Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-7m5c-fgwf-mwph: Spring HATEOAS vulnerable to Improper Neutralization of HTTP Headers for Scripting Syntax

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and possibly discard) forwarded headers either in WebFlux or at the level of the underlying HTTP server. For the application to be affected, it needs to satisfy the following requirements: * It needs to use the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses. * The application infrastructure does not guard against clients submitting (X-)Forwarded… headers.

ghsa
Open in Source
#web#git#java#maven
GHSA-9x44-9pgq-cf45: avro vulnerable to denial of service via attacker-controlled parameter

### Summary A well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. ### Details The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice. In the reproducer below, the first few bytes determine the size of the slice. The root cause is on line 239 here: https://github.com/hamba/avro/blob/3abfe1e6382c5dccf2e1a00260c51a64bc1f1ca1/reader.go#L216-L242 ### PoC The issue was found during a security audit of Dapr, and I attach a reproducer that shows how the issue affects Dapr. Dapr uses an older version of the avro library, but it is also affected if bumping avro to latest. To reproduce: ```bash cd /tmp git clone --depth=1 https://github.com/dapr/components-contrib cd components-contrib/pubsub/pulsar ``` now add this test to the `pulsar_test.go`: ```golang func TestPa...

GHSA-8c6q-26w6-qwhg: Easy!Appointments Improper Access Control vulnerability

Easy!Appointments 1.4.3 and prior has an Improper Access Control vulnerability. This issue is patched at commit b37b46019553089db4f22eb2fe998bca84b2cb64 and anticipated to be part of version 1.5.0.

GHSA-9m93-w8w6-76hh: Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

GHSA-hx4h-676r-j3qp: layui vulnerable to cross-site scripting

A vulnerability, which was classified as problematic, was found in layui up to v2.8.0-rc.16. This affects an unknown part of the component HTML Attribute Handler. The manipulation of the argument title leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.8.0 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-234237 was assigned to this vulnerability.

GHSA-q347-jrx8-5pw9: Admidio vulnerable to Unrestricted Upload of File with Dangerous Type

Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10.

GHSA-x2ph-qqwm-9cc6: CleverTap Cordova plugin vulnerable to Cross-site Scripting

CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker. This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them.

GHSA-vc79-65pr-q82v: rswag vulnerable to arbitrary JSON and YAML file read via directory traversal

rswag before 2.10.1 allows remote attackers to read arbitrary JSON and YAML files via directory traversal, because rswag-api can expose a file that is not the OpenAPI (or Swagger) specification file of a project.

GHSA-pxfv-7rr3-2qjg: copyparty vulnerable to path traversal attack affecting all subfolders in http://localhost:3923/.cpr/ subfolder

### Summary Path traversal vulnerability detected in .cpr subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. Tested in Debian Linux. ### Details Steps to reproduce: 1)Install the software python3 -m pip install --user -U copyparty 2)Execute using the default config : copyparty 3) Execute the POC curl command 4) /etc/passwd file of the remote server is accessible. ### PoC ```bash curl -i -s -k -X GET 'http://172.19.1.2:3923/.cpr/%2Fetc%2Fpasswd' ``` Additional examples: http://172.19.4.2:3923/.cpr/a/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd http://172.19.4.2:3923/.cpr/deps/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd ### Checking for exposure if copyparty is running behind a reverse proxy, you can check the access-logs for traces of attacks, by grepping your access...

GHSA-7xr2-8ff7-6fjq: zenstruck/collection passing callable string to EntityRepository::find() and query()

### Impact Passing _callable strings_ (ie `system`) caused the function to be executed. ### Patches Fixed in [v0.2.1](https://github.com/zenstruck/collection/releases/tag/v0.2.1). ### Workarounds Do not allow passing user strings to `EntityRepository::find()` or `query()`. ### References [Fix commit](https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c).