ghsa

Challenge derivation in non-interactive ZK proofs was ambiguous and that could lead to security vulnerability (however, it's unknown if it could be exploited).

Challenge derivation in non-interactive ZK proofs was ambiguous and that could lead to security vulnerability (however, it's unknown if it could be exploited).

An invalid use of `MaybeUninit::uninit().assume_init()` in `simd-json-derive`'s derive macro can cause undefined behavior. The original code used `MaybeUninit` to avoid initialisation of the struct and then set the fields using `ptr::write`. The undefined behavior triggered by this misuse of `MaybeUninit` can lead to invlaid memory access and panics in binaries compiled in release mode (aka simd-json-derive prior to version 0.12 has UB and optimizes into some nonsense) The version `0.12.0` removes this section of code, avoiding the use of MaybeUninit alltogether.

Challenge derivation in non-interactive ZK proofs was ambiguous and that could lead to security vulnerability (however, it's unknown if it could be exploited).

`fast-float` contains multiple soundness issues: 1. [Undefined behavior when checking input length](https://github.com/aldanor/fast-float-rust/issues/28), which has been merged but no package [pubished](https://github.com/aldanor/fast-float-rust/issues/35). 1. [Many functions marked as safe with non-local safety guarantees](https://github.com/aldanor/fast-float-rust/issues/37) The library is also unmaintained. ## Alternatives For quickly parsing floating-point numbers third-party crates are generally no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore. When requiring direct parsing from bytes and/or partial parsers, the [`fast-float2`](https://crates.io/crates/fast-float2) fork of `fast-float` containing these security patches and reduces overall usage of unsafe.

### Impact This vulnerability is a method exposure issue (CWE-749: Exposed Dangerous Method or Function) in the Orchid Platform’s asynchronous modal functionality, affecting users of Orchid Platform version 8 through 14.42.x. Attackers could exploit this vulnerability to call arbitrary methods within the `Screen` class, leading to potential brute force of database tables, validation checks against user credentials, and disclosure of the server’s real IP address. ### Patches The issue has been patched in the latest release, version 14.43.0, released on November 6, 2024. Users should upgrade to version 14.43.0 or later to address this vulnerability. ### Workarounds If upgrading to version 14.43.0 is not immediately possible, you can mitigate the vulnerability by implementing middleware to intercept and validate requests to asynchronous modal endpoints, allowing only approved methods and parameters. ### References - [CWE-749: Exposed Dangerous Method or Function](https://cwe.mitre.org/...

### Summary matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. ### Details The Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation. ### Patches Fixed in matrix-js-sdk 34.11.1. ### Workarounds None. ### References - https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5 - https://blog.doyensec.com/2024/07/02/cspt2csrf.html

### Summary An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. ### Details When the library netty is loaded in a java windows application, the library tries to identify the system environnement in which it is executed. At this stage, Netty tries to load both `/etc/os-release` and `/usr/lib/os-release` even though it is in a Windows environment. <img width="364" alt="1" src="https://github.com/user-attachments/assets/9466b181-9394-45a3-b0e3-1dcf105def59"> If netty finds this files, it reads them and loads them into memory. By default : - The JVM maximum memory size is set to 1 GB, - A non-privileged user can create a directory at `C:\` and create files within it. <img width="340" alt="2" src="https://github.com/user-attachments/assets/43b359a2-5871-4592-ae2b-ffc40ac76831"> <img...

## Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ## Vendor: Decidim International Community Environment ### Has vendor confirmed: Yes ### Attack type: Remote ### Impact: Code Execution Escalation of Privileges Information Disclosure ### Affected component: A raw sql-statement that uses an interpolated variable exists in the admin_role_actions method of the `papertrail/version-model(app/models/decidim/decidim_awesome/paper_trail_version.rb`). ### Attack vector: An attacker with admin permissions could manipulate database queries in order to read out the database, read files from the filesystem, write files from the filesystem. In the worst case, this could lead to remote code execution on the server. Description of the vulnerability for use in the CVE [ℹ] (https://cveproject.github.io/docs/content/key-details- phrasing.pdf) : An improper neutralization of special elements used in an SQL command in the `papertrail/vers...

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6x36-qxmj-rv4p. This link is maintained to preserve external references. ## Original Description .NET and Visual Studio Remote Code Execution Vulnerability