ghsa

When the host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. Example configuration: ```python from twisted.web.server import Site from twisted.web.vhost import NameVirtualHost from twisted.internet import reactor resource = NameVirtualHost() site = Site(resource) reactor.listenTCP(8080, site) reactor.run() ``` Output: ``` ❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/ <html> <head><title>404 - No Such Resource</title></head> <body> <h1>No Such Resource</h1> <p>host b'<h1>hello there</h1>' not in vhost map</p> </body> </html> ``` This vulnerability was introduced in f49041bb67792506d85aeda9cf6157e92f8048f4 and first appeared in the 0.9.4 release.

### Impact _What kind of vulnerability is it? Who is impacted?_ We’d like to disclose an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in the current working directory. This vulnerability allows one user to run code as another. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Users should upgrade to `jupyter_core>=4.11.2`. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ No ### References _Are there any links users can visit to find out more?_ Similar advisory in [IPython](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x)

Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. This issue is patched in version 1.3.0, and users are recommended to upgrade.

Flume’s JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing validation. This could result in untrusted data being deserialized, leading to remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed in version 1.11.0.

Badaso allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

HyperDown is a markdown parser written for the Chinese website SegmentFault. Improper validation of the href attribute allows for Cross-site Scripting. At publication there are no patched versions, and no known workarounds.

feathers-sequelize is vulnerable to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection.

Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.

Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.