Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-mc8h-8q98-g5hr: Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all

The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked. Thanks to the Rust security team for identifying the problem and alerting us to it.

ghsa
#git
GHSA-3x49-g6rc-c284: LiteDB may deserialize bad JSON on object type using _type

### Impact LiteDB use a special field in JSON documents to cast diferent types from `BsonDocument` do POCO classes. When instance of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit in your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit in your model. ### Patches Version >= 5.0.13 add some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type Next major version will contains a allow-list to select what king of Assembly can be loaded ### Workarounds - Avoid users send to your app a JSON string to be direct insert/update into database - Avoid use classes with `Object` type - try use an interface when possible If your app send a plain JSON string to be insert/update into database, prefer this: ``` // Bad public class Customer { public int Id { get; set; } public string Name { get; set; } ...

GHSA-w695-p3j5-hrj9: Apache Airflow AWS Provider Generates Error Message Containing Sensitive Information

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.

GHSA-9mwf-mw74-9cv5: Apache Airflow Hive Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.

GHSA-8g23-2q5p-8866: Apache Airflow Google Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

GHSA-h8p2-8g72-qpgh: Apache Airflow Google Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

GHSA-j69x-v4wc-3fpf: Apache Airflow Sqoop Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.

GHSA-65rp-mhqf-8gj3: rangy vulnerable to Prototype Pollution

All versions of the package rangy are vulnerable to Prototype Pollution when using the `extend()` function in file `rangy-core.js`.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype.

GHSA-q8gg-vj6m-hgmj: @braintree/sanitize-url Cross-site Scripting vulnerability

sanitize-url (aka @braintree/sanitize-url) before 6.0.1 allows XSS via HTML entities.

GHSA-prjg-28jg-m3p5: RosarioSIS Improper Access Control vulnerability

Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.