Source
ghsa
An arbitrary file upload vulnerability in Mindoc v2.1-beta.5 allows attackers to execute arbitrary commands via a crafted Zip file.
In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.
HashiCorp go-getter before 2.0.2 allows Command Injection.
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.
When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow. Opening an image with a zero or negative height has been found to bypass a decompression bomb check. This will now raise a SyntaxError instead, in turn raising a PIL.UnidentifiedImageError.
In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading.
In ginadmin through 05-10-2022 the incoming path value is not filtered, resulting in directory traversal.
The `ctx` hosted project on [PyPI](https://pypi.org/project/ctx/) was taken over via user account compromise and replaced with a malicious project which contained runtime code that collected the content of `os.environ.items()` when instantiating `Ctx` objects. The captured environment variables were sent as a base64 encoded query parameter to a heroku application running at `https://anti-theft-web.herokuapp.com`. If you installed the package between May 14, 2022 and May 24, 2022, and your environment variables contain sensitive data like passwords and API keys (like `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`), we advise you to rotate your passwords and keys, then perform an audit to determine if they were exploited.