Security Headlines: latest CVEs (source: GHSA)
GHSA-4mjx-2gh5-ph8h: Exposure of sensitive Slack webhook URLs in debug logs and traces

### Impact

Debug logs expose Slack webhook URLs, which contain private information.

### Patches

The problem is fixed in v1.3.2, which redacts sensitive webhook URLs.

### Workarounds

If you use Slack webhooks, disable or filter debug logs with the `tracing` log level and filters.

### References

https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2

### For more information

If you have any questions or comments about this advisory:

* Open an issue in the [repo](https://github.com/abdolence/slack-morphism-rust)
* Read our [security policy](https://github.com/abdolence/slack-morphism-rust/blob/master/SECURITY.md)
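The workaround above is to filter debug output rather than trust every log line. The following is an added example, not code from slack-morphism-rust (which is a Rust crate): a Python `logging` filter that keeps the webhook host in the log line but blanks the secret path. The `hooks.slack.com/services/...` URL shape and the sample log line are assumptions made for the example.

```python
import io
import logging
import re

# Slack incoming-webhook URLs carry the per-webhook secret in the path.
# The pattern below is an assumption about the usual hooks.slack.com shape;
# it is not taken from slack-morphism.
_WEBHOOK_RE = re.compile(r"(https://hooks\.slack\.com/services/)[A-Za-z0-9_/-]+")


def redact_webhook_urls(text: str) -> str:
    """Keep the host so the log stays useful, drop the secret path segments."""
    return _WEBHOOK_RE.sub(r"\1[REDACTED]", text)


class RedactSlackWebhooks(logging.Filter):
    """Handler-level filter: rewrites the final message, including %-formatted args."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_webhook_urls(record.getMessage())
        record.args = ()          # already formatted; stop the handler re-formatting
        return True


def demo_capture() -> str:
    """Log a constructed debug line through the filter and return what was emitted."""
    logger = logging.getLogger("slack.demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Attaching to the handler (not the logger) also covers records from child loggers.
    handler.addFilter(RedactSlackWebhooks())
    logger.handlers = [handler]
    # Constructed sample; the IDs are placeholders, not a real webhook.
    logger.debug("POST %s -> %d",
                 "https://hooks.slack.com/services/T00000000/B00000000/abcdefghijklmnop", 200)
    handler.flush()
    return buf.getvalue()
```

Attach the filter to every handler that can receive debug records; a filter on the logger itself is skipped for records propagated from child loggers.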

GHSA-jjmg-x456-w976: Incorrect default cookie name and recommendation

### Impact

The default cookie name (and the name recommended in the documentation) was prefixed with `Host__` instead of `__Host-`. The point of the `__Host-` prefix is additional security: when no `domain` option is given in the cookie options, the browser guarantees that the cookie was set by the correct host. A `Host__` prefix gives no such guarantee.

### Patches

Yes, the problem is patched from version 2.2.1. The fix will not be backported, but the workaround below works on older versions.

### Workarounds

Provide a custom `cookieName` in the options that is correctly prefixed with `__Host-`.

### References

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#cookie-with-__host-prefix ...
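Browsers enforce the prefix rules only for the exact string `__Host-`; a name such as `Host__csrf` is an ordinary cookie and nothing stops a subdomain or a non-TLS page from overwriting it. The checker below is an added example, not the advisory's project code: it parses a `Set-Cookie` header and reports a mangled prefix or a `__Host-` cookie that the browser would reject because it lacks `Secure`, `Path=/`, or carries a `Domain`. The sample headers are constructed for the example.

```python
HOST_PREFIX = "__Host-"


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value or None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def check_host_prefix(header: str) -> list[str]:
    """Findings for a Set-Cookie header that is meant to use the __Host- prefix.
    An empty list means the browser both accepts the cookie and enforces the prefix rules."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if not name.startswith(HOST_PREFIX):
        if name.lower().lstrip("_").startswith("host"):
            findings.append(f"{name!r} looks like a mangled prefix; browsers only recognise "
                            f"the exact string {HOST_PREFIX!r}")
        else:
            findings.append(f"{name!r} has no {HOST_PREFIX} prefix")
        return findings
    # A __Host- cookie is rejected by the browser unless all three hold (RFC 6265bis).
    if "secure" not in attrs:
        findings.append("missing Secure attribute")
    if attrs.get("path") != "/":
        findings.append("Path must be exactly /")
    if "domain" in attrs:
        findings.append("Domain attribute must be absent")
    return findings


# Constructed examples: the misspelled default the advisory describes, and a correct one.
MISSPELLED = "Host__csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict"
CORRECT = "__Host-csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Running this over the `Set-Cookie` headers an application actually emits (for example from a test client) catches the misspelling without reading library source.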

GHSA-8g9m-vv69-7j99: rdiffweb vulnerable to Open Redirect

A lack of user input validation leads to an open redirect vulnerability in rdiffweb prior to 2.5.0a4.

GHSA-pj2c-h76w-vv6f: tiny-csrf has openly visible CSRF tokens

### Impact

CSRF tokens are protected with weak encryption, so an attacker can read them.

### Patches

Fixed in v1.1.0.

### Workarounds

None other than upgrading to v1.1.0.

### References

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

### For more information

Submit an issue at [the GitHub repo](https://github.com/valexandersaulys/tiny-csrf)

GHSA-p75c-5x3h-cxcg: Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint

### Impact An authenticated user can perform a remote Denial of Service attack against Fat Free CRM. This vulnerability has been assigned the CVE identifier: CVE-2022-39281 Affected versions: All Not affected: None Fixed versions: 0.20.1 All users running an affected release should either upgrade or apply the patch immediately. ### Releases Fixed versions: 0.20.1 and above ### Patches If you are unable to upgrade immediately, you should apply the following patch. ``` diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb index d3d5c32c..7cdb24d6 100644 --- a/app/models/polymorphic/task.rb +++ b/app/models/polymorphic/task.rb @@ -189,6 +189,7 @@ class Task < ActiveRecord::Base #---------------------------------------------------------------------------- def self.bucket_empty?(bucket, user, view = "pending") return false if bucket.blank? || !ALLOWED_VIEWS.include?(view) + return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s) ...
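Review bot: The new allowlist line in `bucket_empty?` rebuilds `Setting.task_bucket.map(&:to_s)` on every call, while the line above validates `view` against the constant `ALLOWED_VIEWS`; computing the bucket list once (a memoized class method or constant, refreshed when settings change) would make the two guards uniform and avoid the per-call allocation. The hunk covers only this method and the rest of it is elided, so any other code path that receives a caller-supplied `bucket` (the advisory says an authenticated user reaches this through the Tasks endpoint) needs the same check, and a regression test that sends an unknown bucket value to that endpoint would pin the fix.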

GHSA-3q8r-f3pj-3gc4: Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

GHSA-grv6-m753-3w2g: NocoDB vulnerable to Denial of Service

NocoDB prior to 0.92.0 allows an actor to submit a very long string in the `New Project` input field of the create form, which can cause a Denial of Service (DoS) via a crafted HTTP request. Version 0.92.0 fixes this issue.

GHSA-xrx9-gj26-5wx9: v8n vulnerable to Inefficient Regular Expression Complexity

### Impact

The regular expressions behind `lowercase()` and `uppercase()` have inefficient complexity and can be used for a denial of service attack. With a crafted payload `'a' + 'a'.repeat(i) + 'A'`, a payload of only 32 characters took 29443 ms to execute when testing `lowercase()`. The same issue occurs with `uppercase()`.

### Patches

v1.5.1

### References

[huntr.dev report](https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609)
[_Regular Expression Denial of Service (ReDoS) and Catastrophic Backtracking_](https://snyk.io/blog/redos-and-catastrophic-backtracking/)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in the [v8n issues list](https://github.com/imbrn/v8n)
* Email us at [[email protected]](mailto:[email protected])
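The payload works because a nested quantifier such as `([a-z]+\s*)+` can carve a run of letters into groups in 2^(n-1) ways, and the final `A` makes the engine try every one before failing. The block below is an added example, not v8n's code, and the vulnerable pattern is an assumed shape of a "lowercase words" validator (the page does not reproduce v8n's regex). It pairs that pattern with an equivalent one that has no nested quantifier, checks both give the same verdicts on sample strings, and times them on the advisory's payload.

```python
import re
import time

# Assumed shape of the validator; v8n's real regex is not on the page.
VULNERABLE_LOWERCASE = re.compile(r"([a-z]+\s*)+")
# Same language, no nested quantifier: a lowercase letter, then any mix of letters and whitespace.
SAFE_LOWERCASE = re.compile(r"[a-z][a-z\s]*")


def redos_payload(i: int) -> str:
    """The advisory's payload: 'a' + 'a' * i + 'A'."""
    return "a" + "a" * i + "A"


def timed_fullmatch(pattern: re.Pattern, text: str) -> tuple[bool, float]:
    """Whole-string match (fullmatch, so no $-before-newline surprises) plus elapsed seconds."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


def same_decisions(samples) -> bool:
    """Confirm the rewrite accepts and rejects exactly what the original did on given samples."""
    return all(
        bool(VULNERABLE_LOWERCASE.fullmatch(s)) == bool(SAFE_LOWERCASE.fullmatch(s))
        for s in samples
    )


if __name__ == "__main__":
    # Time roughly doubles per extra character for the vulnerable pattern and stays flat
    # for the safe one; keep i small, the advisory's 32 characters takes tens of seconds.
    for i in (14, 16, 18):
        _, slow = timed_fullmatch(VULNERABLE_LOWERCASE, redos_payload(i))
        _, fast = timed_fullmatch(SAFE_LOWERCASE, redos_payload(i))
        print(f"i={i}: vulnerable {slow:.3f}s  safe {fast:.6f}s")
```

Python's `re` backtracks like JavaScript's engine, so the growth is visible here too; the rewrite is the usual fix of expressing the same language with a single, unambiguous repetition.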

GHSA-8r99-h8j2-rw64: Twisted vulnerable to HTTP Request Smuggling Attacks

### Impact

Twisted Web is vulnerable to request smuggling attacks:

1. "When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero this caused Twisted Web to interpret the request body as a pipelined request. According to RFC 7230 Section 3.3.3#4, if a message is received with multiple content-length headers with differing value, then the server must reject the message with a 400 response." (Jake Miller of Bishop Fox Security)
2. "When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted by Twisted Web as a pipelined request. According to RFC 7230 Section 3.3.3#3, if a message with both content-length and chunked encoding is accepted, transfer-encoding overrides the content-length." (Jake Miller of Bishop Fox Security)
3. ~"Twisted should not allow BWS between the field-name and colon." (ZeddYu Lu)~ _closed in 9646..._
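Both findings come down to how a server decides where one request's body ends. The following is an added example, not Twisted code: a body-framing resolver that applies the RFC 7230 section 3.3.3 rules the advisory cites (conflicting Content-Length values are rejected; Transfer-Encoding with Content-Length is treated as the error the RFC permits rather than silently preferring either), together with a minimal request-head parser that also refuses whitespace between a field name and its colon (section 3.2.4). The sample request is constructed from the advisory's first case.

```python
import re


class FramingError(ValueError):
    """Raise to answer 400 and close the connection, as RFC 7230 section 3.3.3 requires."""


def resolve_body_framing(headers: list[tuple[str, str]]):
    """Decide how the body of one request is delimited.
    Returns ("chunked", None), ("length", n) or ("none", 0)."""
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [x.strip() for k, v in headers if k.lower() == "content-length" for x in v.split(",")]

    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("Transfer-Encoding without a final chunked coding")
        if cl:
            # Item 3: TE overrides CL, but the combination is a smuggling signal and the
            # RFC allows treating it as an error. Rejecting is the safe choice.
            raise FramingError("Transfer-Encoding and Content-Length both present")
        return ("chunked", None)

    if cl:
        # Item 4: several Content-Length values are acceptable only when identical.
        if len(set(cl)) != 1:
            raise FramingError(f"conflicting Content-Length values {cl}")
        if not re.fullmatch(r"[0-9]+", cl[0]):
            raise FramingError(f"invalid Content-Length {cl[0]!r}")
        return ("length", int(cl[0]))

    return ("none", 0)


def parse_head(raw: bytes):
    """Minimal request-head parser: returns (request_line, [(name, value), ...])."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Section 3.2.4: no whitespace between field-name and colon; also rejects obs-fold.
        if not sep or name != name.strip():
            raise FramingError(f"malformed header line {line!r}")
        headers.append((name, value.strip()))
    return lines[0], headers


def classify(headers):
    """Wrapper returning ("reject", reason) instead of raising."""
    try:
        return resolve_body_framing(headers)
    except FramingError as exc:
        return ("reject", str(exc))


def classify_raw(raw: bytes):
    """Parse a raw request head and classify its body framing."""
    try:
        _, headers = parse_head(raw)
        return resolve_body_framing(headers)
    except FramingError as exc:
        return ("reject", str(exc))


# Constructed from the advisory's first case: two Content-Length headers, the second zero,
# so a server honouring only the second reads the 43-byte body as a new pipelined request.
SMUGGLE_SAMPLE = (
    b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 43\r\nContent-Length: 0\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
```

A server that answers 400 and closes the connection on `("reject", ...)` cannot be desynchronised by either of the reported cases, because the ambiguous message never reaches the body reader.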

GHSA-cg8c-gc2j-2wf7: Flask-Security vulnerable to Open Redirect

This affects all versions of package Flask-Security. When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes, such as `\\\evil.com/path`. This vulnerability is only exploitable if a WSGI server other than Werkzeug is used, or if the default behaviour of Werkzeug is modified with `autocorrect_location_header=False`. **Note:** Flask-Security is not maintained anymore.
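The backslash bypass works because Python's `urlsplit` treats `\` as an ordinary path character, while browsers parse `\` as `/` in http(s) URLs, so `\\\evil.com/path` looks relative to the server and absolute to the client. The block below is an added example covering both this advisory and the rdiffweb open redirect above; it is not code from either project. It shows the naive "no scheme, no host" check beside a validator that normalises backslashes, refuses control characters, and allows only same-host absolute URLs or single-slash paths. The `own_host` parameter and the sample targets are constructed for the example.

```python
from urllib.parse import urlsplit


def naive_is_relative(target: str) -> bool:
    """The kind of check the advisory describes being bypassed: 'no scheme and no host'."""
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def is_safe_redirect(target: str, own_host: str) -> bool:
    """Allow only same-site targets: an absolute URL whose authority is exactly own_host,
    or a path that starts with a single '/'."""
    if not target:
        return False
    # Browsers parse '\' as '/' in http(s) URLs (WHATWG URL); urlsplit does not, so a
    # netloc-only check lets "\\\evil.com/path" through as a "relative" path.
    normalised = target.replace("\\", "/")
    # Control characters and spaces are where parsers disagree; refuse rather than guess.
    if any(ord(ch) < 0x21 for ch in normalised):
        return False
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                                      # javascript:, data:, ...
    if parts.netloc:
        # Exact authority match: userinfo tricks and a different port both fail.
        return parts.netloc.lower() == own_host.lower()
    # "///evil.com" has an empty netloc for urlsplit but a host for the browser:
    # require exactly one leading slash.
    return normalised.startswith("/") and not normalised.startswith("//")
```

Relative paths without a leading slash (`dashboard`) are rejected on purpose; a login flow can resolve them server-side before calling the check, which keeps the validator's rule simple enough to audit.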