Security Headlines: Latest CVEs (source: ghsa)
GHSA-h63r-9xxf-f2c7: Apache Airflow Cross-site Scripting vulnerability

In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument.

GHSA-f9fq-78ch-4wmj: Apache Airflow Open Redirect vulnerability

In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.
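The two Airflow advisories above are the same parameter failing in two directions: a redirect-back value (`origin`) that is both followed as a redirect target and echoed into HTML. The following is an added example, not Airflow's code, showing one handler that closes both holes. The function and parameter names (`safe_origin`, `render_trigger_form`, the `/home` fallback) are assumptions for illustration; the rule it enforces is that a legitimate "go back" target is a relative path on the same site, and that the value is HTML-escaped even after validation.

```python
# Added example (not Airflow's code): validating a user-supplied redirect-back
# parameter so it can serve as neither an open redirect nor an XSS sink.
from html import escape
from urllib.parse import urlsplit

# Assumption for illustration: only redirects back into this application are
# legitimate, so a safe target is a relative path beginning with a single "/".
def safe_origin(value, default="/home"):
    """Return `value` if it is a same-site relative path, otherwise `default`."""
    if not value:
        return default
    # Control characters (CR/LF in particular) could split the Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    # Reject protocol-relative "//evil.example" and backslash tricks such as
    # "/\evil.example", which some browsers normalise to "//evil.example".
    if value.startswith("//") or "\\" in value:
        return default
    parts = urlsplit(value)
    # Anything that parses with a scheme ("javascript:", "https:") or a host
    # leaves the site; so does a path that is not absolute.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    return value

def render_trigger_form(origin):
    """Render the fragment of a page that embeds the origin in an href."""
    target = safe_origin(origin)
    # Validation alone is not enough for the HTML context: a same-site path
    # can still carry quotes or angle brackets in its query string.
    return '<a href="%s">Back</a>' % escape(target, quote=True)

if __name__ == "__main__":
    for candidate in ["/dags/list?x=1", "https://evil.example/", "//evil.example",
                      "javascript:alert(1)", "/\\evil.example", ""]:
        print(repr(candidate), "->", safe_origin(candidate))
    print(render_trigger_form('/dags?x="><script>'))
```

Validating the redirect target and escaping the rendered value are independent fixes: the first stops the browser being sent off-site, the second stops a same-site path from breaking out of the attribute it is rendered into.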

GHSA-j5wx-jvw3-j363: Centreon vulnerable to SQL Injection

A SQL injection vulnerability in Centreon affects unknown code of the file formContactGroup.php of the component Contact Groups Form. The manipulation of the argument cg_id leads to sql injection. The attack can be initiated remotely. Version 22.10.0-beta1 contains a patch for this issue.
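To make the `cg_id` pattern concrete, here is an added example (not Centreon's code, which is PHP) that reproduces the injectable query shape against an in-memory SQLite table and shows the parameterised form beside it. The table name, columns and sample rows are constructed for the example.

```python
# Added example (not Centreon's code): splicing an attacker-controlled id into
# SQL text versus binding it as a parameter, run against an in-memory table.
import sqlite3

def make_db():
    """Constructed sample data standing in for a contact-groups table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contactgroup (cg_id INTEGER PRIMARY KEY, cg_name TEXT)")
    conn.executemany("INSERT INTO contactgroup VALUES (?, ?)",
                     [(1, "admins"), (2, "operators"), (3, "auditors")])
    return conn

def lookup_vulnerable(conn, cg_id):
    # The argument becomes part of the statement text, so its contents are
    # parsed as SQL syntax, not as a value.
    sql = "SELECT cg_id, cg_name FROM contactgroup WHERE cg_id = " + str(cg_id)
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, cg_id):
    # Enforce the type the application actually expects, then bind it.
    # The driver passes the value separately from the statement text, so it
    # can never change the statement's structure.
    try:
        cg_id = int(cg_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT cg_id, cg_name FROM contactgroup WHERE cg_id = ?", (cg_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"          # a tautology appended to the id
    print(lookup_vulnerable(db, payload))   # every row leaks
    print(lookup_fixed(db, payload))        # [] (rejected as a non-integer)
    print(lookup_fixed(db, "2"))            # [(2, 'operators')]
```

The type check in `lookup_fixed` is defence in depth; parameter binding alone already prevents the injection, but rejecting a non-numeric id early keeps malformed input out of the query path entirely.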

GHSA-jj93-4jr5-x45h: Apache Sling App CMS vulnerable to Cross-site Scripting

A Cross-site Scripting vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.

GHSA-8r69-3cvp-wxc3: Batched HTTP requests may set incorrect `cache-control` response header

### Impact

In Apollo Server 3 and 4, the `cache-control` HTTP response header may not reflect the cache policy that should apply to an HTTP request when that HTTP request contains multiple operations using HTTP batching. This could lead to data being inappropriately cached and shared. Apollo Server allows clients to send multiple operations in a single HTTP request. The results of these operations are returned in a single HTTP response, with a single set of headers. Apollo Client Web and Apollo Kotlin both have opt-in features to use batched requests. Apollo Server has several features relating to caching. This advisory is about the ability to set the `cache-control` response header based on field- and operation-specific cache hints. (It is not about the "response cache plugin".) This header can be interpreted by a reverse proxy such as a CDN in front of your server, or by a browser. In Apollo Server 2, plugins such as the cache control plugin could not control the HTTP headers of...
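The core of the advisory is that one HTTP response carries the results of several operations but only one `cache-control` header, so that header has to be derived from all of the operations' policies, not one of them. The following added example (not Apollo Server's code) shows the correct merge beside the failure mode. The policy model is an assumption for illustration: each operation yields a `(max_age_seconds, scope)` pair with scope `PUBLIC` or `PRIVATE`, and a max-age of zero means the operation must not be cached.

```python
# Added example (not Apollo Server's code): deriving the single cache-control
# header for a batched response from the per-operation policies.
from typing import Iterable, Optional, Tuple

# Assumed policy model: (max_age_seconds, scope). scope is "PUBLIC" or
# "PRIVATE"; a max_age of 0 means the operation's result is uncacheable.
Policy = Tuple[int, str]

def merge_batch_policy(policies: Iterable[Policy]) -> Optional[Policy]:
    """Combine per-operation policies into the policy the shared response must carry.

    The response is only as cacheable as its least cacheable operation: the
    smallest max_age wins, PRIVATE wins over PUBLIC, and one uncacheable
    operation makes the whole response uncacheable (None).
    """
    merged: Optional[Policy] = None
    for max_age, scope in policies:
        if max_age <= 0:
            return None
        if merged is None:
            merged = (max_age, scope)
            continue
        merged = (min(merged[0], max_age),
                  "PRIVATE" if "PRIVATE" in (merged[1], scope) else "PUBLIC")
    return merged

def cache_control_header(policy: Optional[Policy]) -> str:
    """Render a policy the way a proxy or browser will read it."""
    if policy is None:
        return "no-store"
    max_age, scope = policy
    return f"max-age={max_age}, {scope.lower()}"

def header_for_batch(policies: Iterable[Policy]) -> str:
    return cache_control_header(merge_batch_policy(policies))

def header_taking_first_only(policies: Iterable[Policy]) -> str:
    # The failure mode described above: the header reflects one operation's
    # policy, so a public, long-lived hint can mask a private one in the
    # same response and a shared cache will store the private data.
    return cache_control_header(next(iter(policies), None))

if __name__ == "__main__":
    # Constructed batch: one long-lived public query, one per-user query.
    batch = [(3600, "PUBLIC"), (60, "PRIVATE")]
    print("correct :", header_for_batch(batch))          # max-age=60, private
    print("wrong   :", header_taking_first_only(batch))  # max-age=3600, public
    print("no-store:", header_for_batch([(3600, "PUBLIC"), (0, "PUBLIC")]))
```

The asymmetry is deliberate: a cache that stores something it should not is a data exposure, while a cache that stores less than it could is only a performance cost, so every merge rule resolves toward the more restrictive side.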

GHSA-fppq-mj76-fpj2: fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

### Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

### Patches

v1.15.3

### Workarounds

Do not use `FLUENT_OJ_OPTION_MODE=object`.

### References

* GHSL-2022-067
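Because the exposure hinges on one environment variable, a defender has two practical checks: confirm the setting is not in use, and look for inbound JSON that carries the object-mode type markers that are only meaningful when it is. The following is an added example, not Fluentd's code. It assumes, as a labelled assumption, that Oj's object mode encodes class names under the `^o` key (with `^c` and `^u` for class and struct references); ordinary log records have no reason to contain such keys. The sample lines are constructed.

```python
# Added example (not Fluentd's code): audit the unsafe setting and flag JSON
# records that carry Oj object-mode type markers.
import json

UNSAFE_ENV = ("FLUENT_OJ_OPTION_MODE", "object")
# Assumption: Oj object mode uses "^o" (object class), "^c" (class) and
# "^u" (struct) keys to describe the Ruby object to instantiate.
OJ_MARKERS = {"^o", "^c", "^u"}

def env_is_unsafe(env: dict) -> bool:
    """True when the environment selects Oj object mode."""
    name, bad = UNSAFE_ENV
    return env.get(name, "").strip().lower() == bad

def find_oj_markers(node, path="$"):
    """Walk a decoded JSON value and return JSONPath-style locations of marker keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in OJ_MARKERS:
                hits.append(f"{path}.{key}={value!r}")
            hits.extend(find_oj_markers(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_oj_markers(item, f"{path}[{i}]"))
    return hits

def scan_records(lines):
    """Return (line_number, hits) for each JSON line that carries Oj markers.

    Lines that are not valid JSON are skipped: they would not reach the
    deserialiser in the first place.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = find_oj_markers(doc)
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample input: two ordinary records and one carrying a type marker.
SAMPLE_LINES = [
    '{"host":"web1","msg":"GET /index.html 200"}',
    '{"host":"web2","msg":"login ok","user":{"name":"alice"}}',
    '{"host":"web3","payload":{"^o":"SomeClass","attr":"x"}}',
]

if __name__ == "__main__":
    print("unsafe env:", env_is_unsafe({"FLUENT_OJ_OPTION_MODE": "object"}))
    for n, hits in scan_records(SAMPLE_LINES):
        print(f"line {n}: {hits}")
```

The marker scan is a detection aid, not a fix: with object mode disabled the markers are inert, and with it enabled the only safe remedy is the workaround the advisory gives.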

GHSA-mcmr-49x3-4jqm: ckb type_id script resume may randomly fail

### Impact

https://github.com/nervosnetwork/ckb/blob/v0.101.2/script/src/verify.rs#L871-L879

The TypeIdSystemScript resume handle is not correct when max_cycles is not enough: `ScriptError::ExceededMaximumCycles` is raised directly rather than suspending as expected. Because script_group execution order is random, the failure also occurs randomly.

GHSA-7fw6-6mfj-g3q2: ckb: Transaction header_deps validation issue (network forking)

### Impact

fn `HeaderChecker#check_valid` skipped main chain checking after this PR: https://github.com/nervosnetwork/ckb/pull/1646/files#diff-c4e017b67c1b3005ca0c446a9b0879571aa36a858b1f7ddd1b9328a884e3214bR171-R176

This will cause network forking if a transaction uses a forked block header that does not exist in the local node's storage.

### Patches

0.101.1 and later versions

GHSA-9mfc-chwf-7whf: ckb: Large dep group requires a lot of resources to process but the cost to commit the transaction is very low.

### Impact

When a transaction contains a dep group with many cells, the resources required to process it are not linear in the transaction size or in the script cycles spent.

### Patches

In 0.43.3, nodes drop transactions relayed to them when they contain a dep group with more than 64 cells. They do not ban peers who send them such transactions. In 0.100, the consensus disallows transactions using a dep group with more than 64 cells. Peers relaying such transactions must be banned. Blocks committing such transactions must be rejected.

GHSA-39hc-v87j-747x: Vulnerable OpenSSL included in cryptography wheels

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-38.0.3 are vulnerable to a number of security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221101.txt. If you are building cryptography from source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
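The practical question for an operator is whether a given interpreter has an affected wheel, and that cannot be answered from the package version alone, since a source build in the same version range links whatever OpenSSL the host provided. The following added example (not pyca/cryptography's code) checks the version against the range named above and reports the OpenSSL the installed build actually links. It relies on two facts outside the page, stated as such: the 1 November 2022 OpenSSL advisory covers OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7, and does not affect the 1.1.1 series; and cryptography's OpenSSL backend exposes `openssl_version_text()`. The `report()` helper is an assumed name for illustration.

```python
# Added example (not pyca/cryptography's code): decide whether an installed
# cryptography build falls in the affected wheel range, and report the OpenSSL
# it actually links so that a source build can be judged on its own terms.
import re

AFFECTED_LOW, AFFECTED_HIGH = (37, 0, 0), (38, 0, 3)   # range from the advisory
# Fact outside the page: the 2022-11-01 OpenSSL advisory affects 3.0.0-3.0.6,
# fixed in 3.0.7; 1.1.1 and 1.0.2 are not affected.
OPENSSL_3_FIXED = (3, 0, 7)

def parse_version(text: str):
    """'38.0.3' or '38.0.3.dev1' -> (38, 0, 3): numeric leading components only."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):      # '3rc1': stop after the numeric prefix
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def affected_wheel_version(version: str) -> bool:
    """True when the cryptography version is inside the affected wheel range."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH

def linked_openssl_affected(version_text: str) -> bool:
    """'OpenSSL 3.0.6 11 Oct 2022' -> True; 3.0.7 and 1.1.1 builds -> False."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        return False
    v = tuple(int(x) for x in m.groups())
    return (3, 0, 0) <= v < OPENSSL_3_FIXED

def report() -> dict:
    """Inspect the running interpreter's cryptography, if it is installed."""
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl import backend
    except ImportError:
        return {"installed": False}
    # Assumption: openssl_version_text() is present on the OpenSSL backend.
    linked = getattr(backend, "openssl_version_text", lambda: "unknown")()
    return {
        "installed": True,
        "version": cryptography.__version__,
        "in_affected_wheel_range": affected_wheel_version(cryptography.__version__),
        "linked_openssl": linked,
        "linked_openssl_affected": linked_openssl_affected(linked),
    }

if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

`linked_openssl_affected` is the decisive signal: a wheel in range will show a vulnerable 3.0.x string, while a source build in the same range may show a patched 3.0.7 or a 1.1.1 system library and need no package upgrade at all.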