GHSA-Q8R6-XJ3F-WRRM SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`
Summary SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login. If a saved SP state contains ExpectedIssuer = IdP A, but the ACS receives a valid response from IdP B, the code logs a warning and continues processing instead of rejecting the response. That...
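The check the SimpleSAMLphp entry above says is missing, as an added example that is not SimpleSAMLphp's code: an ACS handler that binds an incoming Response to the state saved when the AuthnRequest was sent, rejecting (not merely logging) a response whose issuer is not the IdP the user was sent to, and taking InResponseTo only from the assertion (the signed element in the scenario described), never from the unsigned Response attribute. Signature verification is assumed to have happened already and is out of scope; the IdP entity IDs, request ID and XML samples are constructed.

```python
"""Added example (not SimpleSAMLphp code): bind a SAML Response to saved SP state."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class SamlBindingError(Exception):
    pass


def check_response_binding(xml_text: str, state: Dict[str, str]) -> Dict[str, str]:
    """state = {"ExpectedIssuer": IdP chosen at login, "RequestId": AuthnRequest ID}.
    Raises instead of logging when the response is not the one we asked for."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlBindingError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlBindingError("no plain saml:Assertion")

    # 1. The issuer must be the IdP the user was sent to, on both levels.
    for where, elem in (("Response", root), ("Assertion", assertion)):
        issuer = (elem.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
        if issuer != state["ExpectedIssuer"]:
            raise SamlBindingError(f"{where} issuer {issuer!r} is not the expected IdP")

    # 2. InResponseTo is read from the (signed) assertion only. The Response-level
    #    attribute is unsigned in the scenario above and cannot substitute for it.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    if in_response_to is None:
        raise SamlBindingError("assertion carries no SubjectConfirmationData/InResponseTo")
    if in_response_to != state["RequestId"]:
        raise SamlBindingError("InResponseTo does not match our AuthnRequest")
    return {"issuer": state["ExpectedIssuer"], "in_response_to": in_response_to}


def accepts(xml_text: str, state: Dict[str, str]) -> bool:
    try:
        check_response_binding(xml_text, state)
        return True
    except SamlBindingError:
        return False


def build_response(idp: str, assertion_irt: Optional[str], response_irt: str = "_req1") -> str:
    """Constructed sample: Response-level InResponseTo always present (unsigned),
    assertion-level one optional."""
    scd_attr = f' InResponseTo="{assertion_irt}"' if assertion_irt else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" InResponseTo="{response_irt}">
  <saml:Issuer>{idp}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{idp}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{scd_attr} Recipient="https://sp.example/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


IDP_A = "https://idp-a.example/saml"   # assumed entity IDs
IDP_B = "https://idp-b.example/saml"
STATE = {"ExpectedIssuer": IDP_A, "RequestId": "_req1"}
GOOD = build_response(IDP_A, "_req1")
CROSS_IDP = build_response(IDP_B, None)   # the advisory's shape: IdP B, no assertion InResponseTo
```

The point of ordering the checks this way is that the issuer comparison happens before any attribute of the response is trusted, so a valid assertion from a different federation member can never satisfy a login that was started towards another IdP.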
GHSA-MM6C-5J6X-HQ8M Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename
Summary Algernon selects its file handler from filepath.Ext (engine/handlers.go:134), which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua followed by a trailing space as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives it...
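The name equivalence behind the Algernon entry, as an added example that is not Algernon's code (Algernon is written in Go; this illustration is in Python and the set of script extensions is an assumption). On NTFS, `x.lua::$DATA` names the default data stream of x.lua, and Win32 path normalisation strips trailing dots and spaces, so `x.lua.` and `x.lua ` open x.lua too. A last-dot extension split on the raw request name misses all three; computing the name the filesystem will actually open first does not.

```python
"""Added example (not Algernon's code): extension check aware of NTFS/Win32 name equivalence."""
import os
from typing import Iterable

SCRIPT_EXTENSIONS = (".lua",)   # assumed set of server-side script extensions


def naive_ext(name: str) -> str:
    """Extension as a plain last-dot split (filepath.Ext style) reports it."""
    return os.path.splitext(name)[1]


def effective_name(name: str) -> str:
    """The file name NTFS will actually open for `name`.

    1. take the last path component (both separators are valid on Windows);
    2. drop any stream reference, i.e. everything from the first colon onward
       (`x.lua::$DATA`, `x.lua:foo`); a bare basename cannot carry a drive letter;
    3. strip trailing dots and spaces, which Win32 removes before the lookup.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if ":" in base:
        base = base.split(":", 1)[0]
    return base.rstrip(". ")


def effective_ext(name: str) -> str:
    return os.path.splitext(effective_name(name))[1].lower()


def is_server_side_script(name: str, exts: Iterable[str] = SCRIPT_EXTENSIONS) -> bool:
    """Route on the effective extension, never on the raw request name."""
    return effective_ext(name) in set(exts)
```

Two caveats: the safest fix is to reject request names containing a colon or ending in a dot or space outright rather than to canonicalise them, and 8.3 short names are a further NTFS equivalence this example does not model.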
GHSA-5PMV-RX8R-WMV5 jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow
Summary On 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in a length calculation. Details & PoC The test listed below fails under miri with the command cargo +nightly miri test --release -p jxl-grid. Alternatively, use AddressSanitizer, which ignores...
GHSA-66M8-C62J-H6V5 jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow
Summary jxl-oxide exposes a public safe API that can construct an undersized FrameBuffer due to unchecked usize multiplication, which immediately triggers a panic while initializing the buffer on the normal decoding path. Additionally, calling the safe grouped buffer accessors afterward can create inval...
GHSA-2V8P-FQPX-2Q3W jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS)
Summary A logic bug in decode_simple_table_slow may cause integer arithmetic overflow when decoding a Modular image with a certain kind of MA tree, which panics with overflow-checks enabled. Impact Denial of service: any application passing untrusted JXL data to JxlImage::render_frame or equivalent can ...
GHSA-J5MC-P8QG-39J7 Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation
Summary Kimai 2.56.0 contains an authenticated improper authorization (IDOR) vulnerability in the favorite timesheet add and remove endpoints. A low-privileged user who knows another user's timesheet.id can add that record to, or remove it from, the victim's favorite/recent bookmark list. This...
GHSA-794G-X443-36F7 Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
Keycloak's SAML broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response, injecting an encrypted assertion for an arbitrary principal, leading...
GHSA-RXW2-PC8J-VXWM fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection
Summary fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking whether the session file exists. A remote HTTP clie...
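The bug class in the fast-mcp-telegram entry, as an added example that is not the project's code: the weak mapping compares the raw token against the reserved name and then joins it into a path, so `x/../telegram` passes the comparison yet resolves to the reserved file. The hardened version allow-lists the token syntax and re-checks both containment and the reserved name after normalisation. The session directory, the `.session` suffix and the reserved name are assumptions for illustration.

```python
"""Added example (not fast-mcp-telegram's code): bearer token to session-file mapping."""
import os
import re
from pathlib import Path
from typing import Optional

SESSION_DIR = Path("/var/lib/app/sessions")       # assumed
RESERVED = "telegram"                             # assumed reserved session name
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")    # allow-list: no separators, no dots


def session_path_weak(token: str) -> Optional[Path]:
    """The bug class: exact-match the reserved name, then join the raw token."""
    if token == RESERVED:
        return None
    return SESSION_DIR / f"{token}.session"


def session_path_hardened(token: str) -> Optional[Path]:
    """Allow-list the token syntax, then verify containment and the reserved
    name again on the normalised path (defence in depth behind the regex)."""
    if not TOKEN_RE.fullmatch(token):
        return None
    normalized = Path(os.path.normpath(SESSION_DIR / f"{token}.session"))
    if normalized.parent != SESSION_DIR:      # escaped the session directory
        return None
    if normalized.stem == RESERVED:           # reserved file reached by another spelling
        return None
    return normalized


def weak_check_reaches_reserved(token: str) -> bool:
    """Does the weak mapping, once the OS normalises the path, open the reserved file?"""
    p = session_path_weak(token)
    return p is not None and os.path.normpath(p) == str(SESSION_DIR / f"{RESERVED}.session")
```

Percent-decoding of the Authorization header is the HTTP layer's job; the check above assumes it receives the decoded token, which is why the allow-list regex rather than a blacklist of `/` and `..` is the primary control.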
MINI-HQH7-Q6HC-RP46
Bulletin has no description...
MINI-Q7WG-27CH-W786
Bulletin has no description...
MINI-F94X-5383-C856
Bulletin has no description...
MINI-99WP-J478-R9G4
Bulletin has no description...
MINI-7X74-GWH8-HMG7
Bulletin has no description...
MINI-H95R-RVFP-38C6
Bulletin has no description...
MINI-HXHC-VXW4-538V
Bulletin has no description...
MINI-P3MP-J65G-J3H9
Bulletin has no description...
MINI-X587-R445-PFJP
Bulletin has no description...
MINI-J8GV-2588-3FP6
Bulletin has no description...
MINI-CRR3-CCW6-5GX2
Bulletin has no description...
MINI-FQXC-RVM9-Q4G6
Bulletin has no description...
MINI-HXR8-88WW-XJJ2
Bulletin has no description...
GHSA-4J9M-H44M-2HV8 Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding
Summary Configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the OAEP setting selects PKCS#1 v1.5 padding, which is the same algorithm as the DEFAULT setting. Impact Operators who configure encrypt:rsa:algorithm=OAEP to obtain...
GHSA-RXRH-4J9H-XGG9 Steeltoe: TLS private keys written to /tmp with default permissions, never deleted
Summary When MySQL or PostgreSQL service bindings from VCAP_SERVICES include TLS client credentials, the Connectors library writes those credentials to temporary files in Path.GetTempPath() using File.CreateText(). On Linux, File.CreateText creates files with mode 0644 (world-readable) under the process...
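The two properties the Steeltoe temp-file entry says are missing (a restrictive mode and deletion), as an added example that is not Steeltoe's code (Steeltoe is .NET; this illustration is in Python). The weak writer reproduces the pattern described, a file created with the default mode and left behind; the hardened one creates the file with mode 0600 independent of umask and removes it when the block exits. The key contents are constructed placeholders.

```python
"""Added example (not Steeltoe's code): temp files holding credential material."""
import os
import stat
import tempfile
from contextlib import contextmanager
from typing import Iterator, Tuple


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def is_owner_only(path: str) -> bool:
    """True when group and others have no bits at all."""
    return file_mode(path) & 0o077 == 0


def write_temp_weak(data: bytes) -> str:
    """The advisory's pattern: default mode (0666 & ~umask, typically 0644), never deleted."""
    path = os.path.join(tempfile.gettempdir(),
                        f"client-key-{os.getpid()}-{os.urandom(4).hex()}.pem")
    with open(path, "wb") as f:
        f.write(data)
    return path


@contextmanager
def temp_secret_file(data: bytes) -> Iterator[str]:
    """mkstemp opens with O_CREAT|O_EXCL and mode 0600 regardless of umask;
    the file is unlinked when the with-block exits, even on error."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        try:
            os.write(fd, data)
        finally:
            os.close(fd)
        yield path
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def demo_modes() -> Tuple[int, int, bool]:
    """Returns (weak mode, hardened mode, hardened file still exists) under umask 022."""
    old = os.umask(0o022)
    try:
        weak = write_temp_weak(b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        try:
            weak_mode = file_mode(weak)
        finally:
            os.unlink(weak)
        with temp_secret_file(b"constructed key bytes") as p:
            hard_mode = file_mode(p)
            kept = p
        return weak_mode, hard_mode, os.path.exists(kept)
    finally:
        os.umask(old)
```

`is_owner_only` doubles as the audit check: run it over the process's temp directory after start-up to confirm nothing credential-shaped is sitting there at 0644.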
GHSA-7FQC-P256-7PWJ Steeltoe's static JWKS cache shared across schemes and never invalidated
Summary The JWT signing key cache in TokenKeyResolver uses kid as the sole cache key without namespacing by authority. In applications with multiple JwtBearer schemes pointing to different identity providers, a key fetched for one scheme can satisfy token validation for another. Additionally,...
GHSA-227R-JM2G-7CP4 Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission
Summary All Steeltoe actuator endpoints default to EndpointPermissions.Restricted, which is mapped to Cloud Foundry's read_basic_data permission granted to Space Auditors and similar low-trust roles. Sensitive actuators including heap dump, environment, and thread dump do not raise this to...
GHSA-Q62H-354G-5R85 Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
Summary The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .credentials., vcap_services) does not cover the standard .NET pattern ConnectionStrings: or Steeltoe...
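The gap in the Steeltoe env sanitizer entry, as an added example that is not Steeltoe's Sanitizer (Steeltoe is .NET; the illustration is in Python). `sanitize_by_key` is the key-suffix rule as the entry describes it, using the suffix list quoted there; `sanitize_deep` keeps that rule and additionally masks credential fields embedded in values, both ADO.NET-style `Password=`/`Pwd=` pairs and URL userinfo, so a connection string under a key the list does not cover still comes out redacted. The configuration samples are constructed.

```python
"""Added example (not Steeltoe's code): key-suffix redaction beside value-aware redaction."""
import re
from typing import Dict

MASK = "******"
KEY_SUFFIXES = ("password", "secret", "key", "token", ".credentials.", "vcap_services")
# credential-bearing fields inside ADO.NET-style connection strings
_CS_FIELD = re.compile(r"(?i)\b(password|pwd|secret|token)(\s*=\s*)([^;]*)")
# userinfo in URL-style connection strings: scheme://user:pass@host
_URL_USERINFO = re.compile(r"(://[^:/@\s]+:)([^@\s]+)(@)")


def sanitize_by_key(key: str, value: str) -> str:
    """Redacts only when the key name looks sensitive; the value is never inspected."""
    k = key.lower()
    if any(k.endswith(s) or (s.startswith(".") and s in k) for s in KEY_SUFFIXES):
        return MASK
    return value


def sanitize_deep(key: str, value: str) -> str:
    """Key rule first, then mask credential fields found inside the value itself."""
    if sanitize_by_key(key, value) == MASK:
        return MASK
    redacted = _CS_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", value)
    redacted = _URL_USERINFO.sub(lambda m: f"{m.group(1)}{MASK}{m.group(3)}", redacted)
    return redacted


def sanitize_env(env: Dict[str, str], deep: bool = True) -> Dict[str, str]:
    fn = sanitize_deep if deep else sanitize_by_key
    return {k: fn(k, v) for k, v in env.items()}


# constructed configuration as an env actuator would expose it
SAMPLE_ENV = {
    "ConnectionStrings:Default": "Host=db;Username=app;Password=hunter2",
    "Redis:Url": "redis://default:s3cret@cache:6379",
    "Jwt:SigningKey": "abc",
    "Logging:Level": "Info",
}
```

Masking the field rather than the whole value keeps host and user visible for operators, which is usually why the env actuator is enabled in the first place; if that is not needed, returning MASK for the entire ConnectionStrings: section is simpler and equally safe.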
GHSA-J8PH-6FXJ-G533 Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
Summary DataCenterInfo.FromJson throws ArgumentException for any name value other than "MyOwn" or "Amazon", despite the Java Eureka specification defining a third valid value, "Netflix". The exception propagates through the entire registry deserialization chain and is swallowed by the periodic...
GHSA-58F6-6RJ2-3V8R Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
Summary When Steeltoe management endpoints are configured to listen on an alternate port (Management:Endpoints:Port is set), the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port. Impact An unauthenticated remo...
GHSA-5CJR-MXJ5-WMRX SimpleSAMLphp has Possible DoS via XPath Transform
Summary This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform algorithms mentioned in the SAML 2.0 Core Specification and specifically...
GHSA-63WG-WJJJ-7CP8 Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node listens on the default :: address on a Linux host (the standard deployment configuration; net.ipv6.bindv6only=0 is the default on all common Linux distributions). 3. Your node is synced near the chain tip...
GHSA-6929-8P9F-26JX SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass
Summary SimpleSAMLphp's HTTP-Artifact receive path can treat an unsigned embedded SAML Response as cryptographically valid for the wrong IdP. In the HTTPArtifact::receive flow, the SOAP ArtifactResponse receives a TLS-based validator from SOAPClient::addSSLValidator. The embedded SAML Response th...
MINI-RCXF-W62M-PRWF
Bulletin has no description...
ECHO-C4CE-3570-7D06
Bulletin has no description...
ECHO-F301-3BAE-8FC2
Bulletin has no description...
ECHO-1A7D-6048-6715
Bulletin has no description...
ECHO-4429-8097-B109
Bulletin has no description...
ECHO-C8E7-731E-B0F8
Bulletin has no description...
ECHO-1888-E250-4427
Bulletin has no description...
ECHO-319A-CD5A-1244
Bulletin has no description...
GHSA-8W6W-23MQ-H8RG Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments
Summary In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including its arguments is not enforced and can therefore be chosen arbitrarily. This allows the nagios user to easily obtain a root shell: PoC By choosing a particular argument, you can get as a nagios...
MINI-RP6G-JHMC-R625
Bulletin has no description...
MINI-WGV7-GGPC-342V
Bulletin has no description...
MINI-G6GG-HR7C-J228
Bulletin has no description...
MINI-P2P4-4WFH-GMV7
Bulletin has no description...
MINI-5GRX-9VW8-FMQR
Bulletin has no description...
MINI-HX7W-WJ5G-85J9
Bulletin has no description...
GHSA-X4HG-HFWF-P9MW @asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Summary The HTMLInputElement.checkValidity method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop. Fix Fixed in commit...
MINI-RC7C-F928-895P
Bulletin has no description...
GHSA-322X-V876-G883 @asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write
Summary The matchFileSnapshot function in src/assertions/snapshots.ts accepted a filePath parameter with zero validation. When snapshot update mode was active (UPDATE_SNAPSHOTS=1 or setUpdateMode('all')), an attacker who controls test input could write arbitrary content to any filesystem path the...
GHSA-G6G7-PVMX-M74P 9router: Missing Authorization and OS Command Injection
Unauthenticated RCE via /api/tunnel/tailscale-install Affected: 9router npm package (current master, v0.4.39). Summary POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawn...