ghsa

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit 2.6.3 and prior. A patch is available at commit 36d1d4d256cbbab028342ba10cc493e5c119172c and anticipated to be part of version 2.6.4.

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.

## Impact The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack. ### Patches This has been patched in Flarum **v1.8**. ## Workarounds As a temporary workaround for the SSRF aspect of the vulnerability, one can disable PHP's `allow_url_fopen` which will prevent the fetching of external files via URLs. ### Credits Adam Kues - [Assetnote](https://assetnote.io/)

### Impact An attacker can post malformed webhook data witch lead to an update of the repository data that can e.g. allow the takeover of an repo. This is only critical if the CI is configured for public usage and connected to a forge witch is also in public usage. ### Patches Please use either next or the latest v1.0 e.g. v1.0.2 ### Workarounds Secure the CI system by making it inaccessible to untrusted entities, for example, by placing it behind a firewall. ### References Fix: https://github.com/woodpecker-ci/woodpecker/pull/2221 Backport: https://github.com/woodpecker-ci/woodpecker/pull/2222

### Impact XSS vulnerability due to improperly sanitizing URLs of links that can be attached on canvas elements. This affects users of the npm package `@excalidraw/excalidraw` provided it was deployed in environments where untrusted user input in drawings that are then shared with third parties is a concern. If you only hosted the editor in trusted environments, or sharing didn't take place, the impact is minimized. ### Patches Patch is available on version 0.15.3 and up (stable), or latest `@excalidraw/excalidraw@next` (unstable releases). ### Workarounds No workaround without upgrading unless deployed in environments without untrusted user input. ### References https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658 https://github.com/excalidraw/excalidraw/pull/6728

Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. NodeJS Plugin 1.6.0.1 masks credentials specified in the Npm config file in Pipeline build logs.

Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Overall/Read permission to access and capture credentials they are not entitled to. Delphix Plugin 3.0.3 defines the appropriate context for credentials lookup.

Jenkins Gogs Plugin provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default. This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified job name. Additionally, the output of the webhook endpoint includes whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it. As of publication of this advisory, there is no fix.

Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to add or remove views from another user’s favorite views tab bar. As of publication of this advisory, there is no fix.