ghsa

## Impact Several quadratic complexity bugs in commonmarker's underlying [`cmark-gfm`](https://github.com/github/cmark-gfm) library may lead to unbounded resource exhaustion and subsequent denial of service. The following vulnerabilities were addressed: * [CVE-2023-22483](https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c) * [CVE-2023-22484](https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r) * [CVE-2023-22485](https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr) * [CVE-2023-22486](https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p) For more information, consult the release notes for version [`0.23.0.gfm.7`](https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.7). ## Mitigation Users are advised to upgrade to commonmarker version [`0.23.7`](https://rubygems.org/gems/commonmarker/versions/0.23.7).

### Description: A regular expression denial of service (ReDoS) vulnerability has been discovered in `ua-parser-js`. ### Impact: This vulnerability bypass the library's `MAX_LENGTH` input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition. ### Affected Versions: All versions of the library prior to version `0.7.33` / `1.0.33`. ### Patches: A patch has been released to remove the vulnerable regular expression, update to version `0.7.33` / `1.0.33` or later. ### References: [Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) ### Credits: Thanks to @Snyk who first reported the issue.

### Impact MITM can enable Zip-Slip. ### Vulnerability #### Vulnerability 1: `Scanner.java` There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory. https://github.com/hapifhir/org.hl7.fhir.core/blob/8c43e21094af971303131efd081503e5a112db4b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/Scanner.java#L335-L357 This zip archive is downloaded over HTTP instead of HTTPS, leaving it vulnerable to compromise in-flight. https://github.com/hapifhir/org.hl7.fhir.core/blob/8c43e21094af971303131efd081503e5a112db4b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/Scanner.java#L136 ##### Vulnerability 2: `TerminologyCacheManager.java` **Note:** While these links point to only one implementation, both implementations of `TerminologyCacheManager.java` are vulnerable to this as their code seems to be duplicated. - https://github.com/hapifhir/org.hl7.fhir.core/blob/f58b7acfb5e3...

### Summary If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended. ### Details The [code Spotipy uses to parse URIs and URLs ](https://github.com/spotipy-dev/spotipy/blob/master/spotipy/client.py#L1942) accepts user data too liberally which allows a malicious user to insert arbitrary characters into the path that is used for API requests. Because it is possible to include `..`, an attacker can redirect for example a track lookup via `spotifyApi.track()` to an arbitrary API endpoint like playlists, but this is possible for other endpoints as well. Before the security advisory feature was enabled on GitHub, I was already in contact with Stéphane Bruckert via e-mail, and he asked me to look into a potential fix. My recommendation is to perform stricter parsing of URLs and URIs, which I implemented in the patch included at the end of the report. If you prefer, I can also invite you to a private for...

### Impact MITM can enable Zip-Slip. ### Vulnerability #### Vulnerability 1: `Publisher.java` There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory. https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610 #### Vulnerability 2: `WebSourceProvider.java` There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes. https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112 #### Vulnerability 3: `ZipFetcher.java` This retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file s...

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

An issue in the component /admin/backups/work-dir of Sonic v1.0.4 allows attackers to execute a directory traversal.

Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.

Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.

The git2 and libgit2-sys crates are Rust wrappers around the [libgit2](https://libgit2.org/) C library. It was discovered that libgit2 1.5.0 and below did not verify SSH host keys when establishing an SSH connection, exposing users of the library to Man-In-the-Middle attacks. The libgit2 team assigned [CVE-2023-22742](https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq) to this vulnerability. The following versions of the libgit2-sys Rust crate have been released: * libgit2-sys 0.14.2, updating the underlying libgit2 C library to version 1.5.1. * libgit2-sys 0.13.5, updating the underlying libgit2 C library to version 1.4.5. A new git2 crate version has also been released, 0.16.1. This version only bumps its libgit2-sys dependency to ensure no vulnerable libgit2-sys versions are used, but contains no code changes: if you update the libgit2-sys version there is no need to also update the git2 crate version. [You can learn more about this vulnerability in libgi...