Source
ghsa
### Impact

JupyterHub deployments running DockerSpawner 0.11.0 or later without an explicit `DockerSpawner.allowed_images` configuration allow users to launch _any_ pullable image, instead of restricting them to the single configured image as intended.

### Patches

Upgrade to DockerSpawner 13.

### Workarounds

Explicitly setting `DockerSpawner.allowed_images` to a non-empty list containing only the default image restores the intended default behavior:

```python
c.DockerSpawner.image = "your-image"
c.DockerSpawner.allowed_images = ["your-image"]
```
An issue present in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.
Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.0.
Gladys Assistant v4.27.0 and prior is vulnerable to Directory Traversal. The patch of CVE-2023-43256 was found to be incomplete, allowing authenticated attackers to extract sensitive files in the host machine.
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are advised to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or later to fix this issue.
Cross-site Scripting (XSS) - Reflected in GitHub repository mlflow/mlflow prior to 2.9.0.
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.0. Unpublished and deleted product(s) can be added to checkout.
### Impact

The eventing-github cluster-local server doesn't set `ReadHeaderTimeout`, which could lead to a DDoS attack where a large group of users send requests to the server, causing it to hang long enough to deny availability to other users. This is also known as a Slowloris attack.

### Patches

Fixed in `v1.12.1` and `v1.11.3`.

### Credits

The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.
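The missing setting described above, shown on a plain Go `net/http` server as an added example (this is not Knative's code): `newServer(false)` reproduces a server with no `ReadHeaderTimeout`, `newServer(true)` sets one, and `stalledHeaderClosed` checks whether a connection that never finishes sending its headers is dropped. The 500 ms timeout, the loopback port and the partial request are constructed for this demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"time"
)

// newServer starts an http.Server on a random loopback port. hardened=false mirrors
// the reported weakness (no ReadHeaderTimeout); hardened=true sets the timeout.
func newServer(hardened bool) (*http.Server, net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "ok")
	})}
	if hardened {
		srv.ReadHeaderTimeout = 500 * time.Millisecond // demo value; tune for real traffic
	}
	go srv.Serve(ln)
	return srv, ln, nil
}

// stalledHeaderClosed sends an incomplete request (request line, one header, never the
// blank line) and reports whether the server closed the connection within `wait`.
func stalledHeaderClosed(addr string, wait time.Duration) (bool, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	fmt.Fprint(conn, "GET / HTTP/1.1\r\nHost: example\r\n") // headers never completed
	conn.SetReadDeadline(time.Now().Add(wait))
	_, err = conn.Read(make([]byte, 1))
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // still open after `wait`: no server-side header timeout
	}
	return err != nil, nil // EOF/reset: the server dropped the stalled connection
}
func main() {
	srv, ln, err := newServer(true)
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	closed, _ := stalledHeaderClosed(ln.Addr().String(), 2*time.Second)
	fmt.Println("stalled connection closed by hardened server:", closed)
}
```

Without the timeout the stalled connection stays open for as long as the client likes, which is exactly the resource a Slowloris-style client exhausts; with it, the server frees the connection after the configured interval.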
A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial "completion" context, the processing switches to the cached Uni instead of the request context. This is a problem if the cached Uni context contains sensitive information, and could allow a malicious user to benefit from a POST request returning the response that is meant for another user, gaining access to sensitive data.
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.