33225 matches found
Malicious package may avoid detection in python auditing
Python Auditing Vulnerability Demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety. Tools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect. Usage Install safety,...
SMTP Injection in PHPMailer
Impact Attackers could inject arbitrary SMTP commands via by exploiting the fact that valid email addresses may contain line breaks, which are not handled correctly in some contexts. Patches Fixed in 5.2.14 in this commit. Workarounds Manually strip line breaks from email addresses before passing...
Deserialization of Untrusted Data in Apache Olingo
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case...
Unrestricted upload of file with dangerous type in Apache Solr
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLEREMOTEJMXOPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and...
Possible Information Leak / Session Hijack Vulnerability in Rack
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that...
Spring Security OAuth vulnerable to remote code execution (RCE) via specially crafted request using whitelabel views
When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the responsetype parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for responsetype...
Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
Summary There is a high severity vulnerability in Traefik's domain-fronting protection SNICheck that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host.example.com with stricter TLS options for...
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
Denial of Service via proto Key in mergeConfig Summary The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing proto as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse, causing...
Salt allows arbitrary directory creation or file deletion
Arbitrary directory creation or file deletion. In the findfile method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgtenv” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to...
JSONPath Plus Remote Code Execution (RCE) Vulnerability
Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution RCE due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. Note: There were several attempts to fix it in versions...
Undertow Denial of Service vulnerability
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource...
Certifi removes GLOBALTRUST root certificate
Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues...
ag-grid packages vulnerable to Prototype Pollution
ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service DoS via injecting arbitrary properties...
Elasticsearch vulnerable to stack overflow in the search API
A flaw was discovered in Elasticsearch affecting the search API that allowed a specially crafted query string to cause a stack overflow and ultimately a denial of service...
Spring-Kafka has Java Deserialization vulnerability When Improperly Configured
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers...
Arbitrary file read via SQL injection
Impact It is possible for a user having access to the SQL Manager Advanced Options - Database to arbitrary read any file on the Operating system when using SQL function LOADFILE in a SELECT request. So It can access to critical information. Patches The patch will be on PS 8.0.4 and PS 1.7.8.9...
JWT audience claim is not verified
Impact All versions of Argo CD starting with v1.8.2 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an aud audience claim in signed tokens. The value of that claim specifies the intended audiences of the token i.e. the servi...
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be...
.NET Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2022-41089: .NET Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1, .NET 6.0., and .NET 7.0. This advisory also provides guidance on what developers can ...
Improper handling of email input
Impact An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: [email protected], Before signing in, claim your money!. This was previously sent to...
pgjdbc Arbitrary File Write Vulnerability
Overview The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows...
Directory Traversal in Docker
Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a 1 "docker load" operation or 2 "registry communications."...
Expression Language Injection in Netflix Conductor
Netflix Conductor uses Java Bean Validation JSR 380 custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being...
Unbounded memory usage on exposed HTTP/2 (non-gRPC) endpoints
Impact The net/http Go package has a reported vulnerability tracked under CVE-2021-44716 which allows attacker controlled HTTP/2 requests to trigger unbounded memory usage in HTTP/2 endpoints. gRPC endpoints are not vulnerable as they rely on their own HTTP/2 implementation instead of the net/htt...
jquery.terminal self XSS on user input
Impact This is low impact and limited XSS, because code for XSS payload is always visible, but attacker can use other techniques to hide the code the victim sees. Also if the application use execHash option and execute code from URL the attacker can use this URL to execute his code. The scope is...
Improper Input Validation and Injection in Apache Log4j2
Apache Log4j2 versions 2.0-beta7 through 2.17.0 excluding security fix releases 2.3.2 and 2.12.4 are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JN...
Prototype Pollution in Proto
This affects all versions of package Proto. It is possible to inject pollute the object property of an application using Proto by leveraging the merge function...
Remote code execution in ChakraCore
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1172, CVE-2020-1180...
OS Command Injection in OpenTSDB
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. tsd/GraphHandler.java attempted to prevent comma...
Cross-site scripting in anchorme
All versions of package anchorme are vulnerable to Cross-site Scripting XSS via the main functionality...
Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin
When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. This affects all versions of package github.com/gin-gonic/gin under 1.7.7...
Duplicate Advisory: Path Traversal in Zope
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5pr9-v234-jw36. This link is maintained to preserve external references. Original Description Zope is an open-source web application server. This advisory extends the previous advisory at...
StaticFile.fromUrl can leak presence of a directory
Impact StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a directory, without first checking the...
Denial of service in Tendermint
Description Denial of Service 1 Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated due to duplicate IP or reaching a maximum...
Apache Livy Cross-site scripting (XSS) in session names
Livy server version 0.7.0-incubating only is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating...
Deserialization of Untrusted Data in Archive_Tar
ArchiveTar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. See: https://github.com/pear/ArchiveTar/issues/33...
Uncontrolled Resource Consumption in Apache Thrift
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service...
Buffer not correctly recycled in Gzip Request inflation
Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see...
Heap buffer overflow in CefSharp
Impact A memory corruption bugHeap overflow in the FreeType font rendering library. This can be exploited by attackers to execute arbitrary code by using specially crafted fonts with embedded PNG images . As per https://www.secpod.com/blog/chrome-zero-day-under-active-exploitation-patch-now/ Goog...
regular expression denial-of-service (ReDoS) in Bleach
Impact bleach.clean behavior parsing style attributes could result in a regular expression denial of service ReDoS. Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean..., attributes='a': 'style'. Patches 3.1.4 Workarounds d...
Users able to query database metadata in Apache Superset
In Apache Incubator Superset before 0.31 user could query database metadata information from a database he has no access to, by using a specially crafted complex query...
XSS in dojox due to insufficient escape in dojox.xmpp.util.xmlEncode
Impact What kind of vulnerability is it? Who is impacted? Potential XSS vulnerability for users of dojox/xmpp and dojox/dtl. Patches Has the problem been patched? What versions should users upgrade to? Yes, patches are available for the 1.11 through 1.16 versions. Users should upgrade to one of...
Improper input validation in Apache Olingo
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack...
CSRF attack via CORS preflight requests with Spring MVC or Spring WebFlux
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC spring-webmvc module or Spring WebFlux spring-webflux module endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not inclu...
Improper Input Validation in Automattic Mongoose
Automattic Mongoose through 5.7.4 allows attackers to bypass access control in some applications because any query object with a bsontype attribute is ignored. For example, adding "bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around...
Apache Tomcat OS Command Injection vulnerability
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by...
chromedriver Downloads Resources over HTTP
Affected versions of chromedriver insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. This may result in arbitrary code execution if an attacker intercepts and modifies the downloaded binary fil...
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
Summary The tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences e.g., ../ or path separators in these parameters, attackers can cause file...
Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java BC Java before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of th...
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
Summary An attacker can send a specially crafted POST multipart/form-data request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. Impact An attacker can stop the application from serving requests after sending a single...