Source
ghsa
### Impact Several `HandleRoute` endpoints make use of the deprecated `ioutil.ReadAll()`. `ioutil.ReadAll()` reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. Eventsources susceptible to an out-of-memory denial-of-service attack: - AWS SNS - Bitbucket - Bitbucket - Gitlab - Slack - Storagegrid - Webhook ### Patches A patch for this vulnerability has been released in the following Argo Events version: v1.7.1 ### Credits Disclosed by [Ada Logics](https://adalogics.com/) in a security audit sponsored by CNCF and facilitated by OSTIF. ### For more information Open an issue in the [Argo Events issue tracker](https://github.com/argoproj/argo-events/issues) or [discussions](https://github.com/argoproj/argo-events/discussions) Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-events
### Description `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server. ### Impact This affects all use of HTTPS via HTTP proxy using **`Undici.ProxyAgent`** with Undici or Node's global `fetch`. In this case, it removes all HTTPS security from all requests sent using Undici's `ProxyAgent`, allowing trivial MitM attacks by anybody on the network path between the client and the target server (local network users, your ISP, the proxy, the target server's ISP, etc). This less seriously affects HTTPS via HTTPS proxies. When you send HTTPS via a proxy to a remote server, the proxy can freely view or modify all HTTPS traffic unexpectedly (but only the proxy). Example: ```js setGlobalDispatcher(new...
### Impact The paper [Cryptanalysis of Aggregate Γ-Signature and Practical Countermeasures in Application to Bitcoin](https://eprint.iacr.org/2020/1484) defines a way to forge valid Γ-signatures, an algorithm that is used in the Biscuit specification version 1. It would allow an attacker to create a token with any access level. As Biscuit v1 was still an early version and not broadly deployed, we were able to contact all known users of Biscuit v1 and help them migrate to Biscuit v2. We are not aware of any active exploitation of this vulnerability. ### Patches The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. ### Workarounds There is no known workaround, any use of Biscuit v1 should be migrated to v2. ### References [Cryptanalysis of Aggregate Γ-Signature and Prac...
Affected versions of this crate did not implement `Drop` when `#[zeroize(drop)]` was used on an `enum`. This can result in memory not being zeroed out after dropping it, which is exactly what is intended when adding this attribute. The flaw was corrected in version 1.2 and `#[zeroize(drop)]` on `enum`s now properly implements `Drop`.
Affected versions of this crate did not require event handlers to have `Send` bound despite there being no guarantee of them being called on any particular thread, which can potentially lead to data races and undefined behavior. The flaw was corrected in commit [afe3252](https://github.com/microsoft/windows-rs/commit/afe32525c22209aa8f632a0f4ad607863b51796a) by adding `Send` bounds.
Affected versions of this crate claimed to construct a const `Vec` with nonzero length and capacity, but that cannot be done because such a `Vec` requires a pointer from an allocator. The implementation was later changed to just construct a `std::borrow::Cow`.
Affected versions of this crate maintains references to memory that might have been freed already. If affects the following two `tremor-script` language constructs: * A [Merge](https://www.tremor.rs/docs/tremor-script/index#merge) where we assign the result back to the target expression and the expression to be merged needs to reference the `event`: ``` let state = merge state of event end; ``` * A [Patch](https://www.tremor.rs/docs/tremor-script/index#patch) where we assign the result back to the target expression and the patch operations used need to reference the `event`: ``` let state = patch state of insert event.key => event.value end; ``` For constructs like this (it doesnt matter what is references in the expression to be merged or the patch operations) an optimization was applied to manipulate the target value in-place, instead of cloning it. Our `Value` struct which underpins all event data in `tremor-script`, is representing as borrowed strings `beef::Cow<'lifetime...
`tower_http::services::fs::ServeDir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this. See [tower-http#204] for more details. [tower-http#204]: https://github.com/tower-rs/tower-http/pull/204
In the affected version of this crate, `{Iter, IterMut}::next` used a weaker memory ordering when loading values than what was required, exposing a potential data race when iterating over a `ThreadLocal`'s values. Crates using `Iter::next`, or `IterMut::next` are affected by this issue.
Affected versions of this crate passes an uninitialized buffer to a user-provided `Read` implementation. Arbitrary `Read` implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior. The problem was fixed in commit `cdff034` by zero-initializing the buffer before passing it to a user-provided `Read` implementation.