Security Headlines: Latest CVEs

Source: ghsa

GHSA-w695-p3j5-hrj9: Apache Airflow AWS Provider Generates Error Message Containing Sensitive Information

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.

GHSA-9mwf-mw74-9cv5: Apache Airflow Hive Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.

GHSA-8g23-2q5p-8866: Apache Airflow Google Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

GHSA-h8p2-8g72-qpgh: Apache Airflow Google Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

GHSA-j69x-v4wc-3fpf: Apache Airflow Sqoop Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.

GHSA-65rp-mhqf-8gj3: rangy vulnerable to Prototype Pollution

All versions of the package rangy are vulnerable to Prototype Pollution when using the `extend()` function in file `rangy-core.js`. The function uses a recursive merge, which can allow an attacker to modify properties of `Object.prototype`.

GHSA-q8gg-vj6m-hgmj: @braintree/sanitize-url Cross-site Scripting vulnerability

sanitize-url (aka @braintree/sanitize-url) before 6.0.1 allows XSS via HTML entities.

GHSA-prjg-28jg-m3p5: RosarioSIS Improper Access Control vulnerability

Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.

GHSA-9fh3-j99m-f4v7: Code injection in pdf_info

pdf_info 0.5.3 is vulnerable to Command Execution. An attacker using a specially crafted payload may execute OS commands via command chaining, because no validation is performed during object initialization and the user-provided path is used as-is.

GHSA-3x5j-9vwr-8rr5: Update share links to use FRP instead of SSH tunneling

### Impact

This is a vulnerability which affects anyone using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.

### Patches

The problem has been patched. Ideally, users should upgrade to `gradio==3.19.1` or later, where the FRP solution has been properly tested.

### Credit

Credit to Greg Sadetsky and Samuel Tremblay-Cossette for alerting the team.