33190 matches found
CRLF Injection in RestSharp's `RestRequest.AddHeader` method
Summary The second argument to RestRequest.AddHeader the header value is vulnerable to CRLF injection. The same applies to RestRequest.AddOrUpdateHeader and RestClient.AddDefaultHeader. Details The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method: This...
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go
Impact This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information. Patches The issue first appeared in 1.64.0 and is patched in 1.64.1 and...
ClassGraph XML External Entity Reference
ClassGraph before 4.8.112 was not resistant to XML eXternal Entity XXE attacks...
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
Summary An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. Details The OpenTelemetry Collector handles compressed HTTP requests by recognizing the Content-Encoding header, rewriting the HTTP request body, and allowing...
Grafana Email addresses and usernames can not be trusted
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate severity security fixes for CVE-2022-39306. We are also releasing security patches for Grafana 8.5.15 to fix these issues. Release 9.2.4, latest patch, also containing security fix: - Download...
Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also...
Litestar and Starlite vulnerable to Path Traversal
Summary Local File Inclusion via Path Traversal in LiteStar Static File Serving A Local File Inclusion LFI vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to...
Uptime Kuma's authenticated path traversal via plugin repository name may lead to unavailability or data loss
Summary A path traversal vulnerability via the plugin repository name allows an authenticated attacker to delete files on the server leading to unavailability and potentially data loss. Details Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This featur...
vyper performs multiple eval of `sqrt()` argument built in
Summary Using the sqrt builtin can result in multiple eval evaluation of side effects when the argument has side-effects. The bug is more difficult but not impossible! to trigger as of 0.3.4, when the unique symbol fence was introduced https://github.com/vyperlang/vyper/pull/2914. A contract sear...
Arbitrary Code Execution in Gitea
The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution...
Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations
aimhubio/aim is vulnerable to Cross-Site Request Forgery CSRF, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboar...
[TagAwareCipher] - Decryption Failure (Regex Match)
Impact Vulnerability in SecureProps involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with NullEncoder and passed to TagAwareCipher, and contains special characters such as \n. As a result, the decryption process is...
Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)
Impact An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size whichever is larger. Thanks to Enze...
pgx SQL Injection via Protocol Message Size Overflow
Impact SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. Patches The problem is resolved in v4.18....
jose4j denial of service via specifically crafted JWE
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service CPU consumption via a large p2c aka PBES2 Count value...
Connection leaking on idle timeout when TCP congested
Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. When another idle timeout period elapses, it is then supposed ...
Rack CORS Middleware has Insecure File Permissions
rack-cors aka Rack CORS Middleware 2.0.1 has 0666 permissions for the .rb files...
Path traversal vulnerability in Jenkins Matrix Project Plugin
Jenkins Matrix Project Plugin 822.v01b8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects submitted through the config.xml REST API endpoint. This allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins...
PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack...
Pedroetb TTS-API OS Command Injection
A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. This vulnerability affects the function onSpeechDone of the file app.js. The manipulation leads to os command injection. Upgrading to version 2.2.0 is able to address this issue. The patch is identified as...
Zip slip in mleap
FileUtil.extract enumerates all zip file entries and extracts each file without validating whether file paths in the archive are outside the intended directory. When creating an instance of TensorflowModel using the savedmodel format and an exported tensorflow model, the apply function invokes th...
Kubernetes csi-proxy vulnerable to privilege escalation due to improper input validation
Kubernetes is vulnerable to privilege escalation when a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy...
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics
Summary This handler wrapper https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.goL63-L65 out of the box adds labels - http.useragent - http.method that have unbound cardinality. It leads to the server...
Grafana privilege escalation vulnerability
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and...
kube-apiserver authentication bypass vulnerability
An authentication bypass vulnerability was discovered in kube-apiserver. This issue could allow a remote, authenticated attacker who has been given permissions "update, patch" the "pods/ephemeralcontainers" subresource beyond what the default is. They would then need to create a new pod or patch...
sudo-rs Session File Relative Path Traversal vulnerability
Background Sudo-rs allows users to not have to enter authentication at every sudo attempt, but instead only requiring authentication every once in a while in every terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate themselves. Supporting...
Apache Superset Deserialization of Untrusted Data vulnerability
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by t...
Apache Airflow denial of service vulnerability
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests,...
snappy-java's Integer Overflow vulnerability in shuffle leads to DoS
Summary Due to unchecked multiplications, an integer overflow may occur, causing a fatal error. Impact Denial of Service Description The function shuffleint inputhttps://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.javaL107...
rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
NOTE: rails-ujs is part of Rails/actionview since 5.1.0. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML...
Synapse has improper checks for deactivated users during login
Impact It may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: JSON Web Tokens are enabled for login via the jwtconfig.enabled configuration setting The local password database is enabled via the...
avo vulnerable to Stored XSS (Cross Site Scripting) in html content based fields
Summary Some avo fields are vulnerable to XSS when rendering html based content. Details During the analysis of the web application, a rendered field was discovered that did not filter JS / HTML tags in a safe way and can be abused to execute js code on a client side. The trix field uses the trix...
vm2 Sandbox Escape vulnerability
There exists a vulnerability in source code transformer exception sanitization logic of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. Impact A threat...
Nginx alias path traversal allows unauthenticated attackers to read all files on /label_studio/core/
Summary The vulnerability resides on the Nginx config file: https://github.com/heartexlabs/label-studio/blob/53944e6bcede75ca5c102d655013f2e5238e85e6/deploy/default.confL119 The pattern on location /static indicates a popular misconfiguration on Nginx servers presented in 2018 originally by Orang...
crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possib...
Jettison vulnerable to infinite recursion
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown...
Moodle vulnerable to Server-Side Request Forgery
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk...
Opencontainers runc Incorrect Authorization vulnerability
runc 1.0.0-rc95 through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfslinux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue...
teler-waf subject to Bypass of Common Web Attack Threat Rule with HTML Entities Payload
Description teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. Versions prior to v0.1.1 are vulnerable to bypassing common web attack rules when a specific HTML entities payload is used. This vulnerability allows an attacker to execute...
Undertow client not checking server identity presented by server certificate in https connections
The undertow client is not checking the server identity presented by the server certificate in https connections. This should be performed by default in https and in http/2...
High resource usage when parsing multipart form data with many fields
Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form,...
CakePHP Database\\Query::offset() and limit() methods are vulnerable to SQL injection
Impact The Cake\Database\Query::limit and Cake\Database\Query::offset methods are vulnerable to SQL injection if passed un-sanitized user request data. Patches This issue has been fixed in 4.2.12, 4.3.11, 4.4.10 Workarounds Using CakePHP's Pagination library will mitigate this issue, as will...
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys
Summary The jwt authentication function of kubepi = v1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Details session.go, the use of...
Apache Kylin vulnerable to Command injection by Useless configuration
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf...
liquidjs may leak properties of a prototype
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround For versions 9.34.0 and higher, an option to disable this functionality is provided...
Passeo uses insecure random number generator
Impact Everyone below v1.0.5 is impacted by this flaw, of confidentiality being at risk due to the passwords being easily able to be guessed with Passeo's use of the random library. It is recommended to change any passwords made with Passeo before v1.0.5 and upgrade to v1.0.5, and v1.0.5 patches...
Silverstipe CMS Stored XSS in custom meta tags
A malicious content author could create a custom meta tag and execute an arbitrary JavaScript payload. This would require convincing a legitimate user to access a page and enter a custom keyboard shortcut. This requires CMS access to exploit...
Missing Authorization to enable or disable users in org.xwiki.platform:xwiki-platform-user-profile-ui
Impact Any user logged in or not with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. Patches The problem has been patched in XWiki 13.10.7, 14.5R...
Arbitrary file read vulnerability in Jenkins Pipeline Utility Steps Plugin
Pipeline Utility Steps Plugin implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this...
Istio may allow identity impersonation if user has localhost access
Impact User can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Patches 1.15.3 Workarounds No. If using 1.15.2 please upgrade to 1.15.3 or later. References None at this time. For more information If you have any questions or...