Security Headlines: Latest CVEs

Source: ghsa (GitHub Security Advisories)

GHSA-532x-j9r7-8f73: Apache InLong: JDBC Vulnerability For URLEncode and backspace bypass

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 through 2.1.0. It allows the JDBC URL checks to be bypassed using URL encoding and backspace characters. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747

GHSA-r324-vgr5-73c9: Apache InLong: JDBC Vulnerability during verification processing

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 through 2.1.0. It is a follow-up bypass of the fix for CVE-2024-26579. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732

GHSA-69rh-hccr-cxrj: Laravel Rest Api has a Search Validation Bypass

A validation bypass vulnerability exists in versions prior to 2.13.0, where multiple validations defined for the same attribute could be silently overridden. Because the framework merged validation rules across multiple contexts (such as the index, store, and update actions) by overwriting rather than combining them, a malicious actor could craft requests that bypass the expected validation rules, potentially injecting unexpected or dangerous parameters into the application. Impact: this could lead to unauthorized data being accepted or processed by the API, depending on the context in which the validation was bypassed. Patch: the issue was fixed in [PR #172](https://github.com/Lomkit/laravel-rest-api/pull/172) by ensuring that multiple rule definitions are merged correctly rather than overwritten.

GHSA-wjrh-hj83-3wh7: Django-Select2 Vulnerable to Widget Instance Secret Cache Key Leaking

### Impact
Instances of `HeavySelect2Mixin` subclasses like `ModelSelect2MultipleWidget` and `ModelSelect2Widget` can leak their secret access tokens across requests. This can allow users to access restricted querysets and restricted data.

### Patches
The problem has been patched in version 8.4.1 and all following versions.

### Workarounds
This vulnerability is limited to use cases where instances of widget classes are created during app loading (not during a request). Example of affected code:

```python
class MyForm(forms.ModelForm):
    class Meta:
        widgets = {"my_select_field": Select2ModelWidget()}
```

Django allows you to pass just the widget class (not an instance), so a fresh widget is built per form and the cross-request leak is avoided. Example of mitigated code:

```python
class MyForm(forms.ModelForm):
    class Meta:
        widgets = {"my_select_field": Select2ModelWidget}
```

### References
Thanks to @neartik for reporting this issue. I will address it later. I had to delete your iss...

GHSA-g88v-2j67-9rmx: Fess has Insecure Temporary File Permissions

### Summary
Fess (an open-source Enterprise Search Server) creates temporary files without restrictive permissions, which may allow local attackers to read sensitive information from these temporary files.

### Details
The `createTempFile()` method in `org.codelibs.fess.helper.SystemHelper` creates temporary files without explicitly setting restrictive permissions. This could lead to information disclosure, allowing unauthorized local users to access sensitive data contained in these files.

### Impact
This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact.

### Workarounds
Ensure local access to the environment running Fess is restricted to trusted users only.

### References
- [CVE-2022-24823: Netty temporary file permissions vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2022-24823)

GHSA-8r88-6cj9-9fh5: auth-js Vulnerable to Insecure Path Routing from Malformed User Input

### Impact
The library functions `getUserById`, `deleteUser`, `updateUserById`, `listFactors` and `deleteFactor` did not require the user-supplied values to be valid UUIDs. This could lead to URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user-controlled inputs, such as the `userId`, are not affected by this.

### Patches
Strict value checks have been added to all affected functions. These functions now require that the `userId` and `factorId` parameters are valid UUIDs (v4).

**Patched version:** >= 2.69.1

### Workarounds
Implementations that validate user-controlled inputs, such as the `userId`, before passing them to the library are not affected. It is recommended that users of the auth-js library always follow security best practice and validate all inputs before passing them to other functions or libraries.

### References
https://github.com/supabase/auth-js/pull/1063
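
The following is an added illustration of the bug class described above; it is not auth-js code. It models a hypothetical admin client that builds REST paths from caller-supplied ids (the base URL and the `admin/users/...` layout are assumptions) and contrasts the unchecked builder with one that enforces UUID v4 before the value reaches the URL. Resolving the built path against the base URL shows how a traversal string, plain or percent-encoded, lands on a different route.

```javascript
// Added illustration of the auth-js bug class, not the library's own code.
// BASE_URL and the /admin/users/... layout are assumptions for the example.
const BASE_URL = 'https://auth.example.internal/';

// RFC 4122 v4: version nibble is 4, variant nibble is 8, 9, a or b.
const UUID_V4 =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function isUuidV4(value) {
  return typeof value === 'string' && UUID_V4.test(value);
}

function requireUuidV4(name, value) {
  if (!isUuidV4(value)) {
    throw new TypeError(`${name} must be a UUID v4, got ${JSON.stringify(value)}`);
  }
  return value;
}

// Vulnerable pattern: the id goes straight into the path. Resolving against the
// base URL shows which route the request would actually hit; the WHATWG parser
// collapses both ".." and "%2e%2e" segments.
function unsafeUserPath(userId) {
  return new URL(`admin/users/${userId}`, BASE_URL).pathname;
}

// Hardened pattern: validate before the value reaches the URL builder.
function safeUserPath(userId) {
  return new URL(`admin/users/${requireUuidV4('userId', userId)}`, BASE_URL).pathname;
}

function safeFactorPath(userId, factorId) {
  requireUuidV4('userId', userId);
  requireUuidV4('factorId', factorId);
  return new URL(`admin/users/${userId}/factors/${factorId}`, BASE_URL).pathname;
}

// Runs one input through both builders and reports what each produced.
function compare(userId) {
  let safe;
  try {
    safe = safeUserPath(userId);
  } catch (e) {
    safe = `rejected: ${e.message}`;
  }
  return { unsafe: unsafeUserPath(userId), safe };
}

// Constructed sample inputs: one valid id and two traversal strings.
const SAMPLES = [
  '123e4567-e89b-42d3-a456-426614174000',
  '../../generate_link',
  '%2e%2e/%2e%2e/generate_link',
];

for (const id of SAMPLES) {
  console.log(id, compare(id));
}
```

The point is the resolved path: both traversal inputs end up at `/generate_link` through the unchecked builder, while the checked builder never constructs a URL from them. Validating at the library boundary, as the patch does, protects callers that forgot to validate themselves.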

GHSA-v8wj-f5c7-pvxf: Strapi allows Server-Side Request Forgery in Webhook function

## Description
In the latest version of Strapi, under Settings -> Webhooks, the application lets us enter a URL in order to create a webhook connection. However, we can enter local addresses into this field, such as `localhost`, `127.0.0.1`, `0.0.0.0`, ..., to make the application fetch from itself, which is a Server-Side Request Forgery (SSRF) vulnerability.

## Payloads
- `http://127.0.0.1:80` -> the port is not open
- `http://127.0.0.1:1337` -> the port Strapi is running on

## Steps to Reproduce
- First, enter the URL `http://127.0.0.1:80` into the `URL` field and click "Save".
  ![CleanShot 2024-06-04 at 22 45 17@2x](https://github.com/strapi/strapi/assets/71650574/7336b817-cb61-41e6-9b3f-87151d8667e9)
- Next, use the "Trigger" function and use Burp Suite to capture the request / response.
  ![CleanShot 2024-06-04 at 22 47 50@2x](https://github.com/strapi/strapi/assets/71650574/659f1bbe-6b03-456c-a9c2-5187fca20dd6)
...
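
As an added example of the check a webhook feature needs before it fetches a user-supplied URL (generic illustration code, not Strapi's implementation; the function names and result shape are assumptions), the validator below parses the URL with the WHATWG `URL` class and rejects loopback, unspecified, RFC 1918, link-local and IPv6-local targets. Relying on `URL.hostname` matters because the parser normalizes alternative IPv4 spellings such as `2130706433` or `0x7f000001` to `127.0.0.1` before the deny list sees them.

```javascript
// Added example of an outbound-URL deny list for webhook targets.
// Generic illustration, not Strapi code; names and result shape are assumed.

// Returns the four octets of a dotted-quad string, or null if it is not one.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Unspecified, loopback, RFC 1918 and link-local (cloud metadata lives there).
function isInternalIPv4([a, b]) {
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

function isInternalHost(hostname) {
  // The WHATWG parser keeps IPv6 literals bracketed in .hostname.
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  const v4 = parseIPv4(h);
  if (v4) return isInternalIPv4(v4);
  if (h.includes(':')) {
    if (h === '::' || h === '::1') return true;
    // Unique-local fc00::/7 and link-local fe80::/10, as the parser serializes them.
    if (/^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return true;
    // IPv4-mapped addresses are serialized in hex, e.g. ::ffff:7f00:1 for 127.0.0.1.
    const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
    if (mapped) {
      const hi = parseInt(mapped[1], 16);
      const lo = parseInt(mapped[2], 16);
      return isInternalIPv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
    }
  }
  return false;
}

// Returns { ok: true, href } for an acceptable target, otherwise { ok: false, reason }.
function checkWebhookUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'not a valid absolute URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} is not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in the URL are not allowed' };
  }
  if (isInternalHost(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is internal` };
  }
  return { ok: true, href: url.href };
}

// Constructed sample inputs, including the two payloads from the report.
const WEBHOOK_SAMPLES = [
  'http://127.0.0.1:80',
  'http://127.0.0.1:1337',
  'http://2130706433/',
  'http://[::1]:1337/',
  'http://169.254.169.254/latest/meta-data/',
  'https://hooks.example.com/in',
];

for (const raw of WEBHOOK_SAMPLES) {
  console.log(raw, checkWebhookUrl(raw));
}
```

This literal-address check is necessary but not sufficient: a public hostname can resolve to an internal address, and DNS rebinding can change the answer between validation and fetch. A complete fix also checks the resolved address at connection time and applies the same check to every redirect the webhook client follows.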

GHSA-2xv9-ghh9-xc69: radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

### Impact
This is a prototype pollution vulnerability. It affects users of the `set` function in the Radashi library. If an attacker can control parts of the `path` argument to `set`, they could modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.

### Patches
The vulnerability has been patched in commit [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66). Users should upgrade to a version of Radashi that includes this commit. The fix uses a new helper function, `isDangerousKey`, to prevent the use of `__proto__`, `prototype`, or `constructor` as keys in the path, throwing an error if any are encountered. This check is skipped for objects with a `null` prototype, where those keys are ordinary own properties.

### Workarounds
Users on older versions can mitigate this vulnerability by sanitizing the...
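
The following is an added, minimal model of the bug class and of the guard the advisory describes; it is hypothetical code, not radashi's `set` or its `isDangerousKey`. `unsafeSet` walks a dotted path and assigns at the end, so a path beginning with `__proto__` or `constructor.prototype` lands on `Object.prototype` and every object in the process inherits the new property. `safeSet` refuses those keys unless the node being traversed has a null prototype, where they are plain own properties and cannot reach anything shared. The demo cleans up after itself so the pollution does not outlive the check.

```javascript
// Added illustration of prototype pollution through a deep `set` helper.
// Hypothetical minimal code, not radashi's implementation.

const DANGEROUS_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// 'a.b[0].c' -> ['a', 'b', '0', 'c']
function parsePath(path) {
  return String(path).split(/[.[\]]+/).filter((k) => k.length > 0);
}

// A dangerous key is harmless on a null-prototype object: with nothing
// inherited, '__proto__' or 'constructor' is just an own data property there.
function isDangerousKey(key, node) {
  return DANGEROUS_KEYS.has(key) && Object.getPrototypeOf(node) !== null;
}

// Shared walker; `guard` decides whether dangerous keys are refused.
function walk(target, path, value, guard) {
  const keys = parsePath(path);
  if (keys.length === 0) return target;
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (guard && isDangerousKey(key, node)) {
      throw new Error(`refusing to traverse key "${key}"`);
    }
    if (node[key] === undefined || node[key] === null) {
      node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    node = node[key];
  }
  const last = keys[keys.length - 1];
  if (guard && isDangerousKey(last, node)) {
    throw new Error(`refusing to assign key "${last}"`);
  }
  node[last] = value;
  return target;
}

const unsafeSet = (target, path, value) => walk(target, path, value, false);
const safeSet = (target, path, value) => walk(target, path, value, true);

// Shows the pollution, the guard, and the null-prototype exception.
function demonstrate() {
  const bystander = {};               // never passed to set()
  const before = bystander.polluted;  // undefined

  unsafeSet({}, '__proto__.polluted', true);
  const after = bystander.polluted;   // true: inherited from Object.prototype
  delete Object.prototype.polluted;   // undo the damage for the rest of the process

  let blocked = false;
  try {
    safeSet({}, 'constructor.prototype.polluted', true);
  } catch (e) {
    blocked = true;
  }

  // Null-prototype container: '__proto__' becomes an own property, so it is allowed.
  const bag = safeSet(Object.create(null), '__proto__.x', 1);
  const ownProto = Object.prototype.hasOwnProperty.call(bag, '__proto__');

  return { before, after, blocked, ownProto, stillClean: bystander.polluted };
}

console.log(demonstrate());
```

The `before`/`after` pair is the whole attack: an object that was never touched gains a property because the shared prototype was written through a path the caller controlled. Any place where user input (JSON bodies, query strings, form fields) becomes a `set` path needs the guard or an allow-list of expected keys.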

GHSA-q5q7-8x6x-hcg2: ActiveMQ Artemis AMQ Broker Operator Starting Credentials Reuse

A flaw was found in ActiveMQ Artemis. The password generated by activemq-artemis-operator is not regenerated between separate CR dependencies, so the same starting credentials are reused across them.

GHSA-5qwj-342r-h886: pypickle unsafe deserialization vulnerability

A vulnerability was found in erdogant pypickle up to 1.1.5 and classified as problematic. Affected by this issue is the function `load` in the file `pypickle/pypickle.py`. Manipulation of the input leads to deserialization of untrusted data. Local access is required to carry out this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 addresses this issue. The patch is identified as 14b4cae704a0bb4eb6723e238f25382d847a1917. It is recommended to upgrade the affected component.