Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-7v4r-c989-xh26: BentoML's runner server Vulnerable to Remote Code Execution (RCE) via Insecure Deserialization

### Summary There was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. ### PoC - First, create a file named **model.py** to create a simple model and save it ``` import bentoml import numpy as np class mymodel: def predict(self, info): return np.abs(info) def __call__(self, info): return self.predict(info) model = mymodel() bentoml.picklable_model.save_model("mymodel", model) ``` - Then run the following command to save this model ``` python3 model.py ``` - Next, create **bentofile.yaml** to build this model ``` service: "service.py" description: "A model serving service with BentoML" python: packages: - bentoml - numpy models: - tag: MyModel:latest include: - "*.py" ``` - Then, create **service.p...

ghsa
#vulnerability#web#js#git#backdoor#rce#auth
GHSA-3f7v-qx94-666m: DotNetNuke.Core Vulnerable to Server-Side Request Forgery (SSRF)

A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. ### Impact This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance, bypassing firewalls.

GHSA-fmhh-rw3h-785m: bep/imagemeta allows a potentially large memory allocation in PNG and WebP parsing

### Impact The buffer created for parsing metadata for PNG and WebP images was only bounded by their input data type, which could lead to potentially large memory allocation, and unreasonably high for image metadata. Before `v0.11.0`, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. ### Patches `v0.11.0` added a 10 MB upper limit.

GHSA-q7rw-w4cq-2j6w: bep/imagemeta allows excessively large EXIF data structures

### Impact The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before `v0.10.0`, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. ### Patches `v0.10.0` added LimitNumTags (default 5000) and LimitTagSize (default 10000) options.

GHSA-9r25-rp3p-h2w4: crud-query-parser SQL Injection vulnerability

### Impact Improper neutralization of the `order`/`sort` parameter in the TypeORM adapter, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter. Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability. ### Patches This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default). ### Workarounds #### Add an allowlist of fields List all valid fields and use the `filterProperties` function to filter out invalid fields before passing the crudRequest to the `TypeOrmQueryAdapter`. Here's an example: ```ts crudRequest = filterProperties(crudRequest, ['id', 'title', 'category.name']); ``` #### Disable ordering Cleanup the `order` field just before passing it to the `TypeOrmQueryAdapter`. Here's an example: ```ts crudRequest.order = []; ```

GHSA-q62r-8ppj-xvf4: Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users

### Impact Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. ### Patches The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1. ### Workarounds Umbraco supports the configuration of [allowed](https://docs.umbraco.com/umbraco-cms/reference/configuration/contentsettings#allowed-upload-file-extensions) and [disallowed file extensions](https://docs.umbraco.com/umbraco-cms/reference/configuration/contentsettings#disallowed-upload-file-extensions). Using these options to allow only necessary file extensions significantly reduces the scope of the vulnerability.

GHSA-gmg8-593g-7mv3: Apache POI OOXML Vulnerable to Improper Input Validation in OOXML File Parsing

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely.

GHSA-rcqj-3fmp-5cqx: Apache Pulsar Kafka Connector Logs Sensitive Information in Application Logs

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs. This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue. This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4. 3.0.x version users should upgrade to at least 3.0.11. 3.3.x version users should upgrade to at least 3.3.6. 4.0.x version users should upgrade to at least 4.0.4. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

GHSA-gjx9-wg9x-7gvp: Flowise Vulnerable to SQL Injection via `tableName` Parameter

Flowise <= 2.2.3 is vulnerable to SQL Injection. via tableName parameter at Postgres_VectorStores.

GHSA-44v2-prcf-pc3m: Joomla Framework Database Package Vulnerable to SQL Injection

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.