ghsa

### Summary The `env` and `expandenv` template functions which is enabled by default in [Sprig](https://masterminds.github.io/sprig/) enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. **Upgrade to [v5.0.2](https://github.com/knadh/listmonk/releases/tag/v5.0.2)** to mitigate. --------- # Demonstration ### Description A critical template injection vulnerability exists in Listmonk's campaign preview functionality that allows authenticated users with minimal privileges (campaigns:get & campaigns:get_all) to extract sensitive system data, including database credentials, SMTP passwords, and admin credentials due to some dangerous function being allowed. ### Proof of Concept - Create a user and give him `campaigns:get` and `campaigns...

A Developer persona can bring down the Authorino service, preventing the evaluation of all AuthPolicies on the cluster

The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks.

Skyvern through 0.2.0 has a Jinja runtime leak in sdk/workflow/models/block.py.

### Overview A flaw in Jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible **information disclosure** in systems using **pooled or reused buffers**, like Netty or Vert.x. ### Details The vulnerability affects the creation of exception messages like: ``` JsonParseException: Unexpected character ... at [Source: (byte[])...] ``` When `JsonFactory.createParser(byte[] data, int offset, int len)` is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method `_appendSourceDesc` ignores the `offset`, and always starts reading from index `0`. If the buffer contains residual sensitive data from a previous request, such a...

### Impact On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. For example, given this schema: ``` definition user {} definition office { relation parent: office relation manager: user permission read = manager + parent->read } definition group { relation parent: office permission read = parent->read } definition document { relation owner: group with equals permission read = owner->read } caveat equals(actual string, required string) { actual == required } ``` and these relationships: ``` office:headoffice#manager@user:maria office:branch1#parent@office:headoffice group:admins#parent@office:branch1 group:managers#parent@office:headoffice document:budget#owner@group:admins[equals:{"required":"admin"}] document:budget#owner@group:managers[equals:{"required":"manager"}] ``` P...

### Summary A **Denial of Service (DoS)** vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. ### Impact - **Component**: `server_quic.go` - **Attack Vector**: Remote, network-based - **Attack Complexity**: Low - **Privileges Required**: None - **User Interaction**: None - **Impact**: High availability loss (OOM kill or unresponsiveness) This issue affects deployments with `quic://` enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU. ### Patches The patch introduces two key mitigation m...

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 6.2 (Medium) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N **Affected Component:** Facebook Authentication Logging **Version:** Para v1.50.6 **File Path:** para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java **Vulnerable Line(s):** Line 184 (logger.warn(...) with raw access token) Technical Details: The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement: ```java logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);` ``` Here, `PROFILE_URL` is a constant: ```java private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token="; ``` This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level ...

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m65q-v92h-cm7q. This link is maintained to preserve external references. ### Original Description A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.