Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-762v-rq7q-ff97: Mattermost Server vulnerable to application crash from attacker-generated large response

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by sending a specially crafted request to Playbooks.

ghsa
#git
GHSA-762g-9p7f-mrww: Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks

GHSA-7mqj-xgf8-p59v: Apache NiFi Cross-site Scripting vulnerability

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

GHSA-25pw-q952-x37g: Duplicate Advisory: pyload-ng vulnerable to RCE with js2py sandbox escape

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r9pp-r4xf-597r. This link is maintained to preserve external references. ## Original Description An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.

GHSA-v9xq-2mvm-x8xc: Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

### Impact IdentityServer's local API authentication handler performs insufficient validation of the `cnf` claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the `LocalApiAuthenticationHandler` for authentication. It does not impact: - OAuth or OIDC protocol endpoints defined by IdentityServer, such as the authorize and token endpoints. - Typical UI pages within an IdentityServer implementation, which are not normally authorized with the local API authentication handler. - The use of DPoP to create sender-constrained tokens in IdentityServer that are consumed by external API resources. - The use of DPoP to sender-constrain refresh tokens issued to public clients. ## Are you affected? This vulnerability only affects IdentityServer implementations that a...

GHSA-wcx9-ccpj-hx3c: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect')

### Summary An issue on Coder's login page allows attackers to craft a Coder URL that when clicked by a logged in user could redirect them to a website the attacker controls, e.g. https://google.com. ### Details On the login page, Coder checks for the presence of a `redirect` query parameter. On successful login, the user would be redirected to the location of the parameter. Improper sanitization allows attackers to specify a URL outside of the Coder application to redirect users to. ### Impact Coder users could potentially be redirected to a untrusted website if tricked into clicking a URL crafted by the attacker. Coder authentication tokens are **not** leaked to the resulting website. To check if your deployment is vulnerable, visit the following URL for your Coder deployment: - `https://<coder url>/login?redirect=https%3A%2F%2Fcoder.com%2Fdocs` ### Patched Versions This vulnerability is remedied in - v2.16.1 - v2.15.3 - v2.14.4 All versions prior to 2.3.1 are not affected. ###...

GHSA-j945-c44v-97g6: MPXJ has a Potential Path Traversal Vulnerability

### Impact The patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete as there is still a possibility that a malicious path could be constructed which would not be picked up by the original fix and allow files to be written to arbitrary locations. ### Patches The issue is addressed in MPXJ version 13.5.1 ### Workarounds Do not pass zip files to MPXJ. ### References N/A

GHSA-ghjw-32xw-ffwr: Argo Workflows Controller: Denial of Service via malicious daemon Workflows

### Summary Due to a race condition in a global variable, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. This was resolved by https://github.com/argoproj/argo-workflows/pull/13641 ### Details These two lines introduce a data race in the underlying SPDY implementation of the Kubernetes API client. If a second request is made before the first completes, it results in a panic due to a null pointer. * https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L49 * https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75 This appears to have been added in this commit https://github.com/argoproj/argo-workflows/commit/9756babd0ed589d1cd24592f05725f748f74130b / #13265 / v3.6.0-rc1 ### PoC With the `KUBECONFIG` variable set to an appropriate file with `create` permissions for the `W...

GHSA-hm57-h27x-599c: Mattermost incorrectly issues two sessions when using desktop SSO

Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 incorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.