Etcd embed auto compaction retention negative value causing a compaction loop or a crash

Data Validation...

Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only

Vulnerability type Logging Detail etcd users who have no password can authenticate only through a client certificate. When such users try to authenticate into etcd using the Authenticate endpoint, errors are logged with insufficient information regarding why the authentication failed, and may be...

Duplicate

This advisory duplicates another...

Etcd embed auto compaction retention negative value causing a compaction loop or a crash

Impact Data Validation Detail The parseCompactionRetention function in embed/etcd.go allows the retention variable value to be negative and causes the node to execute the history compaction in a loop, taking more CPU than usual and spamming logs. References Find out more on this vulnerability in...

Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only

Vulnerability type Logging Detail etcd users who have no password can authenticate only through a client certificate. When such users try to authenticate into etcd using the Authenticate endpoint, errors are logged with insufficient information regarding why the authentication failed, and may be...

Etcd Gateway TLS endpoint validation only confirms TCP reachability

Vulnerability type Cryptography Workarounds Refer to the gateway documentation. The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation. Detail Secure endpoint validation is performed by the etcd gateway start command when the --discovery-srv fla...

Etcd Gateway TLS endpoint validation only confirms TCP reachability

Vulnerability type Cryptography Workarounds Refer to the gateway documentation. The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation. Detail Secure endpoint validation is performed by the etcd gateway start command when the --discovery-srv fla...

Etcd pkg Insecure ciphers are allowed by default

Vulnerability type Cryptography Detail The TLS ciphers list supported by etcd contains insecure cipher suites. Users can configure the desired ciphers using the “--cipher-suites” flag, and a default list of secure cipher suites is used if empty. Workarounds By default, no action is required. If...

Missing Authentication for Critical Function

In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints...

Missing Release of Resource after Effective Lifetime

In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requestin...

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input e.g. by redirecting...

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the...

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to an authenticated arbitrary command execution via CRLF attack when changing the value of testconfigcmd or startcmd. This vulnerability exists due to an incomplete fix for CVE-2024-22197 and CVE-2024-22198. This...

Out-of-bounds Write

In GNOME GdkPixbuf aka gdk-pixbuf through 2.42.10, the ANI Windows animated cursor decoder encounters heap memory corruption in aniloadchunk in io-ani.c when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or...

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

chasquid before 1.13 allows SMTP smuggling because LF-terminated lines are accepted...

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI does not...

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Nginx-UI is an online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. This issue may lead to information disclosure. By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thu...

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Nginx-ui is online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. The Home Preference page exposes a small list of nginx settings such as Nginx Access Log Path and Nginx Error Log Path. However, the API also exposes testconfigcmd,...

Vapor contains an integer overflow in URI leading to potential host spoofing

Vapor's vaporurlparserparse function uses uint16t indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact applications relying on the URI type for validating user input. The URI ty...

Potential CSV export data leak

Impact In ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to be able to access potentially private data that belongs to another user. The bug affects the functionality to export data as CSV files, and was caused by a variable holding the...

hutool-core discovered to contain an infinite loop in the StrSplitter.splitByRegex function

hutool-core v5.8.23 was discovered to contain an infinite loop in the StrSplitter.splitByRegex function. This vulnerability allows attackers to cause a Denial of Service DoS via manipulation of the first two parameters...

hutool-core was discovered to contain a stack overflow via NumberUtil.toBigDecimal method

The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was discovered to contain a stack overflow...

Open redirect vulnerability in Flask-Security-Too

An open redirect vulnerability in the python package Flask-Security-Too =2.1.0 the autocorrectlocationheader configuration was changed to False - which means that location headers in redirects are relative by default. Thus, this issue may impact applications that were previously not impacted, if...

ActiveAdmin vulnerable to CSV injection

csvbuilder.rb in ActiveAdmin aka Active Admin before 3.2.0 allows CSV injection...

@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity

Impact @adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS. Patches The issue has been resolved in 4.3.2. Workarounds None References N/A...

NULL Pointer Dereference

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSONInsertItemInArray at cJSON.c...

NULL Pointer Dereference

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSONSetValuestring at cJSON.c...

pubnub Insufficient Entropy vulnerability

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0;...

pubnub Insufficient Entropy vulnerability

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0;...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ajax.NET Professional AjaxPro is an AJAX framework for Microsoft ASP.NET which will create proxy JavaScript classes that are used on client-side to invoke methods on the web server. Affected versions of this package is vulnerable cross site scripting attacks. Releases before version 21.12.22.1 ar...

Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data

A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data...

Incorrect Permission Assignment for Critical Resource

In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions...

Incorrect Authorization

Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication...

Exposure of Sensitive Information to an Unauthorized Actor

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss or another extension to a URL...

logback serialization vulnerability

A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html...

logback serialization vulnerability

A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html...

Out-of-bounds Write

Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpSCreen2RGB function in gif2rgb.c...

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Admidio v4.2.12 and below is vulnerable to Cross Site Scripting XSS...

@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS

Impact @adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS. Patches The issue has been resolved in 4.3.1. Workarounds None References N/A...

Missing Authorization

An attacker is able to read any file on the server hosting the H2O dashboard without any authentication...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

H2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack...

Improper Control of Generation of Code ('Code Injection')

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO model import feature...

S3 Bucket can lead to spread of malicious R package

H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL...

otelgrpc DoS vulnerability due to unbound cardinality metrics

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server's potential memory exhaustio...

SaToken authentication bypass vulnerability

An issue in Dromara SaToken version 1.3.50RC and before when using Spring dynamic controllers, a specially crafted request may cause an authentication bypass...

SaToken privilege escalation vulnerability

An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL...

Bunkum tokens cached in the AuthenticationService are susceptible to a use-after-free

Bunkum is an open-source protocol-agnostic request server for custom game servers. First, a little bit of background. So, in the beginning, Bunkum's AuthenticationService only supported injecting IUsers. However, as Refresh and SoundShapesServer implemented permissions systems support for injecti...

Allocation of Resources Without Limits or Throttling

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.useragent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

Allocation of Resources Without Limits or Throttling

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.useragent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...