ghsa

### Summary An remote Code exec vulnerability allows any unauthenticated user to exec code on the server. ### Details Hi,Team, i find openrefine support to import data from database,When use mysql jdbc to connect to database,It is vulnerable to jdbc url attacks,for example,unauthenticated attacker can get rce on the server through the mysql userializable If the mysql-connector-java version used on the server side is less than 8.20. In order for the server to enable deserialization we need to set the `autoDeserialize` and `queryInterceptors` parameters in the connection string,As same with https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m, since the concatenation string is a direct concatenation, it is possible to inject the required parameters after the other parameters.  And there is a commons-beanutils dependency library on the server side, w...

### Summary An arbitrary file read vulnerability allows any unauthenticated user to read the file on the server._ ### Details Hi,Team, i find openrefine support to import data from database,When use mysql jdbc to connect to database,It is vulnerable to jdbc url attacks,for example,unauthenticated attacker can read the file on the server. There are some differences in utilization depending on the version of the mysql-connector dependency on the server side. 1. mysql-connector-java version > 8.14 The default value of `allowLoadLocalInfile` on the server side is false in this case.We need to manually set this value to true in the connection string. Since the way to get the databaseurl in `com/google/refine/extension/database/mysql/MySQLConnectionManager.java` is to splice the individual configurations directly, we can set the `allowLoadLocalInfile` parameter after the other parameters(for example the `databaseName` parameter ). ![image](https://user-images.githubusercontent.com/24...

### Summary _Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._ The current implementation of `BaseUser.login` leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo on it's own does not also enforce strong passwords (see [here](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls)), these lists of valid accounts are likely to be used in a password spray attack with the outcome being attempted takeover of user accounts on the platform. The impact of this vulnerability is minor as it requires chaining with other attack vectors in order to gain more then simply a list of valid users on the underlying platform. The likelihood of this vulnerability is possible as it requir...

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

# Impact Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. # Patches None. # Workarounds Implementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 1 per minute per IP) for the specific route (`sales/guest/view/`) would effectively mitigate the issue. # References Email from Frank Rochlitzer ([email protected]) to [email protected]: ## Summary The German Federal Office for Information Security (BSI) found the following flaw in OpenMage through a commissioned pen test: The web application was found to accept certain requests even without prior strong authentication if the person making the request has data that is non-public but also not secret, such as easily easily guessed t...

Affected versions do not enforce a `Sync` bound on the type of caller-provided value held in the plugin registry. References to these values are made accessible to arbitrary threads other than the one that constructed them. A caller could use this flaw to submit thread-unsafe data into inventory, then access it as a reference simultaneously from multiple threads. The flaw was corrected by enforcing that data submitted by the caller into inventory is `Sync`.

Affected versions dereference a potentially unaligned pointer. The pointer is commonly unaligned in practice, resulting in undefined behavior. In some build modes, this is observable as a panic followed by abort. In other build modes the UB may manifest in some other way, including the possibility of working correctly in some architectures. The crate is not currently maintained, so a patched version is not available. ## Recommended alternatives - [`sysinfo`](https://crates.io/crates/sysinfo)

Affected versions allow arbitrary caller-provided code to execute before the lifetime of `main`. If the caller-provided code accesses particular pieces of the standard library that require an initialized Rust runtime, such as `std::io` or `std::thread`, these may not behave as documented. Panics are likely; UB is possible. The flaw was corrected by enforcing that only code written within the `inventory` crate, which is guaranteed not to access runtime-dependent parts of the standard library, runs before `main`. Caller-provided code is restricted to running at compile time.

### Impact Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. Affected applications are any that use: * A custom `query_builder` option to limit the valid results; AND * An `EntityType` with `'autocomplete' => true` or a custom [AsEntityAutocompleteField](https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax). Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with `query_builder`. ### Patches The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2. ### Workarounds Upgrade to version 2.11.2 or greater of `symfony/ux-autocomplete` or perform extra validation after submit to verify the selected option is valid.

### Impact An issue was found in RKE2 where an attacker with network access to RKE2 servers' supervisor port (TCP 9345) can force the TLS server to add entries to the certificate's Subject Alternative Name (SAN) list, through a stuffing attack, until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations. OpenSSL for example will raise an `excessive message size` error when this occurs. No authentication is necessary to perform this attack, only the ability to perform a TLS handshake against the supervisor port (TCP 9345). Affected servers will continue to operate, but clients (server or agent nodes) will fail to establish new connections when joining or rejoining the cluster, thus leading to a denial of service (DoS) attack. ### Remediation Upgrade to a fixed release: - v1.28.1+rke2r1 - v1.27.5+rke2r1 - v1.26.8+rke2r1 - v1.25.13+rke2r1 - 1.24.17+rke2r1 If you are using RKE2 1.27 or earlier, you must also add the parameter `tls-san-se...