ghsa

jose4j before v0.9.3 allows attackers to set a low PBES2 iteration count of 1000 or less.

light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.

Dromara Sureness before v1.0.8 was discovered to use a hardcoded key.

Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

### Impact Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. ### Patches Users should upgrade to version 3.7.0 where the "Custom Filter" input is turned off by default. You can find out more information on how to turn it back on [here](https://github.com/man-group/dtale#custom-filter) ### Workarounds The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users. ### References See "Custom Filter" [documentation](https://github.com/man-group/dtale#custom-filter)

### Impact Panic vulnerability when a specially crafted payload is used. This is because of the following calculation: ```rust inner_payload_len + (4 - inner_payload_len % 4) % 4 ``` If `inner_payload_len` is `0xffffffff`, `(4 - inner_payload_len % 4) % 4 = 1` so ```rust inner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX + 1 ``` which overflow. ### Patches Check that `inner_payload_len` is not above 64 which should never be the case. Patched in version 0.0.8 ### Workarounds Sanitize input payload before it is passed to the vulnerable function so that bytes in `payload[32..32+4]` and parsed as a `u32` is not above 64. ### References GitHub issue #58

### Impact An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the host system. ### Details Through the WEB CLI interface provided by koko, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. ``` admin> const { execSync } = require("child_process") admin> console.log(execSync("id; hostname;").toString()) uid=0(root) gid=0(root) groups=0(root) jms_koko admin> ``` ### Patches Safe versions: - v2.28.20 - v3.7.1 ### Workarounds It is recommended to upgrade the safe versions. After upgrade, you can use the same method to check whether the vulnerability is fixed. ``` admin> console.log(execSync("id; hostname;").toString()) /bin/sh: line 1: /bin/hostname: Permission denied ``` ### References Thanks for **Oskar Zeino-Mahmalat** of [Sonar](https://sonarsource.com/) found an...

### Impact In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. > The passwords are *not* exposed in plaintext. > Nautobot 1.x is *not* affected by this vulnerability. Example: ``` GET /api/users/permissions/?depth=1 HTTP 200 OK API-Version: 2.0 Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS Content-Type: application/json Vary: Accept ``` ```json { "count": 1, "next": null, "previous": null, "results": [ { "id": "28ea85e4-5039-4389-94f1-9a3e1c787149", "object_type": "users.objectpermission", "display": "Run Job", "url": "http://localhost:8080/api/users/permissions/28ea85e4-5039-4389-94f1-9a3e1c787149/", "natural_slug": "run-job_28ea", "object_types": [ "extras.job" ], "name": ...

**Problem**: Trying to create a new encrypted message with the same cocoon object generates the same ciphertext. It mostly affects `MiniCocoon` and `Cocoon` objects with custom seeds and RNGs (where `StdRng` is used under the hood). **Note**: The issue does **NOT** affect objects created with **`Cocoon::new`** which utilizes `ThreadRng`. **Cause**: `StdRng` produces the same nonce because `StdRng::clone` resets its state. **Measure**: Make encryption API mutable (`encrypt`, `wrap`, and `dump`). **Workaround**: Create a new cocoon object with a new **seed** per each encryption. ## How to Reproduce ```rust let cocoon = MiniCocoon::from_password(b"password", &[1; 32]); let mut data1 = "my secret data".to_owned().into_bytes(); let _ = cocoon.encrypt(&mut data1)?; let mut data2 = "my secret data".to_owned().into_bytes(); let _ = cocoon.encrypt(&mut data2)?; // data1: [23, 217, 251, 151, 179, 62, 85, 15, 253, 92, 192, 112, 200, 52] // data2: [23, 217, 251, 151, 179, 62, 85, 15, 253, ...

### Summary The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. ## Details This vulnerability requires: * The WPS extension to be installed * The WPS security setting "Disable complex inputs" to be unselected * Security URL checks to be disabled ### Impact This vulnerability presents the opportunity for Server Side Request Forgery. ### Mitigation The ability to reference an external URL location is defined by the WPS standard Execute operation. This operations is defined by an Industry and International standard and cannot be redefined by the GeoServer application in isolation. To disable complex remote inputs on GeoServer 2.20.5 and GeoServer 2.21.0: 1. Navigate to **Security > WPS Security** page 2. Locate **Complex Inputs** heading 3. Select the check box for **Disable loading complex inputs from remote references** ### Resolution...