#git

### Impact ZITADEL uses Go templates to render the login UI. Due to a improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including javascript, the execution of such scripts would be prevented by the Content Security Policy. ### Patches 2.x versions are fixed on >= [2.47.3](https://github.com/zitadel/zitadel/releases/tag/v2.47.3) 2.46.x versions are fixed on >= [2.46.1](https://github.com/zitadel/zitadel/releases/tag/v2.46.1) 2.45.x versions are fixed on >= [2.45.1](https://github.com/zitadel/zitadel/releases/tag/v2.45.1) 2.44.x versions are fixed on >= [2.44.3](https://github.com/zitadel/zitadel/releases/tag/v2.44.3) 2.43.x versions are fixed on >= [2.43.9](https://github.com/zitadel/zitadel/releases/tag/v2.43.9) 2.42.x versions are fixed on >= [2.42.15](ht...

### Summary An attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a previously [patched CVE](https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force) intended to protect against brute-force attacks. ### Details The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. The brute force protection mechanism's code: ```go if failed && len(failures) >= getMaximumCacheSize() { log.Wa...

### Summary An attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. ### Details The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. The core issue is located in [expireOldFailedAttempts](https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311) function: ```go func expireOldFailedAttempts(maxAge time.Duration, failures *map[string]LoginAttempts) int { expiredCount := 0 for key, attempt := range *failures { if time.Since(attempt.LastFailed) > maxAge*time.Sec...

### Summary RCE due to improper input validation in TranformGraph().to_dot_graph function ### Details Due to improper input validation a malicious user can provide a command or a script file as a value to `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539 Although an error will be raised, the command or script will be executed successfully. ### PoC ```shell $ cat /tmp/script #!/bin/bash echo astrorce > /tmp/poc.txt ``` ```shell $ python3 Python 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] on linux Type "help", "copyright", "credits" or "license" for more information. >>> from astropy.coordinates.transformations import TransformGraph >>> tg = TransformGraph() >>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script") Traceback (most recent call last): File "<stdin>", l...

The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.

Ubuntu Security Notice 6696-1 - Yi Yang discovered that the Hotspot component of OpenJDK 8 incorrectly handled array accesses in the C1 compiler. An attacker could possibly use this issue to cause a denial of service, execute arbitrary code or bypass Java sandbox restrictions. It was discovered that the Hotspot component of OpenJDK 8 did not properly verify bytecode in certain situations. An attacker could possibly use this issue to bypass Java sandbox restrictions.

Red Hat Security Advisory 2024-1346-03 - An update is now available for Red Hat OpenShift GitOps 1.11. Issues addressed include a cross site scripting vulnerability.

Red Hat Security Advisory 2024-1345-03 - An update is now available for Red Hat OpenShift GitOps 1.10. Issues addressed include a cross site scripting vulnerability.

Gasmark Pro version 1.0 suffers from a remote shell upload vulnerability.

vm2 versions 3.9.19 and below suffer from a sandbox escape vulnerability.