Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-ffvr-gmp3-xx43: Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.

ghsa
#vulnerability#mac#windows#linux#apache#rce#auth
GHSA-m238-fmcw-wh58: Label Studio allows Server-Side Request Forgery in the S3 Storage Endpoint

## Description Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint URL is passed directly to the boto3 AWS SDK without proper validation or restrictions on the protocol or destination. The vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. When the storage sync operation is triggered, the application attempts to make S3 API calls to the specified endpoint, effectively making HTTP requests to the target service and returning the response in error messages. This SSRF vulnerability enables attackers to bypass network segmentation and access internal services that should not be accessible from the external network. The vulnerability is particularly severe because ...

GHSA-wpq5-3366-mqw4: Label Studio allows Cross-Site Scripting (XSS) via GET request to `/projects/upload-example` endpoint

## Description Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaScript, an attacker can achieve Cross-Site Scripting (XSS). While the application has a Content Security Policy (CSP), it is only set in report-only mode, making it ineffective at preventing script execution. The vulnerability exists because the upload-example endpoint renders user-provided HTML content without proper sanitization on a GET request. This allows attackers to inject and execute arbitrary JavaScript in victims' browsers by getting them to visit a maliciously crafted URL. This is considered vulnerable because it enables attackers to execute JavaScript in victims' contexts, potentially allowing theft of sensitive data, session hijacking, or other malicious actions. ## Steps to reproduce ...

GHSA-rgv9-w7jp-m23g: Label Studio has a Path Traversal Vulnerability via image Field

## Description A path traversal vulnerability in Label Studio SDK versions prior to 1.0.10 allows unauthorized file access outside the intended directory structure. Label Studio versions before 1.16.0 specified SDK versions prior to 1.0.10 as dependencies, and the issue was confirmed in Label Studio version 1.13.2.dev0; therefore, Label Studio users should upgrade to 1.16.0 or newer to mitigate it. The flaw exists in the VOC, COCO and YOLO export functionalites. These functions invoke a `download` function on the `label-studio-sdk` python package, which fails to validate file paths when processing image references during task exports: ```python def download( url, output_dir, filename=None, project_dir=None, return_relative_path=False, upload_dir=None, download_resources=True, ): is_local_file = url.startswith("/data/") and "?d=" in url is_uploaded_file = url.startswith("/data/upload") if is_uploaded_file: upload_dir = _get_upload_dir(pr...

GHSA-8355-xj3p-hv6q: Apache Ignite: Possible RCE when deserializing incoming messages by the server node

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.

GHSA-vhxf-7vqr-mrjg: DOMPurify allows Cross-site Scripting (XSS)

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

GHSA-jgfp-53c3-624w: Node Denial of Service via kubelet Checkpoint API

A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

GHSA-mrqp-q7vx-v2cx: Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC

**Summary / Details** Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC to access data and and escalate their privileges. **Affected Versions** - Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 - versions 4.1.0-1.0.0 through 4.1.8-1.0.0 when installed into Apache Cassandra version 4.x. **Required Configuration for Exploit** These are the conditions required to enable exploit: 1. Cassandra 4.x 2. Vulnerable version of the Cassandra-Lucene-Index plugin configured for use 3. Data added to tables 4. Lucene index created 5. Cassandra flush has run **Mitigation/Prevention** Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possibl...

GHSA-phg3-gv66-q38x: Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

GHSA-x3v6-f5fr-4wwv: Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user

An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to version 2.4.0, which fixes the issue.