Source
ghsa
### Impact Apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. ### Workarounds This issue is exploitable under either of two conditions: * If an API exposed to the main world via `contextBridge` can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. * If an API exposed to the main world via `contextBridge` has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge ...
### Impact A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. Details about this bug will be released within 4-8 weeks, as per our official [vulnerability disclosure policy](https://geth.ethereum.org/docs/developers/geth-developer/disclosures). ### Patches The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. ### Workarounds No known workarounds. ### Credits This bug was reported by Patrick McHardy and reported via [[email protected]](mailto:[email protected]). ### References
### Impact All users on Windows are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. ### Patches There are two patches that fix this problem comprehensively ``` commit b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc Author: Harshavardhana <[email protected]> Date: Mon Mar 20 13:16:00 2023 -0700 reject object names with '\' on windows (#16856) ``` ``` commit 8d6558b23649f613414c8527b58973fbdfa4d1b8 Author: Harshavardhana <[email protected]> Date: Mon Mar 20 00:35:25 2023 -0700 fix: convert '\' to '/' on windows (#16852) ``` ### Workarounds There are no known workarounds ### References The vulnerable code: ```go // minio/cmd/generic-handlers.go // Check if the incoming path has bad path components, // such as ".." and "." // SlashSep...
### Impact A Content-Security-Policy that disables eval, specifically setting a `script-src` directive and _not_ providing `unsafe-eval` in that directive, is not respected in renderers that have sandbox and contextIsolation disabled. i.e. `sandbox: false` and `contextIsolation: false` in the `webPreferences` object. This resulted in incorrectly allowing usage of methods like `eval()` and `new Function`, which can result in an expanded attack surface. ### Patches This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes: - 22.0.1 - 23.0.0-alpha.2 We recommend all apps upgrade to the latest stable version of Electron, especially if they use `sandbox: false` or `contextIsolation: false`. ### Workarounds If upgrading isn't possible, this issue can be addressed without upgrading by enabling at least one of `sandbox: true` or `contextIsolation: true` on all ren...
An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0.
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.
Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.
Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.
A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0.