ghsa

Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the `set()` function and the current variable in the `/dottie.js` file.

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

### Issue Snowflake was informed via our bug bounty program of a command injection vulnerability in the Snowflake NodeJS driver via SSO browser URL authentication. ### Impacted driver package: snowflake-connector-nodejs ### Impacted version range: before [Version 1.6.21](https://community.snowflake.com/s/article/Node-js-Driver-Release-Notes) ### Attack Scenario In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. ### Solution On April 1...

### Issue Snowflake was informed via our bug bounty program of a command injection vulnerability in the Snowflake Golang driver via SSO browser URL authentication. ### Impacted driver package: gosnowflake ### Impacted version range: before [Version 1.6.19](https://community.snowflake.com/s/article/Go-Snowflake-Driver-Release-Notes) ### Attack Scenario In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. ### Solution On March 21, 2023, Sn...

### Issue Snowflake was informed via our bug bounty program of a command injection vulnerability in the Snowflake Python connector via SSO browser URL authentication. ### Impacted driver package: snowflake-connector-python ### Impacted version range: before [Version 3.0.2](https://community.snowflake.com/s/article/Snowflake-Connector-for-Python-Release-Notes) ### Attack Scenario In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. ### ...

### Impact The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). The following steps can be used to reproduce the vulnerability: ``` # Create a new Gatsby project $ npm init gatsby $ cd my-gatsby-site # Start the Gatsby develop server $ gatsby develop # Execute the Local File Inclusion vulnerability in __file-code-frame $ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1" # Execute the Local File Inclusion vulnerability in __original-stack-frame $ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1" ``` It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options...

### Impact There are two separate security vulnerabilities here: (1) a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps (2) the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs ### Patches Both problems have been solved, please upgrade `gradio` to `3.34.0` or higher ### Workarounds Not possible to workaround except by taking down any shared Gradio apps ### References Relevant PRs: * https://github.com/gradio-app/gradio/pull/4406 * https://github.com/gradio-app/gradio/pull/4370

### Impact Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the `javascript:` scheme. As a result, links with JavaScript URLs can be inserted into the Plate editor through various means, including opening or pasting malicious content. ### Patches `@udecode/plate-link` 20.0.0 resolves this issue by introducing an `allowedSchemes` option to the link plugin, defaulting to `['http', 'https', 'mailto', 'tel']`. URLs using a scheme that isn't in this list will not be rendered to the DOM. ### Workarounds If you are unable to update `@udecode/plate-link` to version 20.0.0, we recommend overriding the `LinkElement` and `PlateFloatingLink` components with implementations that explicitly check the URL scheme before rendering any anchor elements.

NOTE: rails-ujs is part of Rails/actionview since 5.1.0. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute. This vulnerability has been assigned the CVE identifier CVE-2023-23913. Not affected: < 5.1.0 Versions Affected: >= 5.1.0 Fixed Versions: 6.1.7.3, 7.0.4.3 Impact If the specified malicious HTML clipboard content is provided to a contenteditable element, this could result in the arbitrary execution of javascript on the origin in question. Releases The FIXED releases are available at the normal locations. Workarounds We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can attempt to mitigate this vulnerability by removing the contenteditable at...

There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code. This vulnerability has been assigned the CVE identifier CVE-2023-27531. 'Not affected: None.' 'Versions Affected: All.' 'Fixed Versions: 1.3.0.1' Impact Carefully crafted JSON data processed by Kredis may result in deserialization of untrusted data, potentially leading to deserialization of unexpected objects in the system. Any applications using Kredis with JSON are affected. Releases The fixed releases are available at the normal locations. Workarounds There are no feasible workarounds for this issue. Patches To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 1-3-0-1-kredis.patch - Patch for 1.3.0 series Credits Thank you ooooooo_k 7 for reporting this!