33227 matches found
Remote code execution in Apache ActiveMQ
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack - A remote client could create a...
Cross-site Scripting in Keycloak
A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks...
Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle MITM attack...
SQL Injection in Apache Kylin
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue...
jsx-slack insufficient patch for CVE-2021-43838 ReDoS
We found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient to save from Regular Expression Denial of Service ReDoS attack. This vulnerability affects to jsx-slack v4.5.1 and earlier versions. Impact If attacker can put a lot of JSX elements into tag with including multibyte...
Incorrect validation of parties IDs leaks secret keys in Secret-sharing scheme
Summary In the threshold signature scheme, participants start by dividing secrets into shares using a secret sharing scheme. The Verifiable Secret Sharing scheme generates shares from the user’s IDs but does not properly validate them. Using a malicious ID will make other users reveal their secre...
Insecure permissions on user namespace / fakeroot temporary rootfs in Singularity
Impact Insecure permissions on temporary directories used in fakeroot or user namespace container execution. When a Singularity action command run, shell, exec is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to...
Excessive Platform Resource Consumption within a Loop in Kubernetes
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML...
Deserialization of Untrusted Data in logback
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers...
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC
Impact In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code responsible for the based namespace setup of containers. In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an...
OS Command Injection in ssh2
ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted...
Server-Side Request Forgery in UReport
UReport v2.2.9 contains a Server-Side Request Forgery SSRF in the designer page which allows attackers to detect intranet device ports...
Deserialization of Untrusted Data in ParlAI
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0...
Code injection in nbgitpuller
Impact Due to an unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. Patches 0.10.2 Workarounds None, other than upgrade to 0.10.2 or downgrade to 0.8.x. For more information If you have any questions or comments about this...
openssl-src NULL pointer Dereference in signature_algorithms processing
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signaturealgorithms extension where it was present in the initial ClientHello, but includes a signaturealgorithmscert extension then a NU...
XStream is vulnerable to an Arbitrary Code Execution attack
Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required...
Cross-site Scripting in curly-bracket-parser
This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input...
URL Redirection to Untrusted Site ('Open Redirect') in Products.isurlinportal
Impact Various parts of Plone use the 'is url in portal' check for security, mostly to see if it is safe to redirect to a url. A url like https://example.org is not in the portal. But the url https:example.org without slashes tricks our code and it is considered to be in the portal. When...
Observable Timing Discrepancy in aaugustin websockets library
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basicauthprotocolfactorycredentials=.... An attacker may be able to guess a password via a timing attack...
Cross-site scripting in Plone
Plone through 5.2.4 allows XSS via the inlinediff methods in Products.CMFDiffTool...
Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd/v2
Impact When using SSO with the Argo CD CLI, a malicious SSO provider could have sent specially crafted error message that would result in XSS on the client by means of executing arbitrary JavaScript code. We believe the exploitation of this vulnerability is only be possible when Argo CD is...
Null dereference in Grappler's `TrySimplify`
Impact The implementation of TrySimplify has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs. Patches We have patched the issue in GitHub commit e6340f0665d53716ef3197ada88936c2a5f7a2d3. The fix will be included in TensorFlow...
Division by zero in TFLite's implementation of Split
Impact The implementation of the Split TFLite operator is vulnerable to a division by zero error: cc TFLITEENSUREMSGcontext, inputsize % numsplits == 0, "Not an even split"; const int slicesize = inputsize / numsplits; An attacker can craft a model such that numsplits would be 0. Patches We have...
Allocation of Resources Without Limits or Throttling in Hashicorp Consul
HashiCorp Consul and Consul Enterprise include an HTTP API introduced in 1.2.0 and DNS introduced in 1.4.3 caching feature that was vulnerable to denial of service. Specific Go Packages Affected github.com/hashicorp/consul/agent/config Fix The vulnerability is fixed in versions 1.6.6 and 1.7.4...
Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c92w-72c5-9x59. This link is maintained to preserve external references. Original Description A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0...
Use of "infinity" as an input to datetime and date fields causes infinite loop in pydantic
Impact Passing either 'infinity', 'inf' or float'inf' or their negatives to datetime or date fields causes validation to run forever with 100% CPU usage on one CPU. Patches Pydantic is be patched with fixes available in the following versions: v1.8.2 v1.7.4 v1.6.2 All these versions are available...
Prototype Pollution in doc-path
This affects the package doc-path before 2.1.2...
Server-Side Request Forgery in phantomjs-seo
This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack...
Command injection in get-git-data
get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data...
Buffer overflow in canvas
A buffer overflow is present in canvas versions before 1.6.11, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image...
SQL Injection in odata4j
odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE, this product is apparently discontinued...
Prototype Pollution in nis-utils
All versions of package nis-utils up to and including 0.6.10 are vulnerable to Prototype Pollution via the setValue function...
LinkedIn Oncall vulnerable to Cross-Site Scripting
LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the "No results found for" message in the search bar...
Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 Vaadin 15.0.0 through 18.0.6, and com.vaadin:fusion-endpoint version 6.0.0 Vaadin 19.0.0 allows attacker to guess a security token for Fusion endpoints via timing attack....
OS Command Injection in curling
npm package curling before version 1.1.0 is vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization...
Out-of-bounds write
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1138, CVE-2019-1217, CVE-2019-1298, CVE-2019-1300...
SQL Injection in moodle
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10...
Privilege Context Switching Error in Elasticsearch
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documen...
Code injection in nobelprizeparser
Code injection through use of eval...
/user/sessions endpoint allows detecting valid accounts
This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the respons...
botframework-connector vulnerable to Improper Authentication
Impact A maliciously crafted claim may be incorrectly authenticated by the bot. Impacts bots that are not configured to be used as a Skill. This vulnerability requires an attacker to have internal knowledge of the bot. Patches The problem has been patched in all affected versions. Please see the...
Token verification bug in next-auth
Impact Implementations using the Prisma database adapter with the Email provider are impacted. Implementations using the Prisma database adapter that are not using the Email provider are not impacted. Implementations using the default database adapter TypeORM with the Email provider are not...
Command injection in samba-client
The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec...
Open redirect in Slashify
The package is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, bookings/latest/ to bookings/latest. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes or two backslashes, or a...
Command Injection Vulnerability in Mechanize
This security advisory has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp Katsuhiko YOSHIDA. Impact Mechanize = v2.0, v2.7.7 allows for OS commands to be injected using several classes' methods which implicitly use Ruby's...
Code Injection in mquery
lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property e.g., proto can be copied during a merge or clone operation...
Vulnerability in RPKI manifest validation
A vulnerability in RPKI manifest validation exists when objects on the manifest are hidden, or expired objects are replayed. An attacker successfully exploiting this vulnerability could prevent new ROAs from being received or selectively hide ROAs, causing routes to become INVALID. To exploit thi...
malicious SVG attachment causing stored XSS vulnerability
Impact An attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Patches Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 ha...
Out of bounds write in tensorflow-lite
Impact In TensorFlow Lite models using segment sum can trigger a write out bounds / segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor:...
Integer truncation in Shard API usage
Impact The Shard API in TensorFlow expects the last argument to be a function taking two int64 i.e., long long arguments: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/util/worksharder.hL59-L60 However, there are several places in TensorFlo...