Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-f7ff-xf87-f22q: Arbitrary command execution in Minidoc

An arbitrary file upload vulnerability in Mindoc v2.1-beta.5 allows attackers to execute arbitrary commands via a crafted Zip file.

ghsa
#vulnerability#git
GHSA-5hqc-x78w-3cmw: Missing Authorization in Apache Archiva

In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8

GHSA-fcgg-rvwg-jv58: Unsafe downloads in HashiCorp go-getter

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.

GHSA-x24g-9w7v-vprh: Command injection in HashiCorp go-getter

HashiCorp go-getter before 2.0.2 allows Command Injection.

GHSA-28r2-q6m8-9hpx: Unsafe downloads in HashiCorp go-getter

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.

GHSA-cjr4-fv6c-f3mv: Unsafe downloads in HashiCorp go-getter

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.

GHSA-hr8g-f6r6-mr22: Buffer over-flow in Pillow

When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow. Opening an image with a zero or negative height has been found to bypass a decompression bomb check. This will now raise a SyntaxError instead, in turn raising a PIL.UnidentifiedImageError.

GHSA-5824-6jfv-xr3r: Arbitrary file read in ginadmin

In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading.

GHSA-9pg5-3pjc-f8wm: Path traversal in ginadmin

In ginadmin through 05-10-2022 the incoming path value is not filtered, resulting in directory traversal.

GHSA-4g82-3jcr-q52w: Malware in ctx

The `ctx` hosted project on [PyPI](https://pypi.org/project/ctx/) was taken over via user account compromise and replaced with a malicious project which contained runtime code that collected the content of `os.environ.items()` when instantiating `Ctx` objects. The captured environment variables were sent as a base64 encoded query parameter to a heroku application running at `https://anti-theft-web.herokuapp.com`. If you installed the package between May 14, 2022 and May 24, 2022, and your environment variables contain sensitive data like passwords and API keys (like `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`), we advise you to rotate your passwords and keys, then perform an audit to determine if they were exploited.