GHSA-x52f-h5g4-8qv5: Marp Core allows XSS by improper neutralization of HTML sanitization

GHSA-76h9-2vwh-w278: Apache MINA Deserialization RCE Vulnerability

GHSA-vm62-9jw3-c8w3: Gogs has an argument Injection in the built-in SSH server

GHSA-9pp6-wq8c-3w2c: Gogs allows argument injection during the previewing of changes

GHSA-ccqv-43vm-4f3w: Gogs allows deletion of internal files

`SubjectAlternativeName` and `ExtendedKeyUsage` arguments were parsed using the OpenSSL function `X509V3_EXT_nconf`. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.

Thanks to David Benjamin (Google) for reporting this issue.


**\`openssl\` \`SubjectAlternativeName\` and \`ExtendedKeyUsage::other\` allow arbitrary file read**

High severity GitHub Reviewed Published Mar 24, 2023 to the GitHub Advisory Database • Updated Mar 24, 2023

Headline

GHSA-9qwg-crg9-m2vc: `openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read

ghsa: Latest News