ghsa

> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (4.0) ### Problem The export functionality fails to limit the result set to allowed columns of a particular database table. This allows authenticated users to export internal details of database tables to which they already have access. ### Solution Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. In order to address this issue, access to mentioned export functionality is completely denied for regular backend users. ℹ️ **Strong security defaults - Manual actions required** Following User TSconfig setting would allow using the export functionality for particular users: ``` options.impexp.enableExportForNonAdminUser = 1 ``` ### Credits Thanks to TYPO3 core merger Lina Wolf who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2022-001](https://typo3.org/security/adv...

### Impact The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for Key Storage possibly not working. Any credentials created or overwritten using Rundeck 4.2.0 or 4.2.1 might result in them being written in plaintext to the backend storage. If you are using a "[Storage Converter](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html#key-data-storage-converter)" plugin, such as `jasypt-encryption` configured via the `rundeck.storage.converter.1.type=jasypt-encryption` setting, and you installed 4.2.0 or 4.2.1 then please upgrade to one of the patched versions. If you *do not* use a "[Storage Converter](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html#key-data-storage-converter)" plugin, this would not affect you. ### Patches Rundeck 4.3.1 and 4.2.2 have fixed the code and upon upgrade will re-encrypt any plain text values. Note: 4.3.0 does not have the vulnerability,...

### Impact **This issue only applies to applications starting authorization sessions using an explicit initial `nonce`.** When [`Context::start_auth_session`](https://docs.rs/tss-esapi/7.0.1/tss_esapi/struct.Context.html#method.start_auth_session) was called with a `nonce` argument value of `Some(...)`, the nonce pointer passed down through FFI to `Esys_StartAuthSession` would be a dangling pointer, left over from a defunct instance of `TPM2B_NONCE`. This could lead to an incorrect value being used as a nonce, though whether that value is controllable is unclear (so should be assumed as possible). The error became apparent due to changes in v1.61.0 of the Rust compiler. Logs indicating a failure due to this issue (with the 1.61.0 version of the Rust toolchain) look as follows: ``` 2022-05-24T01:04:41.9131341Z WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error 2022-05-24T01:04:41.9132192Z ERROR:esys:src/tss2-esys/api/Esys_Sta...

### Impact Datasets exported to file (e.g. CSV / XLS) are not sufficiently sanitized, to neutralize potential formula injection ### Patches - The issue is addressed in the upcoming 0.8.0 release - This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release ### Workarounds Users exporting untrusted data should open the files in safe mode (e.g. in Microsoft Excel). ### References - https://huntr.dev/bounties/e57c36e7-fa39-435f-944a-3a52ee066f73/ - https://owasp.org/www-community/attacks/CSV_Injection ### For more information If you have any questions or comments about this advisory: * Open an issue in [github](http://github.com/inventree/inventree) * Email us at [[email protected]](mailto:[email protected])

### Impact InvenTree allows unrestricted upload of files as attachments to various database fields. Potentially dangerous files (such as HTML files containing malicious javascript) can be uploaded, and (when opened by the user) run the malicious code directly in the users browser.  *Note that the upload of malicious files must be performed by an authenticated user account* ### Solution The solution for this vulnerability is to ensure that attachment files are downloaded to the local machine before opening, rather than opening the file in the current browser context. ### Patches - The issue is addressed in the upcoming 0.8.0 release - This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release ### Workarounds Users can alleviate risk of opening malicious files by right-clicking on the attachment link and selecting "Save link as" ![image](https:...

### Impact Affected versions can have malicious javascript code injected into the users browser by other authenticated users, as data fields retrieved from the database are not properly sanitized before displaying in various front-end views. The problem here stems from multiple issues: - Insufficient database sanitation on multiple fields allows injection of un-sanitized HTML - Lack of HTML escaping when rendering data on the front end The attack vector here is limited, as only authenticated users are able to write data to the database, for it to be subsequently rendered on the front-end. However, it is a vulnerability that the InvenTree development team takes seriously. ### Solution The proposed patch for this vulnerability is prevents injection of un-escaped fields into front-end UI elements. A future patch will also address sanitization of database fields on the "back end", however this will require a much larger effort to refactor multiple database tables. ### Patches - Th...

### Impact A [vulnerability](https://www.cve.org/CVERecord?id=CVE-2022-24785) in an upstream library means an authenticated attacker can abuse locale input to execute arbitrary commands from a file that has previously been uploaded using the file upload functionality in the post editor. ### Patches Fixed in 5.2.3, all 5.x sites should update as soon as possible. Fixed in 4.48.2, all 4.x sites should update as soon as possible. ### Workarounds Patched versions of Ghost add validation to the locale input to prevent execution of arbitrary files. Updating Ghost is the quickest complete solution. As a workaround, if for any reason you cannot update your Ghost instance, you can block the `POST /ghost/api/admin/settings/` endpoint, which will also disable updating settings for your site. ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected]) ### Credits * devx00 - https://twitter.com/devx00

### Impact The /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus. ### Patches Users should upgrade to EdgeXFoundry Kamakura release (2.2.0) or to the June 2022 EdgeXFoundry LTS Jakarta release (2.1.1). The issue has been patched in the following docker containers and snaps: #### Patched go modules github.com/edgexfoundry/device-sdk-go/v2 >= v2.1.1 github.com/edgexfoundry/app-functions-sdk-go/v2 >= v2.1.1 #### Patched docker containers URL: https://hub.docker.com/r/edgexfoundry - docker.io/edgexfoundry/core-metadata:>=2.1.1 - docker.io/...

### Impact A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when `techdocs.publisher.type` is set to `local`. This vulnerability is mitigated by the fact that the Software Catalog must be configured with non-standard field format validators and/or non-standard entity policies. ### Patches Those affected are advised to upgrade to `@backstage/plugin-techdocs-node` version `1.1.2` or higher. ### Workarounds If patching or upgrading is not possible, it would be sufficient to update any custom Catalog field format validators and/or custom entity policies to disallow entity names, kinds, and namespaces containing `..` <!-- ### References todo: Link to blog post / published report. --> ### For more information If you have any questions or comments about this advisory: - Open an issue in the [Backstage repository](https://github.com/backstage/backstage) - Visit our chat, linked ...

### Impact A path traversal issue was found in the (g *GitArtifactReader).Read() API. Read() calls into (g *GitArtifactReader).readFromRepository() that opens and reads the file that contains the trigger resource definition: ```go func (g *GitArtifactReader) readFromRepository(r *git.Repository, dir string) ``` No checks are made on this file at read time, which could lead an attacker to read files anywhere on the system. This could be achieved by either using symbolic links, or putting `../` in the path. ### Patches A patch for this vulnerability has been released in the following Argo Events version: v1.7.1 ### Credits Disclosed by [Ada Logics](https://adalogics.com/) in a security audit sponsored by CNCF and facilitated by OSTIF. ### For more information Open an issue in the [Argo Events issue tracker](https://github.com/argoproj/argo-events/issues) or [discussions](https://github.com/argoproj/argo-events/discussions) Join us on [Slack](https://argoproj.github.io/community/joi...