33123 matches found
Denial of Service (DoS) in Jackson Dataformat CBOR
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 2.8.0-rc1 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception...
Server-Side Forgery Request can be activated unmarshalling with XStream
Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15...
Memory leak in Tensorflow
Impact If a user passes a list of strings to dlpack.todlpack there is a memory leak following an expected validation failure: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.ccL100-L104 The allocated memory is from...
Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling
HTTP Response Smuggling vulnerability in Apache HTTP Server via modproxyuwsgi. This issue affects Apache HTTP Server from 2.4.30 through 2.4.55 and the uWSGI PyPI package prior to version 2.0.22. Special characters in the origin response header can truncate/split the response forwarded to the...
Directus vulnerable to Server-Side Request Forgery On File Import
Summary Directus versions =9.22.4 is vulnerable to Server-Side Request Forgery SSRF when importing a file from a remote web server POST to /files/import. An attacker can bypass the security controls that were implemented to patch vulnerability CVE-2022-23080 by performing a DNS rebinding attack a...
jackson-databind mishandles the interaction between serialization gadgets and typing
FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig aka ibatis-sqlmap...
Request smuggling leading to endpoint restriction bypass in Gunicorn
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...
XSS Vulnerability in Markdown Editor
Impact InvenTree uses EasyMDE for displaying markdown text in various places e.g. for the various "notes" fields associated with various models. By default, EasyMDE does not sanitize input data, and it is possible for malicious code to be injected into the markdown editor, and executed in the use...
Renderers can obtain access to random bluetooth device without permission in Electron
Impact This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device...
HTTP Response Splitting (Early Hints) in Puma
Impact If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting...
Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through...
Spring Framework vulnerable to denial of service
In Spring Framework versions prior to 5.2.24.release+ , 5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted Spring Expression Language SpEL expression that may cause a denial-of-service DoS condition...
Improper Handling of Missing Values in kaml
Impact Attackers that could provide arbitrary YAML input to an application that uses kaml could cause the application to endlessly loop while parsing the input. This could result in resource starvation and denial of service. This only affects applications that use polymorphic serialization with t...
DOMPurify allows tampering by prototype pollution
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid XSS attack. Fixed by...
Jenkins CSRF protection bypass vulnerability
Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs. In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided value...
XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights
Impact The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the...
Untrusted data can lead to DoS attack due to hash collisions and stack overflow in MessagePack
Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors: 1. hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized. 1. stack overflow -...
pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-43.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20240903.txt. If you are...
openssl npm package vulnerable to command execution
The openssl aka node-openssl NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field used for command execution. NOTE: This vulnerability only affects products that are no longer supported by t...
dio vulnerable to CRLF injection with HTTP method string
Impact The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669. Patches The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included sinc...
Exposure of Sensitive Information to an Unauthorized Actor in Apache Santuario
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any...
elFinder unsafe upload filtering leading to remote code execution
Impact Before elFinder 2.1.58, the upload filter did not disallow the upload of .phar files. As several Linux distributions are now shipping Apache configured in a way it will process these files as PHP scripts, attackers could gain arbitrary code execution on the server hosting the PHP connector...
Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validateipv4address, and validateipv46address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. validateipv4address and...
Deserialization of Untrusted Data in PyYAML
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and loadall functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342...
Possible request smuggling in HTTP/2 due missing validation
Impact If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the...
Withdrawn Advisory: Incorrect Authorization in cross-fetch
Withdrawn Advisory This advisory has been withdrawn because the vulnerability originates from a dependency. For more information, see the Maintainer comments in https://huntr.com/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac. Original Description When fetching a remote url with Cookie if it get...
Improper Restriction of XML External Entity Reference in Liquibase
The XMLChangeLogSAXParser function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference...
Embedded malware in ua-parser-js
The npm package ua-parser-js had three versions published with malicious code. Users of affected versions 0.7.29, 0.8.0, 1.0.0 should upgrade as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold. Any computer that has this package installe...
md2pdf allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename
converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename...
go.mongodb.org/mongo-driver improperly validates cstrings when marshalling Go objects into BSON
Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to and...
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Summary A Regular Expression Denial of Service ReDoS vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processin...
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Impact Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers. Patches This is patched in v5.28.3 and v6.6.1 Workarounds There are no known workarounds. References - https://fetch.spec.whatwg.org/authentication-entries -...
Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
When using the Vault and Vault Enterprise Vault approle auth method, any authenticated user with access to the /auth/approle/role/:rolename/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has...
Misinterpretation of malicious XML input
Impact xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Patches Update to one of the fixed versions of @xmldom/xmld...
Deserialization of Untrusted Data in Flask-Caching
Flask-Cache adds easy cache support to Flask. The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage e.g., filesystem, Memcached, Redis, etc., they...
.NET Core Information Disclosure
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0...
IPC messages delivered to the wrong frame in Electron
Impact IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue: - Uses...
Remote Code Execution (RCE) vulnerability in dropwizard-validation
Summary A server-side template injection was identified in the self-validating @SelfValidating feature of dropwizard-validation enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution RCE vulnerability. If you're using a self-validating bean via @SelfValidatin...
laravel framework SQL Injection via limit and offset functions
Impact Those using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability. Patches This problem has been patched on Laravel...
efs-utils and aws-efs-csi-driver have race condition during concurrent TLS mounts
Impact A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below, and aws-efs-csi-driver versions v1.4.7 and below. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior t...
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the proto key is passed to clone the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1...
Cross-site Scripting in org.owasp.esapi:esapi
Impact There is a potential for an XSS vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file that can cause URLs with the "javascript:" scheme to NOT be sanitized. See the reference below for full details. Patches Patched in...
Reflected Cross-Site Scripting in Apache CXF
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting XSS attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploit...
Cross-site scripting vulnerability in TinyMCE
Impact A cross-site scripting XSS vulnerability was discovered in: the core parser, paste and visualchars plugins. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are...
DNN (aka DotNetNuke) has Remote Code Execution via a cookie
DNN aka DotNetNuke before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 Critical Possible remote code execution on DNN sites."...
Yii 2 Redis may expose AUTH parameters in logs in case of connection failure
Impact On failing connection extension writes commands sequence to logs. AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs...
Grafana Forward OAuth Identity Token can allow users to access some data sources
When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have...
HTTP/2 Stream Cancellation Attack
HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RSTSTREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The clie...
HashiCorp Vault's revocation list not respected
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and...
Protobuf Java vulnerable to Uncontrolled Resource Consumption
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown...