GHSA-qg5g-gv98-5ffh: rustls network-reachable panic in `Acceptor::accept`

GHSA-rjjv-87mx-6x3h: @sveltejs/kit vulnerable to on dev mode 404 page

GHSA-mh2x-fcqh-fmqv: @sveltejs/kit has unescaped error message included on error page

GHSA-5xr6-xhww-33m4: Artifact poisoning vulnerability in action-download-artifact v5 and earlier

GHSA-7f6p-phw2-8253: Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws

### Impact

Versions of `actions/download-artifact` before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

### Patches

Upgrade to version 4.1.7 or higher. Alternatively use 'v4' tag which points to the latest and secure version.

### References

- https://snyk.io/research/zip-slip-vulnerability
- https://github.com/actions/download-artifact/releases/tag/v4.1.7

### CVE

CVE-2024-42471

### Credits

Justin Taft from Google

**@actions/download-artifact has an Arbitrary File Write via artifact extraction**

High severity GitHub Reviewed Published Sep 2, 2024 in actions/download-artifact • Updated Sep 3, 2024

Headline

GHSA-cxww-7g56-2vh6: @actions/download-artifact has an Arbitrary File Write via artifact extraction

Impact

Patches

References

CVE

Credits

ghsa: Latest News