ghsa

### Impact The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. Example attack scenario: 1. An attacker has stolen the private key for a key published in JWK Set. 2. The publishers of that JWK Set remove that key from the JWK Set. 3. Enough time has passed that the program using the auto-caching HTTP client found in `github.com/MicahParks/jwkset` v0.5.0-v0.5.21 has elapsed its `HTTPClientStorageOptions.RefreshInterval` duration, causing a refresh of the remote JWK Set. 4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation. ### Patches The affected auto-caching HTTP client was added in version `v0.5.0` and fixed in `v0.6.0`. Upgrade ...

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.

SickChill is an automatic video library manager for TV shows. A user-controlled `login` endpoint's `next_` parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open redirect. Commit c7128a8946c3701df95c285810eb75b2de18bf82 changes the login page to redirect to `settings.DEFAULT_PAGE` instead of to the `next` parameter.

### Impact Application passing unsanitized user input to `Carbon::setLocale` are at risk of arbitrary file include, if the application allows users to upload files with `.php` extension in an folder that allows `include` or `require` to read it, then they are at risk of arbitrary code ran on their servers. ### Patches - [3.8.4](https://github.com/briannesbitt/Carbon/releases/tag/3.8.4) - [2.72.6](https://github.com/briannesbitt/Carbon/releases/tag/2.72.6) ### Workarounds Any of the below actions can be taken to prevent the issue: - Validate input before calling `setLocale()`, for instance by forbidding or removing `/` and `\` - Call `setLocale()` only with a locale from a whitelist of supported locales - When uploading files, rename them so they cannot have a `.php` extension (this is recommended even if you're not affected by this issue) - Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually ...

An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.

### Impact Path traversal attack gives access to existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. ### Patches This is patched in [v0.8.2](https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2) ### Workarounds Single user set-ups are not affected. This only affects multi-user Soft Serve set-ups that enable repository creation for users. Otherwise, upgrading is necessary to circumvent the attack.

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html  doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.