ghsa

# Microsoft Security Advisory CVE-2023-38180: .NET Denial of Service Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1, .NET 6.0, and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in Kestrel where, on detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in denial of service. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/269 ### <a name="mitigation-factors"></a>Mitigation factors If your application is running behind a reverse proxy, or Web Application Firewall, which has its own mitigations against HTTP based attacks this issue may be mitigated by the proxy or WAF ## <a name="affected-software"></a>Affected software * Any .NET 7.0 applicat...

### Impact Angular Universal applications on 16.1.0 and 16.1.1 using critical CSS inlining are vulnerable to a [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) attack where an attacker can trick another user into visiting a page which injects malicious JavaScript. Angular CLI applications without Universal do perform critical CSS inlining as well, however exploiting this requires a malicious actor to already have access to modify source code directly. ### Patches `@nguniversal/common` should be upgraded to 16.1.2 or higher. 16.2.0-rc.0 is safe. ### Workarounds The easiest solution is likely to upgrade Universal to 16.1.2 or downgrade to 16.0.x or lower. Alternatively you can [override](https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides) specifically the `critters` dependency with version `0.0.20` in your `package.json`. ```json { "overrides": { "critters": "0.0.20" } } ``` ### References * [Angular Blog Post](https://blog.angula...

### Impact An attacker with access to a token with few or no scopes can query `/api/0/api-tokens/` for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on https://sentry.io. For self-hosted users, it is advised to rotate user auth tokens via `https://your-self-hosted-sentry-installation/settings/account/api/auth-tokens/`. ### Patches The issue was fixed in https://github.com/getsentry/sentry/pull/53850 and is available in the release 23.7.2 of [sentry](https://github.com/getsentry/sentry/releases/tag/23.7.2) and [self-hosted](https://github.com/getsentry/self-hosted/releases/tag/23.7.2). ### Workarounds There are no known workarounds.

### Impact The `import-in-the-middle` loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. It allows for remote code execution in cases where an application passes user-supplied input directly to an import() function. ### Patches This vulnerability has been patched in `import-in-the-middle` version 1.4.2 ### Workarounds * Do not pass any user-supplied input to `import()`. Instead, verify it against a set of allowed values. * If using `import-in-the-middle` and support for EcmaScript Modules is not needed, ensure that none of the following options are set (either via command-line or the `NODE_OPTIONS` environment variable): ``` --loader=import-in-the-middle/hook.mjs --loader import-in-the-middle/hook.mjs ``` ### References If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected])

Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

## Impact Several quadratic complexity bugs in commonmarker's underlying [`cmark-gfm`](https://github.com/github/cmark-gfm) library may lead to unbounded resource exhaustion and subsequent denial of service. The following vulnerabilities were addressed: * [CVE-2023-37463](https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5) For more information, consult the release notes for version [`0.29.0.gfm.12`](https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12). ## Mitigation Users are advised to upgrade to commonmarker version [`0.23.10`](https://rubygems.org/gems/commonmarker/versions/0.23.10).

In Gitea through 1.17.1, repo cloning can occur in the migration function.

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. Users may upload php files through the system file upload utility to obtain remote code execution.

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. For any role that has permission to execute function assets, an attacker can upload a html file and that leads to XSS.

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user's session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.