ghsa

The family of functions to read "borrowed" values from Python weak references were fundamentally unsound, because the weak reference does itself not have ownership of the value. At any point the last strong reference could be cleared and the borrowed value would become dangling. In PyO3 0.22.4 these functions have all been deprecated and patched to leak a strong reference as a mitigation. PyO3 0.23 will remove these functions entirely.

### Impact Illegal access can be granted to the system. ### References see https://sakaiproject.atlassian.net/browse/SAK-50571

Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in the markdown.

### Impact OpenCanary directly executed commands taken from its config file. Where the config file is stored in an unprivileged user directory but the daemon is executed by root, it’s possible for the unprivileged user to change the config file and escalate permissions when root later runs the daemon. Thanks to the folks at [Whirlylabs](https://whirlylabs.com/) for finding and fixing this. ### Patches Upgrade to 0.9.4 or higher.

## Summary Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, `HttpURI`, for URI/URL parsing. The `HttpURI` class does insufficient validation on the authority segment of a URI. However the behaviour of `HttpURI` differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically `HttpURI` and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks. ## Details ### Affected components The vulnerable component is the `HttpURI` class when used as a utility class in an application. The Jetty usage of the class is not vulnerable. ### Attack overview The `HttpURI` class does not well validate the authority section of a URI. When presented with an illega...

### Impact Remote DOS attack can cause out of memory ### Description There exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory. ### Affected Versions * Jetty 12.0.0-12.0.8 (Supported) * Jetty 11.0.0-11.0.23 (EOL) * Jetty 10.0.0-10.0.23 (EOL) * Jetty 9.3.12-9.4.55 (EOL) ### Patched Versions * Jetty 12.0.9 * Jetty 11.0.24 * Jetty 10.0.24 * Jetty 9.4.56 ### Workarounds Do not use `ThreadLimitHandler`. Consider use of `QoSHandler` instead to artificially limit resource utilization. ### References Jetty 12 - https://github.com/jetty/jetty.project/pull/11723

### Impact Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory. ### Patches * https://github.com/jetty/jetty.project/pull/9715 * https://github.com/jetty/jetty.project/pull/9716 ### Workarounds The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by: + not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead. + reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory. + configuring a session cache to use [session passivation](https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory. ### References * https://github.com/jetty/jetty.project/pull/10756 * https://github.com/jetty/j...

### Impact Clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0 ### Patches The bug will be released as part of SpiceDB 1.37.1 ### Workarounds Disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false` ``` --enable-experimental-lookup-resources=false ```

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.