Security Headlines

Source: ghsa
GHSA-98hq-4wmw-98w9: Arbitrary code execution in de.tum.in.ase:artemis-java-test-sandbox

### Summary

Because of the missing `checkLink(String)` override in the SecurityManager, students can load libraries and execute arbitrary code.

### Details

Using `System.load(String)` or `System.loadLibrary(String)` students can load and execute arbitrary code:

```java
import java.io.File;
import java.util.List;

public class Main {
    // Entry point implemented in the native library that is loaded below.
    private static native void start(List<String> args);

    public static void main(String[] args) {
        // Loads a native library from the submission; never blocked because checkLink is not overridden.
        System.load(new File("path_to_lib.so").getAbsolutePath());
        start(List.of(args));
    }
}
```

Adding this to the security manager (and a translation) should fix the issue:

```java
// Override the link check so that System.load / System.loadLibrary are rejected
// unless the call originates from the sandbox's own public interface.
@Override
public void checkLink(String lib) {
    try {
        if (enterPublicInterface()) return;
        throw new SecurityException(localized("security.error_link")); //$NON-NLS-1$
    } finally {
        exitPublicInterface();
    }
}
```

### PoC

See details.

### Impact

Arbitrary code execution.

GHSA-66p8-j459-rq63: Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system

### Impact

This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with [`GHSA-p8r3-83r8-jwj5`](https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5) to overwrite files on the host system.

In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings.

Information on how the exploitation of this vulnerability works will be released on February 24th, 2023 in North America.

### Patches

This vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`. Anyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x` should upgrade to `v1.7.4`.

### Workarounds

None at this time.

GHSA-q264-w97q-q778: Denial of service via HAMT Decoding Panics

### Impact

Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus `fanout` parameter in the HAMT directory nodes.

The fix includes the checks added in [ipfs/go-bitfield GHSA-2h6c-j3gf-xp9r](https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r), as well as limiting the `fanout` to `<= 1024` (to avoid attempts at arbitrarily sized allocations).

### Patches

- https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175

### Workarounds

Do not feed untrusted user data to the decoding functions.

### References

- https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r

GHSA-rfhw-fm4m-52j6: Authentication Bypass in modoboa

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

GHSA-29gw-9793-fvw7: IPython vulnerable to command injection via set_term_title

IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the `set_term_title` [function](https://github.com/ipython/ipython/blob/3f0bf05f072a91b2a3042d23ce250e5e906183fd/IPython/utils/terminal.py#L103-L117) under specific conditions. This has been patched in version 8.10.0.

### Impact

Users are only vulnerable when calling this function on Windows in a Python environment where [ctypes](https://docs.python.org/3/library/ctypes.html) is not available. The dependency on ctypes in `IPython.utils._process_win32` prevents the vulnerable code from ever being reached (making it effectively dead code). However, as a library that could be used by another tool, `set_term_title` could introduce a vulnerability for dependencies.

Currently `set_term_title` is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control di...

GHSA-4gj3-6r43-3wfc: IPFS go-unixfsnode subject to DOS via HAMT Decoding Panics

## Impact

Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes.

The fix includes the checks added in [ipfs/go-bitfield GHSA-2h6c-j3gf-xp9r](https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r), as well as limiting the fanout to <= 1024 (to avoid attempts at arbitrarily sized allocations).

## Patches

- https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68
- https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122

## References

* https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
* https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r

GHSA-2h6c-j3gf-xp9r: IPFS go-bitfield vulnerable to DoS via malformed size arguments

### Impact

When feeding untrusted user input into the size parameter of the `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happens when the `size` is not a multiple of `8` or is negative.

There was already a note in the `NewBitfield` documentation:

> ```
> Panics if size is not a multiple of 8.
> ```

But it is incomplete (it does not mention negative sizes) and missing from `FromBytes`'s documentation. This has been replaced by returning a `(Bitfield, error)` and returning a non-nil error if the size is wrong.

### Patches

- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579

### Workarounds

- Ensure `size%8 == 0 && size >= 0` yourself before calling `NewBitfield` or `FromBytes`

### References

- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778

GHSA-hxjp-q6c3-38fx: XML External Entity Reference in Apache NiFi

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

GHSA-53jx-vvf9-4x38: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route

### Summary

When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any class path resource.

### Details

When computing the relative path to locate the resource, in the wildcard case the code at

https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83

returns the user input (without validation) as the segment to look up. Even though checks are performed to avoid escaping the sandbox, because the input was not sanitized, backslashes (`\`) are not properly handled and an attacker can build a path that is valid within the classpath.

### PoC

https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability

GHSA-qf87-q4gg-cg43: bottlerocket dependency openssl is vulnerable to dereferenced null pointers

A null pointer in OpenSSL can be dereferenced when signatures are being verified in malformed PKCS7 data. Agents or clients compiled with OpenSSL may experience unexpected crashes. OpenSSL has been removed in bottlerocket/update-operator version 1.1.0 in favor of Rust-based TLS using rustls.