ghsa

### Summary _Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._ There is a potential XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46 XML contents is parsed with DocumentBuilder without security settings on or external entity enabled ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ #### ...

### Impact Any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. ### Patches This has been patched in XWiki 15.10.9 and 16.3.0. ### Workarounds If you have subwikis where the Job Scheduler is enabled, you can edit the objects on `Scheduler.WebPreferences` to match https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331#diff-8e274bd0065e319a34090339de6dfe56193144d15fd71c52c1be7272254728b4. ### References * https://jira.xwiki.org/browse/XWIKI-21663 * https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) *...

### Impact Any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type `XWiki.WikiMacroClass`. Set "Macro Id", "Macro Name" and "Macro Code" to any value, "Macro Visibility" to `Current User` and "Macro Description" to `{{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}`. Save the page, then go to `<host>/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList`. If the description of your new macro reads "Hello from User macro!", then your instance is vulnerable. ### Patches This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. ### Workarounds It is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f36...

### Impact Any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a user with script rights, edit your user profile and add an object of type `XWiki.ConfigurableClass` ("Custom configurable sections"). Set "Display in section" and "Display in category" to `other`, "Scope" to `Wiki and all spaces` and "Heading" to: ``` #set($codeToExecute = 'Test') #set($codeToExecuteResult = '{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from Heading succeeded!"){{/groovy}}{{/async}}') ``` Save the page and view it, then add `?sheet=XWiki.AdminSheet&viewer=content&section=other` to the URL. If the logs contain "attacker - Attack from Heading succeeded!", then the instance is vulnerable. ### Patches This has been patched in XWiki 15.10.9 and 16.3.0. ### Workarounds We're...

A security issue was identified in the NanoProxy project related to the `golang.org/x/crypto` dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates. Impact: The specific vulnerabilities in the outdated version of `golang.org/x/crypto` could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system. Resolution: The issue has been fixed in NanoProxy by upgrading the `golang.org/x/crypto` dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies. Fixed Version: * `golang.org/x/crypto` upgraded to version 0.31.0.

Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.  This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

# Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r4pg-vg54-wxx4. This link is maintained to preserve external references. # Original Description A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.

A flaw was found in Undertow. An HTTP request header value from a previous stream may be incorrectly reused for a request associated with a subsequent stream on the same HTTP/2 connection. This issue can potentially lead to information leakage between requests.

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.