Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-jm6m-4632-36hf: Composer Remote Code Execution vulnerability via web-accessible composer.phar

### Impact Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini. ### Patches 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. ### Workarounds Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

ghsa
Open in Source
#vulnerability#web#git#php#rce
GHSA-hq58-p9mv-338c: CometBFT's default for `BlockParams.MaxBytes` consensus parameter may increase block times and affect consensus participation

## Amulet Security Advisory for CometBFT: ASA-2023-002 **Component**: CometBFT **Criticality:** Low **Affected versions:** All **Affected users:** Validators, Chain Builders + Maintainers # Summary A default configuration in CometBFT has been found to be large for common use cases, and may affect block times and consensus participation when fully utilized by chain participants. It is advised that chains consider their specific needs for their use case when setting the `BlockParams.MaxBytes` consensus parameter. Chains are encouraged to evaluate the impact of having proposed blocks with the maximum allowed block size, especially on bandwidth usage and block latency. Additionally, the `timeout_propose` parameter should be computed using the maximum allowed block size as a reference. This issue does not represent an actively exploitable vulnerability that would result in a direct loss of funds, however it may have a slight impact on block latency depending on a network’s topography. W...

GHSA-rhrv-645h-fjfh: Apache Avro Java SDK vulnerable to Improper Input Validation

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

GHSA-c4rv-2j6x-pq7x: Rdiffweb Allocation of Resources Without Limits or Throttling vulnerability

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.4.

GHSA-rp65-jpc7-8h8p: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.

GHSA-h8wh-f7gw-fwpr: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.

GHSA-33r7-wjfc-7w98: Mattermost Uncontrolled Resource Consumption vulnerability

Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users.

GHSA-9hwp-cj7m-wjw4: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of

GHSA-h69v-mvh9-hfrq: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager

GHSA-9jvx-p6mq-fw4v: pretix allows Pillow to parse EPS files

pretix before 2023.7.2 allows Pillow to parse EPS files.