Security Headlines: Latest CVEs

Source: ghsa
GHSA-2rq5-699j-x7p6: Arbitrary local file read vulnerability during template rendering

Directory traversal vulnerability in swig-templates through 2.0.4 and swig through 1.4.2 allows attackers to read arbitrary files via the include or extends tags.

GHSA-4grc-q4fj-45p8: Improper Input Validation In Eclipse BIRT

In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed retrieving a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched in Eclipse BIRT 4.13.

GHSA-h6g5-wqqr-3mw3: Sensitive Information in Error Messages in Apache Airflow

Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow before 2.5.2. The traceback contains information that might be useful for a potential attacker to better target their attack (Python/Airflow version, node name). This information should not be shown if the traceback is displayed to an unauthenticated user.

GHSA-hw7c-3rfg-p46j: Panic leading to denial of service

Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

GHSA-4g76-w3xw-2x6w: Full authentication bypass if SASL authorization username is specified

### Impact

maddy 0.2.0 - 0.6.2 allows a full authentication bypass if a SASL authorization username is specified when using the PLAIN authentication mechanism. Instead of validating the specified authorization username, it is accepted as is after checking the credentials for the authentication username.

### Patches

maddy 0.6.3 includes the fix for the bug.

### Workarounds

There is no way to fix the issue without upgrading.

### References

* Commit that introduced the vulnerable code: https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a
* Fix: https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c
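As an added illustration (this is not maddy's code), the following Go program shows the shape of the bug the advisory describes in a SASL PLAIN handler, next to a version that validates the authorization identity. The credential store, user names and PLAIN messages are constructed for the example, and the "only yourself" authorization policy in `authenticateFixed` is an assumption rather than maddy's actual rule.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Constructed credential store for this example; not maddy's storage.
var users = map[string]string{
	"alice@example.org": "alice-pass",
	"bob@example.org":   "bob-pass",
}

// parsePlain splits a SASL PLAIN initial response (RFC 4616):
// [authzid] NUL authcid NUL passwd
func parsePlain(resp []byte) (authzid, authcid, passwd string, err error) {
	parts := bytes.Split(resp, []byte{0})
	if len(parts) != 3 {
		return "", "", "", errors.New("malformed PLAIN response")
	}
	return string(parts[0]), string(parts[1]), string(parts[2]), nil
}

// checkPassword verifies the authentication identity's credentials.
func checkPassword(authcid, passwd string) bool {
	p, ok := users[authcid]
	return ok && p == passwd
}

// authenticateVulnerable mirrors the behaviour the advisory describes:
// once the authentication identity's password checks out, the requested
// authorization identity is accepted as-is.
func authenticateVulnerable(resp []byte) (string, error) {
	authzid, authcid, passwd, err := parsePlain(resp)
	if err != nil {
		return "", err
	}
	if !checkPassword(authcid, passwd) {
		return "", errors.New("invalid credentials")
	}
	if authzid == "" {
		authzid = authcid
	}
	return authzid, nil // missing: is authcid allowed to act as authzid?
}

// authenticateFixed adds the missing step: the authorization identity must
// be one the authenticated user is allowed to assume. The policy here is the
// simplest possible one (assumed for the example): only yourself.
func authenticateFixed(resp []byte) (string, error) {
	authzid, authcid, passwd, err := parsePlain(resp)
	if err != nil {
		return "", err
	}
	if !checkPassword(authcid, passwd) {
		return "", errors.New("invalid credentials")
	}
	if authzid != "" && authzid != authcid {
		return "", fmt.Errorf("%s is not authorized to act as %s", authcid, authzid)
	}
	return authcid, nil
}

func main() {
	// Constructed message: alice proves her own password but asks to act as bob.
	msg := []byte("bob@example.org\x00alice@example.org\x00alice-pass")
	id, err := authenticateVulnerable(msg)
	fmt.Println("vulnerable:", id, err)
	id, err = authenticateFixed(msg)
	fmt.Println("fixed:", id, err)
}
```

The point of the comparison is that a PLAIN exchange proves the *authentication* identity's password, and nothing about the *authorization* identity; a server that returns the authorization identity without a separate policy check has effectively let the password of any account log in as any other.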

GHSA-rqm8-q8j9-662f: Nomad Job Submitter Privilege Escalation Using Workload Identity

### Summary

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a user with the submit-job ACL capability can submit a job that can escalate to management-level privileges. This vulnerability, CVE-2023-1299, was introduced in Nomad 1.5.0 and fixed in Nomad 1.5.1.

### Background

Nomad 1.4.0 introduced the concept of workload identity so that tasks can access variables without needing to access them through the Nomad HTTP API with an ACL token. In 1.5.0, the identity block was introduced, which exposes the workload identity token to the workload so it can access the Nomad HTTP API via a Unix domain socket without configuring mTLS.

### Details

During internal testing, we discovered it was possible to abuse the workload identity to elevate to management-level privilege if the workload identity did not have any attached ACL policies.

### Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.5.1 or newer. See Noma...

GHSA-vfvj-3m3g-m532: fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime

### Summary

Fuzz testing on `crossplane/crossplane`, by Ada Logics and sponsored by the CNCF, identified input to a function in the `fieldpath` package that can cause an out of memory panic. Applications that use the `Paved` type's `SetValue` method with user-provided input without proper validation might use excessive amounts of memory and cause an out of memory panic.

### Details

In the `fieldpath` package, the `SetValue` method of the `Paved` type sets a value on the inner object according to the provided path, without validating it first. This allows setting values in slices at any specific index, and the code will grow the target array up to the required size. The index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value.

### Workaround

Users can parse and validate the path before passing it to the `SetValue` method of the `Paved` type, constraining the index size as deemed appropriate.

### Credits

Disc...
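An added example of the workaround above, not crossplane's own code: reject a field path whose index segments are larger than an application-chosen cap before the path ever reaches `SetValue`. The `[N]` matching is a simplified stand-in for crossplane's `fieldpath` parser, `MaxIndex` is an assumed policy value, and `growAndSet` only reproduces the "grow the slice to the requested index" behaviour on a plain slice so the effect of the cap is visible.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// MaxIndex is the largest slice index this validator lets through. The value
// is a constructed policy for the example; choose one that fits your objects.
const MaxIndex uint64 = 1024

// indexRe matches the [N] segments of a field path such as spec.items[3].name.
// It is a simplified stand-in for crossplane's fieldpath parser, not its code.
var indexRe = regexp.MustCompile(`\[(\d+)\]`)

// ValidatePath rejects any path whose index segments exceed MaxIndex, so the
// caller can refuse it before handing it to Paved.SetValue, which would
// otherwise grow the target slice up to that index.
func ValidatePath(path string) error {
	for _, m := range indexRe.FindAllStringSubmatch(path, -1) {
		n, err := strconv.ParseUint(m[1], 10, 64)
		if err != nil {
			return fmt.Errorf("index %q in %q is not a valid number", m[1], path)
		}
		if n > MaxIndex {
			return fmt.Errorf("index %d in %q exceeds the maximum of %d", n, path, MaxIndex)
		}
	}
	return nil
}

// growAndSet reproduces the growth behaviour the advisory describes on a
// plain slice: the slice is extended until the requested index exists. With
// ValidatePath in front of it, growth is bounded to MaxIndex+1 elements.
func growAndSet(s []interface{}, i uint64, v interface{}) []interface{} {
	for uint64(len(s)) <= i {
		s = append(s, nil)
	}
	s[i] = v
	return s
}

func main() {
	// Constructed paths: one ordinary, one carrying the max uint32 index.
	for _, p := range []string{"spec.items[3].name", "spec.items[4294967295].name"} {
		if err := ValidatePath(p); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", p)
	}
	s := growAndSet(nil, 3, "x")
	fmt.Println(len(s), s[3]) // bounded growth after validation
}
```

Run the validation at the trust boundary (wherever the path comes from a user or an API client) and treat a rejection as a client error; the cap itself is the application's choice, since the advisory's only requirement is that it be far smaller than the parser's own limit.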

GHSA-7r7x-4c4q-c4qf: Missing proper state, nonce and PKCE checks for OAuth authentication

### Impact

`next-auth` applications using OAuth provider versions before `v4.20.1` are affected. A bad actor who can spy on the victim's network, or who is able to social engineer the victim into clicking a manipulated login link, could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. As an example, an attack can happen in the following scenario.

> TL;DR: The attacker steals the victim's authenticated callback by intercepting and tampering with the authorization URL created by `next-auth`.

1. The victim attempts to log in to the `next-auth` site. For example https://next-auth-example.vercel.app/
2. `next-auth` sets the `checks` cookies according to how the OAuth provider is configured. In this case, `state` and `pkce` are set by default for the Google Provider. ![Screen Shot 2023-03-03 at 09 54 26](https://user-images.githubusercontent.com/31528554/222619750-a2062bb8-99eb-4985-a75c-d75acd3da67e.png)
3. The at...

GHSA-vhm8-wwrf-3gcw: Path Traversal Vulnerability in `LESS` Parser allows reading of sensitive server files

### Impact

If an admin account has already been compromised by an attacker, the `LESS` parser can be exploited to read sensitive files on the server through the use of path traversal techniques. An attacker can achieve this by providing an absolute path to a sensitive file in the custom `LESS` setting, which the `LESS` parser will then read. For example, an attacker could use the following code to read the contents of the `/etc/passwd` file:

```less
@import (inline) '/etc/passwd';
.test { content: data-uri('/etc/passwd'); }
```

### Patches

The vulnerability has been addressed in version `1.7`. Users should upgrade to this version to mitigate the vulnerability.

### Workarounds

Users can mitigate the vulnerability by ensuring that their admin accounts are secured with strong passwords and other best practices for account security. Additionally, users can limit the exposure of sensitive files on the server by implementing appropriate file permissions and access controls.

GHSA-3g43-x7qr-96ph: Possible CSRF token fixation

### Impact

When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, it might enable `same-site attackers` to bypass the CSRF protection mechanism by performing an attack similar to session fixation.

### Patches

The problem is fixed in version 8.0.1.