ghsa

There is a potential vulnerability in Traefik managing HTTP/3 connections. More details in the [CVE-2024-53259](https://nvd.nist.gov/vuln/detail/CVE-2024-53259). ## Patches - https://github.com/traefik/traefik/releases/tag/v2.11.15 - https://github.com/traefik/traefik/releases/tag/v3.2.2 ## Workarounds No workaround ## For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).

### Impact If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar` ### Patches This issue was patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. ### Workarounds There are no official workarounds for this vulnerability. #### Credits We'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

### Impact The welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. ### Proof of Concept 1. Welcome page footer: <img width="432" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/a7fd5151-55d5-432b-9d5d-79136833609f"> 2. About page *build information*. <img width="401" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/59fcd8dd-eaee-4bf8-9578-a2a94b2864db"> ### Patches No patch presently available. ### Workarounds No workaround available, although the ADMIN_CONSOLE can be disabled completely. ### References * [About GeoServer](https://docs.geoserver.org/latest/en/user/webadmin/about.html)

## Summary ### ASA-2024-0012 Name: ASA-2024-0012, Transaction decoding may result in a stack overflow Component: Cosmos SDK Criticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14 Affected users: Chain Builders + Maintainers, Validators, node operators ### ASA-2024-0013 Name: ASA-2024-0013: CosmosSDK: Transaction decoding may result in resource exhaustion Component: Cosmos SDK Criticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14 Affected users: Chain Builders + Maintainers, Validators, node operators ### Impact ### ASA-2024-0012 When decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stac...

The `OVERWRITE` clause of the `DEFINE TABLE` statement would fail to overwrite data for tables that were defined with `TYPE RELATION`. Since table definitions include the `PERMISSIONS` clause, this failure would result in permissions not being overwritten as a result, which may potentially lead users to believe they have changed the table permissions when they have not. ### Impact If a user attempted to update table permissions of a table defined with `TYPE RELATION` using `DEFINE TABLE ... OVERWRITE`, permissions for the table would not be changed. This may allow a client that is authorized to run queries in a SurrealDB server to access certain data in that specific table that they were not intended to be able to access after the specified change in permissions. ### Patches The `DEFINE TABLE` statement has been updated to appropriately overwrite data for tables defined with `TYPE RELATION`. - Version 2.1.3 and later are not affected by this issue. ### Workarounds Users of table...

### Impact Privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f ### Patches ``` commit f246c9053f9603e610d98439799bdd2a6b293427 Author: Aditya Manthramurthy <[email protected]> Date: Wed Dec 11 18:09:40 2024 -0800 fix: Privilege escalation in IAM import API (#20756) This API had missing permissions checking, allowing a user to change their policy mapping by: 1. Craft iam-info.zip file: Update own user permission in user_mappings.json 2. Upload it via `mc admin cluster iam import nobody iam-info.zip` Here `nobody` can be a user with pretty much any kind of permission (but not anonymous) and this ends up working. Some more detailed steps - start from a fresh setup: ``` ./minio server /tmp/d{1...4} & mc alias set myminio http://localhost:9000 minioadmin minioadmin mc admin user add myminio nobody nobody123 mc admin poli...

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.

### Impact Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. ### Patches Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. You can find out more information on how to turn that flag on [here](https://github.com/man-group/dtale#custom-filter) ### Workarounds The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users. ### References See "Custom Filter" [documentation](https://github.com/man-group/dtale#custom-filter)