Security
Headlines
GHSA-g9v2-wqcj-j99g: Uptime Kuma has Persistent User Sessions

# Summary
Attackers with access to a user's device can gain persistent account access. This is caused by missing verification of session tokens after password changes and/or elapsed inactivity periods.

# Details
`uptime-kuma` sets JWT tokens for users after successful authentication. These tokens have the following design flaws:
- After successful login, a JWT token is issued and stored in `sessionStorage` or `localStorage`; which of the two is used is decided by the `Remember Me` button. The user's token is valid without any time limitation, even after long periods of inactivity. This increases the risk of session hijacking if, for example, a user forgets to log off and leaves the PC.
- Sessions are only deleted on the client side after a user logs out, meaning a local attacker could reuse said token with deep system access over the browser.
- If a user changes a password, any previously logged-in clients are not logged out; previously issued tokens remained valid forever...
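The three missing checks in the advisory (server-side logout, an inactivity timeout, and rejecting tokens issued before the last password change) can be expressed as a small validator run on every request. The Go example below is added here and is not Uptime Kuma's code: it uses opaque tokens held in a server-side store rather than JWTs (with JWTs the same comparison applies to the `iat` claim), and the 30-minute idle and 24-hour absolute timeouts are assumed values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example, not Uptime Kuma's code. Timeouts and token values are assumptions.
var (
	ErrUnknownSession = errors.New("unknown session")
	ErrRevoked        = errors.New("session revoked by logout")
	ErrStale          = errors.New("session issued before password change")
	ErrIdle           = errors.New("session expired after inactivity")
	ErrTooOld         = errors.New("session exceeded absolute lifetime")
)

type session struct {
	user     string
	issuedAt time.Time
	lastSeen time.Time
	revoked  bool
}

type SessionStore struct {
	idleTimeout, absoluteTimeout time.Duration
	sessions                     map[string]*session  // keyed by token hash
	passwordChanged              map[string]time.Time // user -> last password change
}

func NewSessionStore(idle, absolute time.Duration) *SessionStore {
	return &SessionStore{idleTimeout: idle, absoluteTimeout: absolute,
		sessions: map[string]*session{}, passwordChanged: map[string]time.Time{}}
}

// key stores only a hash of the token so a leaked store does not yield usable tokens.
func key(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

func (s *SessionStore) Issue(token, user string, now time.Time) {
	s.sessions[key(token)] = &session{user: user, issuedAt: now, lastSeen: now}
}

// Logout revokes the session on the server; clearing browser storage alone is not enough.
func (s *SessionStore) Logout(token string) {
	if sess, ok := s.sessions[key(token)]; ok {
		sess.revoked = true
	}
}

// ChangePassword records the change; every session issued at or before it fails Validate.
func (s *SessionStore) ChangePassword(user string, now time.Time) {
	s.passwordChanged[user] = now
}

// Validate runs the checks in order and, on success, refreshes lastSeen.
func (s *SessionStore) Validate(token string, now time.Time) error {
	sess, ok := s.sessions[key(token)]
	if !ok {
		return ErrUnknownSession
	}
	if sess.revoked {
		return ErrRevoked
	}
	if changed, ok := s.passwordChanged[sess.user]; ok && !sess.issuedAt.After(changed) {
		return ErrStale
	}
	if now.Sub(sess.lastSeen) > s.idleTimeout {
		return ErrIdle
	}
	if now.Sub(sess.issuedAt) > s.absoluteTimeout {
		return ErrTooOld
	}
	sess.lastSeen = now
	return nil
}

func main() {
	t0 := time.Date(2023, 10, 10, 9, 0, 0, 0, time.UTC) // constructed clock
	store := NewSessionStore(30*time.Minute, 24*time.Hour)
	store.Issue("tokenA", "alice", t0)
	fmt.Println("5 min later:", store.Validate("tokenA", t0.Add(5*time.Minute)))
	fmt.Println("40 min idle:", store.Validate("tokenA", t0.Add(45*time.Minute)))
	store.Issue("tokenB", "alice", t0.Add(time.Hour))
	store.ChangePassword("alice", t0.Add(2*time.Hour))
	fmt.Println("after pw change:", store.Validate("tokenB", t0.Add(3*time.Hour)))
}
```

The order of checks matters: revocation and the password-change comparison run before the time-based checks, so a token that is both stale and idle is reported as stale, which is the more actionable reason for an audit log.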

GHSA-mq6f-5xh5-hgcf: Harbor timing attack risk

In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks. The vulnerability occurs due to the following code: https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69

To avoid this issue, constant time comparison should be used.

```go
subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0
```

### Impact
This attack might be possible theoretically, but no workable proof of concept is available, and access complexity is set at High. The jobservice exposes these APIs:

```
Create a job task --- POST /api/v1/jobs
Get job task information --- GET /api/v1/jobs/{job_id}
Stop job task --- POST /api/v1/jobs/{job_id}
Get job log task --- GET /api/v1/jobs/{job_id}/log
Get job execution --- GET /api/v1/jobs/{job_id}/executions
Get job stats --- GET /api/v1/stats
Get job service configuration --- GET /api/v1/config
```

It is used to create jobs/stop job...
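The following Go example is added here to show the pattern the advisory is about; it is not Harbor's authenticator. It puts a plain `==` comparison beside `subtle.ConstantTimeCompare`, adds the hash-then-compare variant that also hides the secret's length (a `ConstantTimeCompare` of raw inputs returns 0 immediately on a length mismatch), and wraps an HTTP handler with the hardened check. The header name `Authorization` and the secret values are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

// Added example, not Harbor's code. The header name and secrets are assumptions;
// jobservice's real check is in the authenticator.go file linked above.
const secretHeader = "Authorization"

// vulnerableEqual is the pattern the advisory describes: Go's == on strings
// returns as soon as a differing byte is found, so response time grows with
// the number of leading bytes an attacker has guessed correctly.
func vulnerableEqual(expected, got string) bool {
	return expected == got
}

// constantTimeEqual is the proposed fix. ConstantTimeCompare returns 1 only
// when the slices are equal and always walks the full length; it does return
// 0 immediately on a length mismatch, so it still leaks the secret's length.
func constantTimeEqual(expected, got string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

// constantTimeEqualHashed closes the length leak as well: both inputs are
// hashed to a fixed 32 bytes before the constant-time comparison.
func constantTimeEqualHashed(expected, got string) bool {
	a := sha256.Sum256([]byte(expected))
	b := sha256.Sum256([]byte(got))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// requireSecret wraps a handler so that only requests carrying the expected
// secret reach it. Missing and wrong secrets both get 401 without distinction.
func requireSecret(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !constantTimeEqualHashed(expected, r.Header.Get(secretHeader)) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	const secret = "example-jobservice-secret" // assumed value
	// Both comparisons return the same booleans; only their timing differs.
	fmt.Println("exact match:", vulnerableEqual(secret, secret), constantTimeEqualHashed(secret, secret))
	fmt.Println("last byte off:", vulnerableEqual(secret, "example-jobservice-secreT"), constantTimeEqualHashed(secret, "example-jobservice-secreT"))
	fmt.Println("prefix only:", vulnerableEqual(secret, "example"), constantTimeEqualHashed(secret, "example"))
}
```

Hashing before comparing costs two SHA-256 calls per request, which is negligible next to the network round trip; the benefit is that the comparison's running time is identical for every guess regardless of length or content.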

GHSA-qppj-fm5r-hxr3: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack

swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.
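The mitigation described above, a per-connection reset counter over a sliding window, is shown below as an added Go example; it is not swift-nio-http2's Swift implementation, and the one-second window and 200-reset budget are assumed values. A legitimate client cancelling streams at a modest rate stays within budget indefinitely, while a burst of resets trips the limiter on the first reset past the budget.

```go
package main

import (
	"fmt"
	"time"
)

// Added example in Go, not swift-nio-http2's code. Window and budget are assumptions.
// ResetLimiter counts RST_STREAM frames on one connection over a sliding window
// and reports when the budget is exceeded so the caller can close the connection.
type ResetLimiter struct {
	window    time.Duration
	maxResets int
	events    []time.Time // reset timestamps still inside the window, oldest first
}

func NewResetLimiter(window time.Duration, maxResets int) *ResetLimiter {
	return &ResetLimiter{window: window, maxResets: maxResets}
}

// Record notes one stream reset observed at now and reports whether the
// connection is still within budget. A false result means the caller should
// send GOAWAY and close the connection. Timestamps must be non-decreasing.
func (l *ResetLimiter) Record(now time.Time) bool {
	cutoff := now.Add(-l.window)
	drop := 0
	for drop < len(l.events) && !l.events[drop].After(cutoff) {
		drop++ // this reset has aged out of the window
	}
	l.events = l.events[drop:]
	l.events = append(l.events, now)
	return len(l.events) <= l.maxResets
}

// firstViolation feeds n resets spaced gap apart into a fresh limiter and
// returns the 1-based index of the reset that tripped it, or 0 if none did.
func firstViolation(window time.Duration, maxResets, n int, gap time.Duration) int {
	l := NewResetLimiter(window, maxResets)
	start := time.Date(2023, 10, 10, 0, 0, 0, 0, time.UTC) // constructed timestamp
	for i := 0; i < n; i++ {
		if !l.Record(start.Add(time.Duration(i) * gap)) {
			return i + 1
		}
	}
	return 0
}

func main() {
	// A client cancelling ten streams per second never exceeds a budget of 200 per second.
	fmt.Println("normal client tripped at:", firstViolation(time.Second, 200, 1000, 100*time.Millisecond))
	// A rapid-reset flood sending everything at once trips on the 201st reset.
	fmt.Println("rapid reset tripped at:", firstViolation(time.Second, 200, 1000, 0))
}
```

The slice of timestamps is bounded by the budget as long as the caller actually closes the connection on a false result; a server that ignores the verdict would let the slice grow with the flood, so the close is part of the mitigation, not an optional follow-up.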

GHSA-5chr-wjw5-3gq4: matrix-synapse vulnerable to denial of service due to malicious server ACL events

### Impact
A malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected.

### Patches
Server administrators are advised to upgrade to Synapse 1.94.0 or later.

### Workarounds
Rooms with malicious server ACL events can be [purged and blocked](https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version) using the admin API.

### References
https://github.com/matrix-org/synapse/pull/16360

GHSA-xh5m-8qqp-c5x7: Remote Denial of Service Vulnerability in Microsoft.Native.Quic.MsQuic.Schannel

### Impact
The MsQuic server application or process will crash, resulting in a denial of service.

### Patches
The following patch was made:
- Don't Allow Version Negotiation Packets for Server Connections - https://github.com/microsoft/msquic/commit/3226cff07d22662f16fc98d605656860e64cd343

### Workarounds
Beyond upgrading to the patched versions, there is no other workaround. You must upgrade or disable MsQuic functionality.

GHSA-fwfg-vprh-97ph: OctoPrint vulnerable to Improper Neutralization of Special Elements Used in a Template Engine

### Impact
OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted [GCODE script](https://docs.octoprint.org/en/master/features/gcode_scripts.html) through the Settings that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system.

Please note that GCODE files uploaded to be printed are *not* affected! This vulnerability exclusively affects GCODE Scripts to be executed on connection to the printer, print pause, resume etc, as described [in the documentation](https://docs.octoprint.org/en/master/features/gcode_scripts.html), to be found under Settings > GCODE Scripts and configurable only by users with the `ADMIN` permission.

### Patches
The vulnerability has been patched in version 1.9.3.

### Workar...

GHSA-wgh7-54f2-x98r: HTTP/2 HPACK integer overflow and buffer allocation

An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded:

```java
291 public void checkSize(int length, boolean huffman) throws SessionException
292 {
293     // Apply a huffman fudge factor
294     if (huffman)
295         length = (length * 4) / 3;
296     if ((_size + length) > _maxSize)
297         throw new HpackException.SessionException("Header too large %d > %d", _size + length, _maxSize);
298 }
```

However, when `length` is very large and `huffman` is true, the multiplication by 4 in line 295 will overflow, and `length` will become negative. `(_size + length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on w...
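To make the wrap concrete, the Go example below is added here (it is not Jetty's code, which is Java). It uses `int32` so the arithmetic matches Java's 32-bit `int` exactly: for a `length` of 0x30000000 the `* 4` wraps to a negative number, the sum with `_size` goes negative, and the limit check passes. The hardened version rejects negative inputs up front and widens to 64 bits before applying the fudge factor. The 8192-byte `maxSize` is an assumed limit.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example in Go, not Jetty's MetaDataBuilder. int32 reproduces Java's
// 32-bit int arithmetic; maxSize is an assumed limit.
const maxSize int32 = 8192

var ErrHeaderTooLarge = errors.New("header too large")

// checkSizeVulnerable mirrors the original logic. For length above 2^31/4 the
// multiplication wraps to a negative value, size+length goes negative, and the
// limit check silently passes. It also accepts a negative length outright,
// which is the second problem the advisory notes.
func checkSizeVulnerable(size, length int32, huffman bool) error {
	if huffman {
		length = (length * 4) / 3 // wraps in int32 for large length
	}
	if size+length > maxSize {
		return ErrHeaderTooLarge
	}
	return nil
}

// checkSizeFixed rejects negative inputs first and widens to int64 before the
// fudge factor so the arithmetic cannot wrap.
func checkSizeFixed(size, length int32, huffman bool) error {
	if size < 0 || length < 0 {
		return ErrHeaderTooLarge
	}
	l := int64(length)
	if huffman {
		l = l * 4 / 3
	}
	if int64(size)+l > int64(maxSize) {
		return ErrHeaderTooLarge
	}
	return nil
}

func main() {
	const huge int32 = 0x30000000 // 805306368; *4 wraps to -1073741824 in int32
	fmt.Println("vulnerable, huffman:", checkSizeVulnerable(0, huge, true))     // <nil>: bypassed
	fmt.Println("vulnerable, no huffman:", checkSizeVulnerable(0, huge, false)) // header too large
	fmt.Println("fixed, huffman:", checkSizeFixed(0, huge, true))               // header too large
	fmt.Println("vulnerable, negative:", checkSizeVulnerable(0, -4096, false))  // <nil>: bypassed
	fmt.Println("fixed, negative:", checkSizeFixed(0, -4096, false))            // header too large
}
```

The same input that bypasses the vulnerable check with `huffman` set is correctly rejected without it, which is why the overflow only matters on the Huffman path; the negative-length case bypasses both paths and is the one that feeds the oversized allocation the advisory goes on to describe.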

GHSA-2jc6-3fhj-8q84: OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item

### Impact
The JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker would need to be able to edit a product in the admin area and then get a user to add this product to the Shopping List and click "add a note" for it.

One-Click 'Gnome' Exploit Is a Supply Chain Risk for Linux OSes

An overlooked library contains a vulnerability that could enable full remote takeover simply by clicking a link.

CVE-2023-31096: kernel driver bughunting: exploiting a stack-based buffer overflow

An issue was discovered in the Broadcom LSI PCI-SV92EX Soft Modem Kernel Driver through 2.2.100.1 (aka AGRSM64.sys). There is Local Privilege Escalation to SYSTEM via a Stack Overflow in RTLCopyMemory (IOCTL 0x1b2150). An attacker can exploit this to elevate privileges from a medium-integrity process to SYSTEM. This can also be used to bypass kernel-level protections such as AV or PPL, because exploit code runs with high-integrity privileges and can be used in coordinated BYOVD (bring your own vulnerable driver) ransomware campaigns.