5612 matches found
tripleo-ansible may disclose important configuration details from an OpenStack deployment
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of...
Saleor Unauthenticated Information Disclosure Vulnerability via Python Exceptions
ImpactSome internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests.Affected versions: Saleor ≥ 2.0.0 WorkaroundsNone For more informationIf you hav...
TensorFlow has Floating Point Exception in TFLite in conv kernel
ImpactConstructing a tflite model with a paramater filterinputchannel of less than 1 gives a FPE. PatchesWe have patched the issue in GitHub commit 34f8368c535253f5c9cb3a303297743b62442aaa.The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1. For...
TensorFlow vulnerable to Out-of-Bounds Read in GRUBlockCellGrad
ImpactOut of bounds read in GRUBlockCellGradpythonfunc = tf.rawops.GRUBlockCellGradpara = 'x': 21.1, 156.2, 83.3, 115.4, 'hprev': array136.5, 136.6, 'wru': array26.7, 0.8, 47.9, 26.1, 26.2, 26.3, 'wc': array 0.4, 31.5, 0.6, 'bru': array0.1, 0.2 , dtype=float32, 'bc': 0x41414141, 'r': array0.3, 0....
openstack-neutron uncontrolled resource consumption flaw
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significa...
TensorFlow has Segfault in Bincount with XLA
ImpactWhen running with XLA, tf.rawops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor.pythonimport tensorflow as tffunc = tf.rawops.Bincountpara='arr': 6, 'size': 804, 'weights': 52, [email protected]=Truedef fuzzjit...
Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling
HTTP Response Smuggling vulnerability in Apache HTTP Server via modproxyuwsgi. This issue affects Apache HTTP Server from 2.4.30 through 2.4.55 and the uWSGI PyPI package prior to version 2.0.22. Special characters in the origin response header can truncate/split the response forwarded to the...
tripleo-ansible may disclose important configuration details from an OpenStack deployment
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information...
TensorFlow has null dereference on ParallelConcat with XLA
ImpactWhen running with XLA, tf.rawops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero.pythonimport tensorflow as tffunc = tf.rawops.ParallelConcatpara = 'shape': 0, 'values': [email protected]=Truedef test: y = funcpa...
Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`
ImpactWhen using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their...
Saleor has Staff-Authenticated Error Message Information Disclosure Vulnerability via Python Exceptions
ImpactSome internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated requests.This issue has been patched in versions 3.1.48, 3.7.59, 3.8.30, 3.9.27, 3.10.14...
Open redirect in web2py
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack...
Cross-site Scripting in django-ajax-utilities
A vulnerability was found in Mobile Vikings Django AJAX Utilities and classified as problematic. This issue affects the function Pagination of the file djangoajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument url leads to cross site...
Improper Restriction of Excessive Authentication Attempts in modoboa
Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4...
Apache Airflow AWS Provider Generates Error Message Containing Sensitive Information
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1...
Apache AGE: Python and Golang drivers allow data manipulation and exposure due to SQL injection
There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition t...
OpenStack Cinder, glance, and Nova vulnerable to Path Traversal
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, a...
Denial of service vulnerability on Password reset page
ImpactPrevious versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may stra...
Vulnerable OpenSSL included in cryptography wheels
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and...
Cross-site Scripting in pyload-ng
Cross-site Scripting XSS - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42...
Path traversal in binwalk
A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 inclusive. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode -e option. Remo...
Improper Input Validation in pyload-ng
Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40...
OpenStack Swift XML external entities (XXE) Injection
An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data...
Apache Superset vulnerable to Cross-Site Request Forgery via legacy REST API endpoints
Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...
nsupdate.info has Sensitive Cookie Without 'HttpOnly' Flag
A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRFCOOKIEHTTPONLY leads to cookie without httponly flag. It is possible to...
Apache Superset's SQL Alchemy connector vulnerable to SQL Injection
A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the featur...
Apache Superset vulnerable to Cross-site Scripting
Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...
pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames
Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33...
Apache Superset has Improper Access Control
When explicitly enabling the feature flag DASHBOARDCACHE disabled by default, the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...
Apache Superset is vulnerable to Cross-Site Scripting (XSS)
Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...
Pyload Insufficient Session Expiration vulnerability
Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36...
Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is...
sviehb/jefferson vulnerable to path traversal
A vulnerability has been found in the sviehb/jefferson JFFS2 filesystem extraction tool. This vulnerability affects unknown code of the file src/scripts/jefferson. The manipulation leads to path traversal. The attack can be initiated remotely. Upgrading to version 0.4 is able to address this issu...
pgAdmin 4 Open Redirect vulnerability
Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL...
binwalk vulnerable to UNIX Symbolic Link (Symlink) Following
A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. Affected is an unknown function of the file src/binwalk/modules/extractor.py of the component Archive Extraction Handler. The manipulation leads to symlink following. It is possible to launch the...
`FractionalMaxPoolGrad` Heap out of bounds read
ImpactIf FractionMaxPoolGrad is given outsize inputs rowpoolingsequence and colpoolingsequence, TensorFlow will crash.pythonimport tensorflow as tftf.rawops.FractionMaxPoolGrad originput = 1, 1, 1, 1, 1, origoutput = 1, 1, 1, outbackprop = 3, 3, 6, rowpoolingsequence = -0x4000000, 1, 1,...
FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess
ImpactAn input poolingratio that is smaller than 1 will trigger a heap OOB in tf.rawops.FractionalMaxPool and tf.rawops.FractionalAvgPool. PatchesWe have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48.The fix will be included in TensorFlow 2.11.0. We will also cherry...
Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite
ImpactThe reference kernel of the CONV3DTRANSPOSE TensorFlow Lite operator wrongly increments the dataptr when adding the bias to the result.Instead of dataptr += numchannels; it should be dataptr += outputnumchannels; as if the number of input channels is different than the number of output...
TensorFlow vulnerable to segfault in `QuantizedInstanceNorm`
ImpactIf QuantizedInstanceNorm is given xmin or xmax tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack.pythonimport tensorflow as tfoutputrangegiven = Falsegivenymin = 0givenymax = 0varianceepsilon = 1e-05minseparation = 0.001x =...
TensorFlow vulnerable to `CHECK` fail in `CollectiveGather`
ImpactWhen CollectiveGather receives an scalar input input, it gives a CHECK fails that can be used to trigger a denial of service attack.pythonimport tensorflow as tfarg0=1arg1=1arg2=1arg3=1arg4=3, 3,3arg5='auto'arg6=0arg7=''tf.rawops.CollectiveGatherinput=arg0, groupsize=arg1, groupkey=arg2,...
TensorFlow vulnerable to `CHECK` fail in `SetSize`
ImpactWhen SetSize receives an input setshape that is not a 1D tensor, it gives a CHECK fails that can be used to trigger a denial of service attack.pythonimport tensorflow as tfarg0=1arg1=1,1arg2=1arg3=Truearg4=''tf.rawops.SetSizesetindices=arg0, setvalues=arg1, setshape=arg2,...
TensorFlow vulnerable to `CHECK` fail in `TensorListFromTensor`
ImpactWhen TensorListFromTensor receives an elementshape of a rank greater than one, it gives a CHECK fail that can trigger a denial of service attack.pythonimport tensorflow as tfarg0=tf.random.uniformshape=6, 6, 2, dtype=tf.bfloat16, maxval=Nonearg1=tf.random.uniformshape=6, 9, 1, 3,...
TensorFlow vulnerable to integer overflow in math ops
ImpactWhen RangeSize receives values that do not fit into an int64t, it crashes.cpp auto size = std::isintegral::value ? Eigen::numext::abslimit - start + Eigen::numext::absdelta - T1 / Eigen::numext::absdelta : Eigen::numext::ceil Eigen::numext::abslimit - start / delta; // This check does not...
TensorFlow vulnerable to null dereference on MLIR on empty function attributes
ImpactEig can be fed an incorrect Tout input, resulting in a CHECK fail that can trigger a denial of service attack.pythonimport tensorflow as tfimport numpy as np arg0=tf.constantvalue=np.random.randomsize=2, 2, shape=2, 2, dtype=tf.float32arg1=tf.complex128arg2=Truearg3=''tf.rawops.Eiginput=arg...
TensorFlow vulnerable to `CHECK` fail in `FakeQuantWithMinMaxVarsPerChannel`
ImpactIf FakeQuantWithMinMaxVarsPerChannel is given min or max tensors of a rank other than one, it results in a CHECK fail that can be used to trigger a denial of service attack.pythonimport tensorflow as tfnumbits = 8narrowrange = Falseinputs = tf.constant0, shape=4, dtype=tf.float32min =...
TensorFlow vulnerable to `CHECK` fail in `RaggedTensorToVariant`
ImpactIf RaggedTensorToVariant is given a rtnestedsplits list that contains tensors of ranks other than one, it results in a CHECK fail that can be used to trigger a denial of service attack.pythonimport tensorflow as tfbatchedinput = Truertnestedsplits = tf.constant0,32,64, shape=3,...
TensorFlow vulnerable to `CHECK` fail in `QuantizeAndDequantizeV3`
ImpactIf QuantizeAndDequantizeV3 is given a nonscalar numbits input tensor, it results in a CHECK fail that can be used to trigger a denial of service attack.pythonimport tensorflow as tfsignedinput = Truerangegiven = Falsenarrowrange = Falseaxis = -1input = tf.constant-3.5, shape=1,...
Uncontrolled Resource Consumption in asyncua and opcua
All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service DoS due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited numb...
TensorFlow vulnerable to `CHECK` fail in `Conv2DBackpropInput`
ImpactWhen Conv2DBackpropInput receives empty outbackprop inputs e.g. 3, 1, 0, 1, the current CPU/GPU kernels CHECK fail one with dnnl, the other with cudnn. This can be used to trigger a denial of service attack.pythonimport tensorflow as tfimport numpy as npinputsizes = 3, 1, 1, 2filter =...
Apache Superset allows authenticated users to access metadata they have no permission to
Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics...