Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-9jxq-5x44-gx23: Keylime registrar is vulnerable to Denial-of-Service attack when updated to version 7.12.0

### Impact The Keylime `registrar` implemented more strict type checking on version 7.12.0. As a result, when updated to version 7.12.0, the `registrar` will not accept the format of the data previously stored in the database by versions >= 7.8.0, raising an exception. This makes the Keylime `registrar` vulnerable to a Denial-of-Service attack in an update scenario, as an attacker could populate the `registrar` database by creating multiple valid agent registrations with different UUIDs while the version is still < 7.12.0. Then, when the Keylime `registrar` is updated to the 7.12.0 version, any query to the database matching any of the entries populated by the attacker will result in failure. ### Patches Users should upgrade to versions >= 7.12.1 ### Workarounds - Remove the registrar database and re-register all agents ### Credit Reported by: Anderson Toshiyuki Sasaki/@ansasaki Patched by: Anderson Toshiyuki Sasaki/@ansasaki

ghsa
Open in Source
#dos
GHSA-rmvr-2pp2-xj38: @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

### Summary The regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. ### Details The vulnerability resides in the regular expression `/<([^>]+)>; rel="deprecation"/`, which is used to match the `link` header in HTTP responses. This regular expression captures content between angle brackets (`<>`) followed by `; rel="deprecation"`. However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious inp...

GHSA-xx4v-prfh-6cgc: @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

### Summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. ### Details The issue occurs at [line 52](https://github.com/octokit/request-error.js/blob/main/src/index.ts) of iterator.ts in the @octokit/request-error repository. The vulnerability is caused by the use of an inefficient regular expression in the handling of the `authorization` header within the request processing logic: ```js authorization: options.request.headers.authorization.replace( / .*$/, " [REDACTED]" ) ``` The regular expression `/ .*$/` matches a space followed by any number of characters until the end of th...

GHSA-h5c3-5r3r-rr8q: @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

### Summary For the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance—particularly with a malicious `link` parameter in the `headers` section of the `request`—can trigger a ReDoS attack. ### Details The issue occurs at [line 39](https://github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts) of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows: ```js url = ((normalizedResponse.headers.link || "").match( /<([^>]+)>;\s*rel="next"/, ) || [])[1]; ``` The regular expression `/<([^>]+)>;\s*rel="next"/` may lead to a potential backtracking vulnerability, resulting in a ReDoS (Regular Expression Denial of Service) attack. This could cause high CPU utilization and even service slowdowns or freezes when processing specially crafted `Link` headers. ### PoC [The gist of PoC.js](https://gist.github.com/ShiyuBanzhou/d3f2ad000be8384d2105c87c2ed7ce7d) 1. run npm i ...

GHSA-x4c5-c7rf-jjgv: @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

### Summary By crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. ### Details The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62: ```ts headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]); ``` The regular expression `/[\w-]+(?=-preview)/g` encounters a backtracking issue when it processes `a large number of characters` followed by the `-` symbol. e.g., the attack string: ```js "" + "A".repeat(100000) + "-" ``` ### PoC [The gist](https://gist.github.com/ShiyuBanzhou/a17202ac1ad403a80ca302466d5e56c4) Here is the reproduction process for the vulnerability: 1. run 'npm i @octokit/endpoint' 2. Move `poc.js` to the root dir...

GHSA-mp7w-mhcv-673j: Vega allows Cross-site Scripting via the vlSelectionTuples function

### Summary The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS. ### Details [`vlSelectionTuples`](https://github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.js#L14) calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: `vlSelectionTuples([{datum:<argument>}], {fields:[{getter:<function>}]})` This can be used to call `Function()` with arbitrary JavaScript and the resulting function can be called with `vlSelectionTuples` or using a type coercion to call `toString` or `valueOf`. ### PoC ``` {"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]} ```

GHSA-h7h7-6mx3-r89v: Fyrox has unsound usages of `Vec::from_raw_parts`

The library provides a public safe API `transmute_vec_as_bytes`, which incorrectly assumes that any generic type `T` could have stable layout, causing to uninitialized memory exposure if the users pass any types with padding bytes as `T` and cast it to `u8` pointer. In the [issue](https://github.com/FyroxEngine/Fyrox/issues/630), we develop a PoC to show passing struct type to `transmute_vec_as_bytes` could lead to undefined behavior with `Vec::from_raw_parts`. The developers provide a patch by changing trait of `Copy` to `Pod`, which can make sure `T` should be plain data. This was patched in the latest version of [master](https://github.com/FyroxEngine/Fyrox/blob/3f9ad6f9667047dac051b0e97d544e5b38e5ae72/fyrox-core/src/lib.rs#L351-L360) branch, but still not on the latest release (0.28.1).

GHSA-5v93-9mqw-p9mh: Uncaught Panic in ORML Rewards Pallet

## Summary A vulnerability in the `add_share` function of the **Rewards** pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the `u128` range. ## Affected Components - **ORML Rewards** pallet (`rewards/src/lib.rs`) - Any Substrate-based chain using ORML Rewards with `add_share` accepting unvalidated large `u128` inputs ## Technical Details - `add_share` performs arithmetic on user-supplied values (`add_amount`) of type `T::Share` (mapped to `u128` in Acala). - If `add_amount` is large enough (e.g., `i128::MAX`), the intermediate result may overflow and panic on the cast to `u128`. - Validation occurs only after arithmetic, enabling a crafted input to trigger an overflow. ## Impact A malicious user submitting a specially crafted extrinsic can cause a panic in the runtime: - **Denial of Service** by crashing the node process. - **Potential for invalid blocks** produced by validators. ## Likelihood This issue is exploita...

GHSA-fgw4-v983-mgp8: `gh attestation verify` returns incorrect exit code during verification if no attestations are present

### Summary A bug in GitHub's Artifact Attestation CLI tool, `gh attestation verify`, may return an incorrect zero exit status when no matching attestations are found for the specified `--predicate-type <value>` or the default `https://slsa.dev/provenance/v1` if not specified. This issue only arises if an artifact has an attestation with a predicate type different from the one provided in the command. As a result, users relying solely on these exit codes may mistakenly believe the attestation has been verified, despite the absence of an attestation with the specified predicate type and the tool printing a verification failure. Users are advised to update `gh` to version `v2.67.0` as soon as possible. Initial report: https://github.com/cli/cli/issues/10418 Fix: https://github.com/cli/cli/pull/10421 ### Details The gh attestation verify command fetches, loads, and attempts to verify attestations associated with a given artifact for a specified predicate type. If an attestation is fo...

Scammers Exploit JFK Files Release with Malware and Phishing

Veriti Research reported a developing cyber threat campaign centred around the declassification and release of the RFK, MLK…