Source
ghsa
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. This issue is patched in version 1.3.0, and users are recommended to upgrade.
Flume’s JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing validation. This could result in untrusted data being deserialized, leading to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed in version 1.11.0.
Badaso allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
HyperDown is a markdown parser written for the Chinese website SegmentFault. Improper validation of the href attribute allows for Cross-site Scripting. At publication there are no patched versions, and no known workarounds.
feathers-sequelize is vulnerable to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection.
The feathers-sequelize `cleanQuery` method uses insecure recursive logic to filter unsupported keys from the query object. This results in Remote Code Execution (RCE) with the privileges of the application.
Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.
Due to improper type validation in the `socket.io-parser` library (which is used by the `socket.io` and `socket.io-client` packages to encode and decode Socket.IO packets), it is possible to overwrite the `_placeholder` object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Example:

```js
// Decoder is exported by the socket.io-parser package
const { Decoder } = require("socket.io-parser");

const decoder = new Decoder();

decoder.on("decoded", (packet) => {
  console.log(packet.data); // prints [ 'hello', [Function: splice] ]
})

decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');
decoder.add(Buffer.from("world"));
```

This bubbles up in the `socket.io` package:

```js
io.on("connection", (socket) => {
  socket.on("hello", (val) => {
    // here, "val" could be a reference instead of what the user expected
  });
});
```

At first sight, the potential impact seems rather limited, but please upgrade to a safe version as soon as possible.

This should be fixed by:

- https://github.com/socketio/socket....
### Impact

This impacts users that use shescape to escape arguments:

- for the Unix shell Bash, or any not-officially-supported Unix shell;
- using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`.

An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:

```javascript
import * as shescape from "shescape";

/* 1. Prerequisites */
const options = {
  interpolation: true,
  // and
  shell: "/bin/bash",
  // or
  shell: "some-not-officially-supported-shell",
  // or
  shell: undefined, // Only if the system's default shell is bash or an unsupported shell.
};

/* 2. Attack */
let userInput = '{,'.repeat(150_000); // polynomial backtracking

/* 3. Usage */
shescape.escape(userInput, options);
// or
shescape.escapeAll([userInput], options);
```

### Patches

This bug has been patched in [v1.6.1](https://github.com/...
### Impact

A custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static context (via `STATICCALL`), and thus decide if stateful operations should be done.

Previously, the passed `is_static` parameter was incorrect -- it was only set to `true` if the call came from a **direct** `STATICCALL` opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually use `is_static`.

The maintainers estimate the usage is low. However, for those affected, it can lead to possible incorrect state transitions.

### Patches

PR: https://github.com/rust-blockchain/evm/pull/133

Released in v0.36.0. Older patch versions can be released on request if anyone needs them. Simply contact @sorpaas by email to request it.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [evm repo](https://github.com/rust-blockchain/evm)
* Email Wei at...