#git

All versions of the package github.com/greenpau/caddy-security are vulnerable to HTTP Header Injection via the X-Forwarded-Proto header due to redirecting to the injected protocol.Exploiting this vulnerability could lead to bypass of security mechanisms or confusion in handling TLS.

The security of both a TUF client and repository implementations depend on the concept of trusted Metadata objects verifying the signatures over other Metadata that it delegates to. This verification process uses `Targets.get_delegated_role(delegated_role: str)` to find the delegation information. `tuf.api.metadata.Targets.get_delegated_role()` should ensure that the given `delegated_rolename` is actually a name of a role that is delegated by that Targets, but in the case of "succinct delegation" this does not happen. `tuf.ngclient` users are **not** impacted but direct users of `tuf.api.metadata` could be impacted. ### Impact If an attacker can make a Metadata API user run `Targets.get_delegated_role()` so that 1. the `Targets` uses succinct delegation 1. the `delegated_role` argument is not actually delegated by the `Targets` the result will be incorrect. This also means that if an attacker can make a Metadata API user run `Targets.verify_delegate()` or `Targets.get_verificati...

### Impact In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem. ### Patches Fix versions: 5.3.5, 5.4.0-BETA-1 ### Workaround Disabling Hazelcast Jet processing engine in Hazelcast member configuration workarounds the issue. As a result SQL and Jet jobs won't work.

# GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219` The [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [scrypted](https://github.com/koush/scrypted). We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team. If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `[email protected]` (please include `GHSL-2023-218` or `GHSL-2023-219` as a reference). See also [this blog post](https://github.blog/2022-04-22-removing-the-stigma-of-a-cve/) written by GitHub's Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure...

By Deeba Ahmed From Banking Apps to Crypto Wallets: SpyNote Malware Evolves for Financial Gain. This is a post from HackRead.com Read the original post: SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds

### Impact Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. ### Patches This is patched in v5.28.3 and v6.6.1 ### Workarounds There are no known workarounds. ### References - https://fetch.spec.whatwg.org/#authentication-entries - https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

### Impact Calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. ### Patches Patched in v6.6.1 ### Workarounds Make sure to always consume the incoming body.

Red Hat Security Advisory 2024-0843-03 - Red Hat OpenShift Serverless version 1.31.1 is now available. Issues addressed include denial of service and traversal vulnerabilities.

By Waqas The latest report from Swedish telecom security firm Enea sheds light on security vulnerabilities within the widely used messaging platform, WhatsApp. This is a post from HackRead.com Read the original post: Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

One of Microsoft's Patch Tuesday fixes has flipped from "Likely to be Exploited" to “Exploitation Detected”.