Source
ghsa
### Summary A session fixation attack allows an attacker to hijack a legitimate user session. The attack investigates a flaw in how the online application handles the session ID, especially the susceptible web application. ### Affected Version <= v1.6.3 ### For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/KubeOperator/KubePi/issues). This vulnerability is reported by [sachinh09](https://huntr.dev/users/sachinh09/) from [huntr.dev](https://huntr.dev/).
### Summary API interfaces with unauthorized access will leak sensitive information /kubepi/api/v1/systems/operation/logs/search /kubepi/api/v1/systems/login/logs/search This vulnerability also exists in https://github.com/KubeOperator/KubeOperator ### Details The vulnerability is located in KubePi/internal/api/v1/v1.go <img width="855" alt="image" src="https://user-images.githubusercontent.com/35884266/211234101-8c325e46-bf65-44ee-9fcb-7a1dc3a39c03.png"> `sp.Post("/login/logs/search", handler.LoginLogsSearch())` directly uses the v1 route without middleware authentication <img width="961" alt="image" src="https://user-images.githubusercontent.com/35884266/211234091-fe8cf249-8806-4124-92d0-4fd58753fa48.png"> Follow up found no role based authentication <img width="919" alt="image" src="https://user-images.githubusercontent.com/35884266/211234162-0a6cbaa1-1f83-4361-aa26-a72cd117d64d.png"> `sp.Post("/operation/logs/search", handler.OperationLogsSearch())` the same as above <img w...
### Impact Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. ### Patches This was patched in https://github.com/mercurius-js/mercurius/pull/940. ### Workarounds Disable subscriptions. ### References Reported publicly as https://github.com/mercurius-js/mercurius/issues/939. The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228
The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the `git ls-files` command using `eval()` to unescape quoted file names. If a file name was added to the git repository contained special characters, such as `\n`, then the `git ls-files` command would print the file name in quotes and escape any special characters. If the `Git#ls_files` method encountered a quoted file name it would use `eval()` to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.
### Impact `DyeColorIdMap->fromId()` did not account for the possibility that it might be given invalid input. This means that an undefined offset error would occur whenever this happened. This code is indirectly called during [`Banner->deserializeCompoundTag()`](https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104), which is invoked when deserializing any item NBT, whether from network or disk. An attacker could use this bug to crash a server by providing NBT with invalid values for pattern colours in an inventory transaction, or by using `/give` to obtain an item with NBT like this. ### Patches 08b9495bce2d65a6d1d3eeb76e484499a00765eb ### Workarounds This is quite difficult to work around via a plugin. Theoretically, it's possible to override the `Banner` item class from a plugin and validate the data before it reaches `deserializeCompoundTag()`. ### For more information If you have any questions or comments about this advi...
An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL. **Affected products and versions** Okta OIDC Middleware prior to version 5.0.0. **Resolution** The vulnerability is fixed in OIDC Middleware 5.0.0. To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later. **CVE details** **CVE ID:** [CVE-2022-3145](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3145) **Published Date:** 01/05/2023 **Vulnerability Type:** Open Redirect **CWE:** CWE-601 **CVSS v3.1 Score:** 4.3 **Severity:** Medium **Vector string:** AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N **Severity Details** To exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once a user successfully completed the login process, the victim user would then be redirected to the attacker controlled site. **References** https://github.com/okta/okta-oi...
### Impact Due to a vulnerability in `jackson-databind <= 2.12.6.0`, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API. This does **not** affect the Apiman Gateway. ### Patches Upgrade to Apiman 3.0.0.Final or later. If you are using an older version of Apiman and need to remain on that version, contact your Apiman [support provider](https://www.apiman.io/support.html) for advice/long-term support. ### Workarounds If all users of the Apiman Manager are trusted then you may assess this is low risk, as an account is required to exploit the vulnerability. ### References * Apiman maintainer and security contact: [email protected] * https://nvd.nist.gov/vuln/detail/CVE-2020-36518 * https://github.com/FasterXML/jackson-databind/issues/2816
### Impact GitOps run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local s3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources(e.g. CVE-2022-23508). ### Patches This vulnerability has been fixed by commits [ce2bbff](https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f) and [babd915](https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967). Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022. ### Workarounds There is no workaround for this vulnerability. ### References Disclosed by Paulo Gomes, Senior Software Engineer, Weaveworks. #...
### Impact A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block unauthorised access, therefore allowing local users (and processes) on the same machine to see and alter the bucket content. By leveraging this vulnerability, an attacker could pick a workload of their choosing and inject it into the S3 bucket, which resulted in the successful deployment in the target cluster, without the need to provide any credentials to either the S3 bucket nor the target Kubernetes cluster. ### Patches This vulnerability has been fixed by commits [75268c4](https://github.com/weaveworks/weave-gitops/pull/3114/commits/75268c4d2c8f7e4db22c63d76b451ba6545d117f) and [966823b](https://github.com/weaveworks/weave-gitops/pull/3102/commits/966823bbda8c539a4661e2a4f8607c9307ba6225). Use...
# Impact Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This is the same bug as Moment's https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g # Workarounds Limit the length of the input. # References There is an excellent writeup of the same issue in Moment: https://github.com/moment/moment/pull/6015#issuecomment-1152961973 # Details `DateTime.fromRFC2822("(".repeat(500000))` takes a couple minutes to complete.