36119 matches found
Improper Neutralization of Special Elements in Data Query Logic
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the Neo4jProducer.retrieveNodes and deleteNode processes when JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview org.apache.camel:camel-mail is a Camel Mail support. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through MailProducer.getSender in the mail component. An attacker can weaken SMTP transport security or...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the operationName and operationNamespace headers, which are not properly filtered by the HTTP header filter. An attacker can cause the backend SOAP servi...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the VertxWebsocketConsumer inbound header mapping in components/camel-vertx/camel-vertx-websocket. An attacker can redirect server-side HTTP requests and disclose sensitive values by sending WebSocke...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the LuceneConstants.HEADERQUERY and LuceneConstants.HEADERRETURNLUCENEDOCS headers in the Lucene producer. An attacker can override the intended Lucene search by sending an HTTP...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the improper handling of HTTP headers with the SolrParam. and SolrField. prefixes. An attacker can manipulate Solr query parameters or...
Information Exposure
Overview org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns. Affected versions of this package are vulnerable to Information Exposure via the muteException handling in the NettyHttpConfiguration and NettyHttpComponent...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the DnsConstants header handling in components/camel-dns/src/main/java/org/apache/camel/component/dns/DnsConstants.java and the DNS producers that consume those headers. An attacker can redirect DNS...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the improper handling of Exchange message headers in the JIRA component. An attacker can perform unauthorized JIRA operations by supplying specially crafted HTTP headers, leveraging the endpoint's configure...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the kafka.OVERRIDETOPIC and other kafka. headers that bypass the upstream HTTP header filter. An attacker can redirect messages to arbitrary Kafka topics...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the improper handling of HTTP headers in the process. An attacker can manipulate internal Salesforce operation parameters, such as SOQL...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the DaprPubSubConsumer process. An attacker can redirect or exfiltrate messages and bypass intended routing and topic-level access controls by publishing specially crafted CloudEvents with manipulated...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the DaprPubSubConsumer process. An attacker can redirect or exfiltrate messages and bypass intended routing and topic-level access controls by publishing specially crafted CloudEvents with manipulated...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the handling of gridfs. HTTP headers, which are not properly filtered and can be set by an HTTP client to control the GridFS operation performed by the...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the irc.sendTo header and other irc. headers in HTTP requests. An attacker can redirect outgoing IRC messages to arbitrary channels or users by injecting...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the KeycloakSecurityPolicy process. An attacker can gain unauthorized access to protected routes by supplying any non-null value in the Authorization: Bearer header, which is accepted without cryptographic...
Information Exposure
Overview org.apache.camel:camel-netty-http is a versatile open-source integration framework based on known Enterprise Integration Patterns. Affected versions of this package are vulnerable to Information Exposure in the muteException option handling of the HTTP consumer. An attacker can obtain...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure in the muteException option handling of the HTTP consumer. An attacker can obtain sensitive internal information, such as Java stack traces containing credentials, hostnames, IP addresses, filesystem paths, and...
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' due to the lack of an inbound filter rule in Sns2HeaderFilterStrategy. An attacker cannot manipulate internal headers o...
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' due to the lack of an inbound filter rule in Sns2HeaderFilterStrategy. An attacker cannot manipulate internal headers o...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the mapping of externally-supplied message user-headers into the Exchange without applying a header filtering process. An attacker can manipulate internal control headers by injecting specially craft...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the mapping of externally-supplied message user-headers into the Exchange without applying a header filtering process. An attacker can manipulate internal control headers by injecting specially craft...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebsocketConsumer.service process. An attacker can redirect server-side HTTP requests to arbitrary destinations and access sensitive environment variables, application properties, or vault secret...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebsocketConsumer.service process. An attacker can redirect server-side HTTP requests to arbitrary destinations and access sensitive environment variables, application properties, or vault secret...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebsocketConsumer.service process. An attacker can redirect server-side HTTP requests to arbitrary destinations and access sensitive environment variables, application properties, or vault secret...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the mapping of externally-supplied message user-headers into the Exchange without applying a header filtering process. An attacker can manipulate internal control headers by injecting specially craft...
Command Injection
Overview react-dev-utils is an includes some utilities used by Create React App. Affected versions of this package are vulnerable to Command Injection via the startBrowserProcess function in react-dev-utils/openBrowser.js. An attacker can execute arbitrary operating system commands by supplying...
Protection Mechanism Failure
Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the client.go process of the Docker API component. An attacker can escape the intended sandbox restrictions by sending crafted requests to the affected API endpoint. Remediation A fix was pushed into the...
Protection Mechanism Failure
Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the client.go process of the Docker API component. An attacker can escape the intended sandbox restrictions by sending crafted requests to the affected API endpoint. Remediation A fix was pushed into the...
Authorization Bypass Through User-Controlled Key
Overview langgraph is a Building stateful, multi-actor applications with LLMs Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to a key collision in the defaultcachekey and freeze functions of langgraph/internal/cache.py, where freeze reduce...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MethodRouter.Handle process of the WebSocket RPC handler. An attacker can gain unauthorized access to sensitive information or perform unauthorized actions by exploiting improper authorization checks...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MethodRouter.Handle process of the WebSocket RPC handler. An attacker can gain unauthorized access to sensitive information or perform unauthorized actions by exploiting improper authorization checks...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MethodRouter.Handle process of the WebSocket RPC handler. An attacker can gain unauthorized access to sensitive information or perform unauthorized actions by exploiting improper authorization checks...
Improper Validation of Consistency within Input
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Validation of Consistency within Input due to improper validation of the emailverified claim in the...
UNIX Symbolic Link (Symlink) Following
Overview mcp-markdownify-server is a Model Context Protocol MCP server that converts various file types and web content to Markdown format. It provides a set of tools to transform PDFs, images, audio files, web pages, and more into easily readable and shareable Markdown text. Affected versions of...
Insecure Randomness
Overview mcp-markdownify-server is a Model Context Protocol MCP server that converts various file types and web content to Markdown format. It provides a set of tools to transform PDFs, images, audio files, web pages, and more into easily readable and shareable Markdown text. Affected versions of...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the decodeFromCompressedByteBuffer function due to improper handling of the lengthOfCompressedContents argument. An attacker can cause excessive memory allocation by supplying a crafted...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the decodeFromByteBuffer function due to improper handling of the numberOfSignificantValueDigits argument. An attacker can cause excessive memory consumption by supplying crafted input...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code, and its content was removed from the official package manager. It was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Malicious Package
Overview @thymelab/logfx is a malicious package. This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary. Impact The infostealer targets crypto wallets,...
Malicious Package
Overview @petitcode/eb-retry is a malicious package. This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary. Impact The infostealer targets crypto wallet...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code and was identified as part of the PolinRider supply chain campaign, linked to North Korean threat actors associated with the Contagious Interview/Famous Chollima activity...
Malicious Package
Overview @briskforge/envcheck is a malicious package. This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary. Impact The infostealer targets crypto...
Malicious Package
Overview @zynkit/jwtbytes is a malicious package. This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary. Impact The infostealer targets crypto wallets,...
Malicious Package
Overview @lazyutil/dater is a malicious package. This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary. Impact The infostealer targets crypto wallets,...