33225 matches found
FPE in LSH in TFLite
Impact An attacker can craft a TFLite model that would trigger a division by zero error in LSH implementation. cc int RunningSignBitconst TfLiteTensor input, const TfLiteTensor weight, float seed int inputitembytes = input-bytes / SizeOfDimensioninput, 0; // ... There is no check that the first...
Cross-site scripting in Dutchcoders transfer.sh
Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view...
Automatic room upgrade handling can be used maliciously to bridge a room non-consentually
Impact If a bridge has room upgrade handling turned on in the configuration the roomUpgradeOpts key when instantiating a new Bridge instance., any m.room.tombstone event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room m.room.create...
Expression Language Injection in Apache Syncope
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution RCE vulnerability. Apache Syncope uses Java Bean Validation JSR 380 custom constraint validators. When...
Cross-site scripting in Jenkins Kiuwan Plugin
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting XSS vulnerability. Only older releases of Jenkins are affected by this vulnerability. Jenkins 2.275 and newer, LTS 2.263.2 and...
Insufficiently random values in Ansible
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords a...
SQL Injection in tribalsystems/zenario
SQL Injection in the "adminboxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to obtain sesnitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML component...
Cross-site Scripting (XSS) in baserCMS
Improper neutralization of JavaScript input in the page editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors...
Legacy Node API Allows Impersonation in github.com/spiffe/spire/pkg/server/endpoints/node
Summary In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API github.com/spiffe/spire/pkg/server/endpoints/node can result in the possible issuance of an X.509 certificate with a URI...
Division by zero in TFLite's implementation of hashtable lookup
Impact The TFLite implementation of hashtable lookup is vulnerable to a division by zero error: cc const int numrows = SizeOfDimensionvalue, 0; const int rowbytes = value-bytes / numrows; An attacker can craft a model such that values's first dimension would be 0. Patches We have patched the issu...
Integer overflow in TFLite concatentation
Impact The TFLite implementation of concatenation is vulnerable to an integer overflow issue: cc for int d = 0; d dims-size; ++d if d == axis sumaxis += t-dims-dataaxis; else TFLITEENSUREEQcontext, t-dims-datad, t0-dims-datad; An attacker can craft a model such that the dimensions of one of the...
Division by zero in TFLite's implementation of `OneHot`
Impact The implementation of the OneHot TFLite operator is vulnerable to a division by zero error: cc int prefixdimsize = 1; for int i = 0; i dims-datai; const int suffixdimsize = NumElementsopcontext.indices / prefixdimsize; An attacker can craft a model such that at least one of the dimensions ...
CHECK-fail due to integer overflow
Impact An attacker can trigger a denial of service via a CHECK-fail in caused by an integer overflow in constructing a new tensor shape: python import tensorflow as tf inputlayer = 260-1 sparsedata = tf.rawops.SparseSplit splitdim=1, indices=0, 0, 0, 1, 0, 2, 4, 3, 5, 0, 5, 1, values=1.0, 1.0, 1....
Heap buffer overflow in `MaxPoolGrad`
Impact The implementation of tf.rawops.MaxPoolGrad is vulnerable to a heap buffer overflow: python import tensorflow as tf originput = tf.constant0.0, shape=1, 1, 1, 1, dtype=tf.float32 origoutput = tf.constant0.0, shape=1, 1, 1, 1, dtype=tf.float32 grad = tf.constant, shape=0, 0, 0, 0,...
github.com/tidwall/gjson is vulnerable to Denial of service
GJSON 1.6.5 allows attackers to cause a denial of service remote via crafted JSON...
SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform...
Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet
Impact A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. Patches Version 0.31.0 restricts websocket frame to reasonable limits. Workarounds Restricting memory usa...
Prototype Pollution in deeps
All versions of package deeps up to and including version 1.4.5 are vulnerable to Prototype Pollution via the set function...
Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
Impact An editor with write access to the Kirby Panel can upload an SVG or XML file that contains harmful content like tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script wi...
Open Redirect in autobahn
Autobahn|Python before 20.12.3 allows redirect header injection...
VVE-2021-0001: Memory corruption using function calls within arrays
Impact When performing a function call inside an array, there is a memory corruption issue that occurs because of an incorrect pointer to the the tip of the stack. Patches This issue was partially fixed in VVE-2020-0004, however the fix did not update similar code for arrays, which had a similar...
Arbitrary code execution in kill-by-port
This affects the package kill-by-port before 0.0.2. If attacker-controlled user input is given to the killByPort function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
Path Traversal in node-red-contrib-huemagic
node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file...
Prototype Pollution in iniparserjs
This affects all versions of package iniparserjs. This vulnerability relates when iniparser.js is concentrating arrays. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program...
Command Injection in async-git
The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters back-ticks. For example: git.reset'atouch HACKEDb'...
Out-of-bounds write
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916...
Out-of-bounds write
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1307, CVE-2019-1308, CVE-2019-1335...
Insecure temporary file in Netflix OSS Hollow
ID: NFLX-2021-001 Title: Local information disclosure in Hollow Release Date: 2021-03-23 Credit: Security Researcher @JLLeitschuh Overview Security researcher @JLLeitschuh reported that Netflix Hollow a Netflix OSS project available here: https://github.com/Netflix/hollow writes to a local...
XStream is vulnerable to an Arbitrary Code Execution attack
Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required...
PHP Code Injection by malicious function name in smarty
Template authors could inject php code by choosing a malicous function name. Sites that cannot fully trust template authors should update as soon as possible. Please upgrade to 3.1.39 or higher...
Environment Variable Injection in GitHub Actions
Impact The @actions/core npm module addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modifie...
Segfault in Tensorflow
Impact In eager mode, TensorFlow does not set the session state. Hence, calling tf.rawops.GetSessionHandle or tf.rawops.GetSessionHandleV2 results in a null pointer dereference:...
Heap buffer overflow in Tensorflow
Impact The implementation of SparseFillEmptyRowsGrad uses a double indexing pattern: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/sparsefillemptyrowsop.ccL263-L269 It is possible for reverseindexmapi to be an index outside of bound...
Memory corruption in Tensorflow
Impact The implementation of dlpack.todlpack can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor:...
Denial of Service in Tensorflow
Impact The RaggedCountSparseOutput does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the splits tensor has the minimum required number of elements. Code uses this quantity to initialize a different data structure:...
Cross-Site Scripting in swagger-ui
Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting XSS. The package fails to encode output in GET requests. The request is meant to respond with Content-Type application/json which does not trigger the vulnerability but if the web server changes the header to text/html i...
Regular Expression Denial of Service in markdown
All versions of markdown are vulnerable to Regular Expression Denial of Service ReDoS. The markdown.toHTML function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input. Recommendation No fix i...
Path Traversal in decompress
Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing../. Recommendation Upgrade to version 4.2.1 or later...
False-positive validity for NFT1 genesis transactions
Impact In the npm package named "slp-validate", versions prior to 1.2.2 are vulnerable to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any o...
Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS
Meta CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C 7.5 CWE-20, CWE-200 Problem In case an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case the internal encryptionKey was...
Out-of-bounds reads in Pillow
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c...
Out-of-bounds reads in Pillow
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file...
Multiple stored XSS in RBAC Admin screens in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks...
XXE attack in Mapfish Print
Impact A user can do to an XML External Entity XXE attack with the provided SDL style. Patches Use version = 3.24 Workarounds No References https://cwe.mitre.org/data/definitions/611.html https://github.com/mapfish/mapfish-print/pull/1397/commits/e1d0527d13db06b2b62ca7d6afb9e97dacd67a0e For more...
Exposure of Sensitive Information to an Unauthorized Actor and SQL Injection in Spring Data JPA
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ?startingWith?, ?endingWith? or ?containing? could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE...
Improper Input Validation python-gnupg
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting...
org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service vulnerable to Improper Certificate Validation
Apache Hive JDBC + HiveServer2 implements SSL for plain TCP and HTTP connections it supports both transport modes. While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name...
Critical severity vulnerability that affects Haraka
Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection...
Improper Authentication in Keycloak
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack...
Buffer Overflow in pycrypto
Heap-based buffer overflow in the ALGnew function in blocktemplace.c in Python Cryptography Toolkit aka pycrypto allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py...