Source
ghsa
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or to create a new HTTP request, but only if the attacker controls the HTTP version of the request. This issue has been patched in version 3.9.0. meraki from version 1.40.1 requires aiohttp 3.9.0.
### Impact

quiche v0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.

QUIC path validation ([RFC 9000 Section 8.2](https://datatracker.ietf.org/doc/html/rfc9000#section-8.2)) requires that the recipient of a PATH_CHALLENGE frame respond by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at a slower rate than they are received, leading to storage of path validation data in an unbounded queue.

### Patches

quiche versions greater than 0.19.0 address this problem.

### References

[CVE-2023-6193](https://www.cve.org/CVERecord?id=CVE-2023-6193)
[RFC 9000 Section 8.2](https://datatracker.ietf.org/doc/html/rfc9000#section-8.2)
### Impact

SAP BTP Security Services Integration Library ([Python] sap-xssec) allows, under certain conditions, an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

### Patches

Upgrade to patched version >= 4.1.0. We always recommend upgrading to the latest released version.

### Workarounds

No workarounds.

### References

https://www.cve.org/CVERecord?id=CVE-2023-50423
### Impact

SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) allows, under certain conditions, an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

### Patches

Upgrade to patched version >= 0.17.0. We always recommend upgrading to the latest released version.

### Workarounds

No workarounds.

### References

https://www.cve.org/CVERecord?id=CVE-2023-50424
### Impact

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) allows, under certain conditions, an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

### Patches

Upgrade to patched version >= 2.17.0 or >= 3.3.0. We always recommend upgrading to the latest released version.

### Workarounds

No workarounds.

### References

https://www.cve.org/CVERecord?id=CVE-2023-50422
### Summary

As of Wasmer version v4.2.3, Wasm programs can access the filesystem outside of the sandbox.

### Details

https://github.com/wasmerio/wasmer/issues/4267

### PoC

A minimal Rust program:

```rust
fn main() {
    // Create a new file named "abc" in the current working directory.
    // With a correctly enforced sandbox this should fail when no
    // directory has been granted to the guest via `--dir`.
    let _f = std::fs::OpenOptions::new()
        .write(true)
        .create_new(true)
        .open("abc")
        .unwrap();
}
```

This should be compiled with `cargo build --target wasm32-wasi`. The compiled program, when run with wasmer WITHOUT `--dir`, can still create a file in the working directory.

### Impact

Service providers running untrusted Wasm code on Wasmer can unexpectedly expose the host filesystem.
### Summary

When parsing the attributes passed to a `use` tag inside an SVG document, an attacker can cause the parser to enter infinite recursion. Depending on the system configuration and attack pattern, this could exhaust the memory available to the executing process and/or to the server itself.

### Details

Inside `Svg\Tag\UseTag::before`, php-svg-lib parses the attributes passed to a `use` tag inside an SVG document. When it finds a `href` or `xlink:href`, it tries to retrieve the object representing the referenced tag:

```php
$link = $attributes["href"] ?? $attributes["xlink:href"];
$this->reference = $document->getDef($link);

if ($this->reference) {
    $this->reference->before($attributes);
}
```

`$document->getDef` is implemented as follows:

```php
public function getDef($id)
{
    $id = ltrim($id, "#");

    return isset($this->defs[$id]) ? $this->defs[$id] : null;
}
```

_Note:_ the `$id` in the above method is actually the _link_ being used in the `use` tag. This part is important, because thi...
#### Impact

A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user into loading the media directly in a browser, the scripts can be executed.

#### Workaround

Implement the server-side file validation described at https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation, or serve all media from a different host (e.g. a CDN) than the one where Umbraco is hosted.
#### Impact

A brute force exploit that can be used to collect valid usernames is possible.
#### Impact

A user enumeration attack is possible when SMTP is not set up correctly but password reset is enabled.