ghsa

### Impact Under certain conditions, an attacker can construct malicious authentication requests to bypass the authentication process, resulting in privilege escalation or unauthorized access. Only users using TiDB 5.3.0 are affected by this vulnerability. ### Patches Please upgrade to TiDB 5.3.1 or higher version ### Workarounds You can also mitigate risks by taking the following measures. Option 1: Turn off SEM (Security Enhanced Mode). Option 2: Disable local login for non-root accounts and ensure that the same IP cannot be logged in as root or normal user at the same time. ### References https://en.pingcap.com/download/ ### For more information If you have any questions or comments about this advisory: * Email us at [email protected]

### Impact When authenticating, a malicious server could return a specially crafted authentication packet, causing the client to read and return up to 12 bytes of data from an uninitialized variable in stack memory. ### Patches Users of the trilogy gem should upgrade to version 2.1.1 ### Workarounds This issue can be avoided by only connecting to trusted servers. ### Acknowledgements We would like to thank Sergei Volokitin for reporting this vulnerability ### For more information If you have any questions or comments about this advisory: * Open an issue in [trilogy](https://github.com/github/trilogy)

# Background CILogon is a federated auth provider that allows users to authenticate themselves via a number of Identity Providers (IdP), focused primarily on educational and research institutions (such as Universities). More traditional and open IdPs such as GitHub, ORCID, Google, Microsoft, etc are also supported. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowed_idps configuration trait of CILogonOAuthenticator is documented to be a list of domains that indicate the institutions whose users are authorized to access this JupyterHub. This authorization is validated by ensuring that the *email* field provided to us by CILogon has a *domain* that matches one of the domains listed in `allowed_idps`. # Impact If `allowed_idps` contains `berkeley.edu`, you might expect only users with valid current credentials provided by Unive...

FacturaScripts 2022.08 and prior is vulnerable to cross-site scripting. A patch is available on the `master` branch of the repository and anticipated to be part of version 2022.09.

An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are specifically set.

### Impact The gatsby-plugin-mdx plugin prior to versions 3.15.2 and 2.14.1 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present when passing input in both webpack (MDX files in `src/pages` or MDX file imported as component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced or added into an MDX file. The following MDX payload demonstrates a vulnerable configuration: ``` ---js ((require("child_process")).execSync("id >> /tmp/rce")) --- ``` ### Patches A patch has been introduced in `[email protected]` and `[email protected]` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. The patch introduces a new option, `JSFrontmatterEngine` w...

### Impact Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. ### Patches This is patched in Play Framework 2.8.16. The `DefaultHttpErrorH...

### Impact A denial-of-service vulnerability has been discovered in Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled—as it is by default—then this can crash the application process. `Form.bindFromRequest` is vulnerable when using any body parser that produces a type of `AnyContent` or `JsValue` in Scala, or one that can produce a `JsonNode` in Java. This includes Play's default body parser. ### Patches This vulnerability been patched in version 2.8.16. There is now a global limit on the depth of a JSON object that can be parsed, which can be configured by the user if...

### Impact _What kind of vulnerability is it? Who is impacted?_ Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. (https://github.com/blevesearch/bleve-explorer) These HTTP methods paves way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (http/index_create.go) and DeleteIndexHandler (http/index_delete.go) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted. ### Patches _Has the problem been patched? What versions should users upgrade to...

### Impact The malicious user is able to discover services in the internal network through webhook functionality. All installations accepting public traffic are affected. ### Patches Webhook payload URLs are revalidated before each delivery to make sure they are not resolved to blocked local network addresses. Users should upgrade to 0.12.8 or the latest 0.13.0+dev. ### Workarounds Run Gogs in its own private network. ### References https://huntr.dev/bounties/da1fbd6e-7a02-458e-9c2e-6d226c47046d/ ### For more information If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6901.