33225 matches found
Header dropping in traefik
Impact There exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potentia...
Out-of-bounds write in ChakraCore
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828...
Out-of-bounds write in ChakraCore
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828,...
Improper Restriction of Excessive Authentication Attempts in Argo API
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. Specific Go Packages Affected...
Unencrypted storage of client side sessions
Impact The default configuration of client side sessions results in unencrypted, but signed, data being set as cookie values. This means that if something sensitive goes into the session, it could be read by something with access to the cookies. Note: the documentation does point this out and...
Open Redirect
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirectto parameter, related to the function isValidRedirect in routes/user/auth.go...
Improper Privilege Management in HashiCorp Nomad
HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3...
Elliptic Curve Key Disclosure in go-jose
go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making ...
Cross-site Scripting in Wildfly
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity...
XML Entity Expansion and Improper Input Validation in Kubernetes API server
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming...
Autobinding vulnerability in MITREid Connect
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment aka Autobinding vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in...
Uncontrolled Memory Allocation in Apache PDFBox
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions...
Cross-site Scripting in PrimeFaces
An XSS issue was discovered in tooltip/tooltip.js in PrimeTek PrimeFaces 7.0.11. In a web application using PrimeFaces, an attacker can provide JavaScript code in an input field whose data is later used as a tooltip title without any input validation...
"Deserialization errors in MyBatis"
MyBatis before 3.5.6 mishandles deserialization of object streams leading to potential cache poisoning...
Sydent vulnerable to denial of service attack via memory exhaustion
Impact Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to disk space exhaustion and denial of service. Sydent also does not limit response size for requests it makes to remote Matrix homeservers....
Improper Authentication in react-adal
This affects versions of react-adal 0.5.1. It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by h...
Indico Tampering with links (e.g. password reset) in sent emails
Impact An external audit of the Indico codebase has discovered a vulnerability in Indico's URL generation logic which could have allowed an attacker to make Indico send a password reset link with a valid token pointing to an attacker-controlled domain by sending that domain in the Host header. Ha...
Client TLS credentials sent raw to server in npm package nats
Nats is a Node.js client for the NATS messaging system. Problem Description Preview versions of two NPM packages and one Deno package from the NATS project contain an information disclosure flaw, leaking options to the NATS server; for one package, this includes TLS private credentials. The...
Prototype Pollution in highlight.js
Impact Affected versions of this package are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsin...
Authorization bypass in Spree
Impact The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree 3.7 are not affected. References Pull request with a fix and in-depth explanati...
API Admin Auth Weakness in tomato
Versions of tomato prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex that...
ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding in jsrsasign
Impact Jsrsasign supports ECDSA signature validation which signature value is represented by ASN.1 DER encoding. This vulnerablity may accept a wrong ASN.1 DER encoded ECDSA signature such as: - wrong multi-byte ASN.1 length of TLV ex. 0x820045 even though 0x45 is correct - prepending zeros with...
Information Exposure in Snyk Broker
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG...
Cross-Site Scripting in BookStack
Impact A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore ran on other user machine...
Improper Verification of Cryptographic Signature in PySAML2
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping XSW. The signature information and the node/object that is signed can be in different places and thus the signature...
Improper Input Validation in Apache Solr
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially...
Catastrophic backtracking in regex allows Denial of Service in Waitress
Impact When waitress receives a header that contains invalid characters it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This would allow an attacker to send a single request with an invalid...
Unsafe deserialization in SmtpTransport in CakePHP
An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction...
Installation information leak in Eclipse Jetty
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches...
XML External Entity Reference in mchange:c3p0
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization...
Tornado has an HTTP cookie parsing DoS vulnerability
The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See...
Apache MINA SSHD: integrity check bypass
Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with...
view_component Cross-site Scripting vulnerability
Impact What kind of vulnerability is it? Who is impacted? This is an XSS vulnerability that has the potential to impact anyone rendering a component directly from a controller with the viewcomponent gem. Note that only components that define a call method i.e. instead of using a sidecar template...
Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data
A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data...
TorchServe Server-Side Request Forgery vulnerability
Impact Remote Server-Side Request Forgery SSRF Issue: TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and...
Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf
Previously, Cipher.updateinto would accept Python objects which implement the buffer protocol, but provide only immutable buffers: pycon outbuf = b"\x00" 32 c = ciphers.CipherAESb"\x00" 32, modes.ECB.encryptor c.updateintob"\x00" 16, outbuf 16 outbuf...
Gitops Run insecure communication
Impact GitOps run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local s3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information...
SnakeYaml Constructor Deserialization Remote Code Execution
Summary SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any type be deserialized given the following line: new Yamlnew ConstructorTestDataClass.class.loadyamlContent; Types do not have to match the types of properties in the target class. A ConstructorException is throw...
Code injection in Apache NiFi and NiFi Registry
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the...
Jenkins Google Cloud Messaging Notification Plugin stores credentials in plain text
Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system...
SQL Injection in Django
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate, aggregate, and extra methods are subject to SQL injection in column aliases via a crafted dictionary with dictionary expansion as the passed kwargs...
Command injection in simple-git
simple-git maintained as git-js named repository on GitHub is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch...
Privilege Escalation in Docker
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors...
Apache CXF JMX Integration is vulnerable to a MITM attack
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the createMBServerConnectorFactory property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle MITM style attack. An attack...
Out-of-bounds write in ChakraCore
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829,...
Cross-Site Scripting
A reflected Cross-Site Scripting XSS flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The...
REXML round-trip instability
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing...
Allocation of Resources Without Limits or Throttling in Undertow
A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service...
Apache Airflow cross-site scripting due to incomplete fix for CVE-2020-13944
The origin parameter passed to some of the endpoints like /trigger was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.15. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely...
Directory Traversal in Django
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability...