Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-fpr8-4wvx-j9q3: node-qpdf vulnerable to command injection

All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.

ghsa
Open in Source
#git#pdf
GHSA-7x94-6g2m-3hp2: Defining resource name as integer may give unintended access in vantage6

### Impact Malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. The best solution we see is therefore to check when resources are created or modified, that the resource name always starts with a character. ### Patches To be done, probably in v3.9 ### Workarounds None

GHSA-gc57-xhh5-m94r: Improper Access Control in vantage6

### Impact The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, currently it is only checked if the user has permission to view the collaboration. ### Patches No ### Workarounds None ### References None ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])

GHSA-5m22-cfq9-86x6: Pickle serialization vulnerable to Deserialization of Untrusted Data

### What We are using pickle as default serialization module but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9). In summary, it is not advisable to open Pickles that you create yourself locally. In vantage6, algorithms use pickles to send aggregated data around and to pack algorithm input or output. All of the Python algorithms that use the wrappers with default serialization are therefore vulnerable to this issue. Solution: we should use JSON instead ### Impact All users of vantage6 that post tasks with algorithms that use the default serialization. The default serialization is used by default with all algorithm wrappers. ### Patches Not yet ### Workarounds Specify JSON serialization

GHSA-cvwv-h85m-w37h: Cross-site Scripting (XSS) in froxlor/froxlor

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22.

GHSA-5ghm-h2wq-g3mh: Allocation of Resources Without Limits or Throttling in vriteio/vrite

Allocation of Resources Without Limits or Throttling in GitHub repository vriteio/vrite prior to 0.3.0.

GHSA-w35p-wxwj-rcm9: Server-Side Request Forgery (SSRF) in vriteio/vrite

Server-Side Request Forgery (SSRF) in GitHub repository vriteio/vrite prior to 0.3.0.

GHSA-44ff-9w4f-99w6: Improper Input Validation in vriteio/vrite

Improper Input Validation in GitHub repository vriteio/vrite prior to 0.3.0.

GHSA-j5hq-6frc-64v3: Cross-site Scripting (XSS) in froxlor/froxlor

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.

GHSA-rm7j-f5g5-27vv: Denial of Service in JSON-Java

Denial of Service in JSON-Java versions prior to 20230618.  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.