Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-qxqc-27pr-wgc8: GoAuthentik vulnerable to Insufficient Authorization for several API endpoints

### Summary Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this: - `/api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/` - `/api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/` - `/api/v3/.../used_by/` Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. ### Patches authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue. ### Workarounds Access to the API endpoints can be blocked at a Reverse-proxy/Load balancer level to prevent this issue from being exploited. ### For more information If you have any questions or comments about this advisory: - Email us at [[email protected]](mailto:[email protected])

ghsa
#oauth#auth
GHSA-hrf9-rm95-fpf3: Mattermost Cross-Site Request Forgery vulnerability

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system console.

GHSA-5263-pm2h-m7hw: Mattermost doesn't restrict which roles can promote a user as system admin

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.

GHSA-c6vp-jjgv-38wj: Mattermost allows remote/synthetic users to create sessions, reset passwords

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

GHSA-4ww8-fprq-cq34: Mattermost doesn't redact remote users' original email addresses

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.

GHSA-cgrq-wvfj-v28j: Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users

Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users.

GHSA-fpgj-cr28-fvpx: CWA-2024-006: wasmd non-deterministic module_query_safe query

**Component:** wasmd **Criticality:** Medium ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Moderate; L:Likely) **Patched versions:** wasmd 0.53.0 See [CWA-2024-006](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-006.md) for more details.

GHSA-g8w7-7vgg-x7xg: CWA-2024-005: Stackoverflow in wasmd

**Component:** wasmd **Criticality:** High ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Critical; L:Likely) **Patched versions:** wasmd 0.53.0, 0.46.0 See [CWA-2024-005](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-005.md) for more details.

GHSA-w5pw-gmcw-rfc8: squirrelly Code Injection vulnerability

squirrellyjs squirrelly v9.0.0 was discovered to contain a code injection vulnerability via the component `options.varName`. The issue was fixed in version 9.1.0.

GHSA-w7cp-g8v7-r54m: Apache Airflow Cross-site Scripting Vulnerability

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.