Source
ghsa
JFinal CMS 5.1.0 is vulnerable to SQL injection.
An arbitrary file upload vulnerability in Mindoc v2.1-beta.5 allows attackers to execute arbitrary commands via a crafted Zip file.
In Apache Archiva, any registered user can reset the password of any other user. This is fixed in Archiva 2.2.8.
HashiCorp go-getter before 2.0.2 allows Command Injection.
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.
When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow. Opening an image with a zero or negative height has been found to bypass a decompression bomb check. This will now raise a SyntaxError instead, in turn raising a PIL.UnidentifiedImageError.
In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in directory traversal.
In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading.