- multiple vulnerabilities
Django reports: CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs...
redis -- Potential remote code execution vulnerability
The Redis core team reports: Executing a XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer...
jenkins -- XSS vulnerability
Jenkins Security Advisory: Description High SECURITY-2886 / CVE-2022-41224 Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable...
zeek -- potential DoS vulnerabilities
Tim Wojtulewicz of Corelight reports: Fix a possible overflow and crash in the ICMP analyzer when receiving a specially crafted packet. Fix a possible overflow and crash in the IRC analyzer when receiving a specially crafted packet. Fix a possible overflow and crash in the SMB analyzer when...
py-tensorflow -- unchecked argument causing crash
Jingyi Shi reports: The 'AvgPoolOp' function takes an argument ksize that must be positive but is not checked. A negative ksize can trigger a CHECK failure and crash the program...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 11 security fixes, including: 1358381 High CVE-2022-3195: Out of bounds write in Storage. Reported by Ziling Chen and Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute on 2022-08-31 1358090 High CVE-2022-3196: Use after free in PDF...
expat -- Heap use-after-free vulnerability
Debian Security Advisory reports: Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed...
dendrite -- Signature checks not applied to some retrieved missing events
Dendrite team reports: Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events...
Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Grafana Labs reports: On September 7th as a result of an internal security audit we have discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis the vulnerability impacts data source and plugin proxy endpoints under certain conditions. We believe...
security/keycloak -- Multiple possible DoS attacks
CIRCL reports: CVE-2022-41966: XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, only via manipulation of the processed input stream. CVE-2022-40151: I...
Grafana -- Improper authentication
Grafana Labs reports: On September 7, as a result of an internal security audit, we discovered a security vulnerability in Grafana’s basic authentication related to the usage of username and email address. In Grafana, a user’s username and email address are unique fields, which means no other user...
go -- multiple vulnerabilities
The Go project reports: net/http: handle server errors after sending GOAWAY A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service. net/url: JoinPath does...
chromium -- insufficient data validation in Mojo
Chrome Releases reports: This release contains 1 security fix: 1358134 High CVE-2022-3075: Insufficient data validation in Mojo. Reported by Anonymous on 2022-08-30 Google is aware that an exploit of CVE-2022-3075 exists in the wild...
Matrix clients -- several vulnerabilities
Matrix developers report: The vulnerabilities give an adversary who you share a room with the ability to carry out a denial-of-service attack against the affected clients, making it not show all of a user's rooms or spaces and/or causing minor temporary corruption...
Gitlab -- multiple vulnerabilities
Gitlab reports: Remote Command Execution via GitHub import Stored XSS via labels color Content injection via Incidents Timeline description Lack of length validation in Snippets leads to Denial of Service Group IP allow-list not fully respected by the Package Registry Abusing Gitaly.GetTreeEntrie...