Source
ghsa
The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked. Thanks to the Rust security team for identifying the problem and alerting us to it.
### Impact LiteDB use a special field in JSON documents to cast diferent types from `BsonDocument` do POCO classes. When instance of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit in your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit in your model. ### Patches Version >= 5.0.13 add some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type Next major version will contains a allow-list to select what king of Assembly can be loaded ### Workarounds - Avoid users send to your app a JSON string to be direct insert/update into database - Avoid use classes with `Object` type - try use an interface when possible If your app send a plain JSON string to be insert/update into database, prefer this: ``` // Bad public class Customer { public int Id { get; set; } public string Name { get; set; } ...
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.
Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
All versions of the package rangy are vulnerable to Prototype Pollution when using the `extend()` function in file `rangy-core.js`.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype.
sanitize-url (aka @braintree/sanitize-url) before 6.0.1 allows XSS via HTML entities.
Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.