Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-4f4r-wgv2-jjvg: Quarkus HTTP vulnerable to incorrect evaluation of permissions

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

ghsa
Open in Source
#csrf#vulnerability#dos#git#java#auth#maven
CVE-2023-5084: Multiple Self-XSS Vulnerabilites in hestiacp

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.

CVE-2023-5084: Fix XSS in edit server and add package · hestiacp/hestiacp@5131f5a

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.

Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys

Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core,

GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. "It was possible for an attacker to run pipelines as an arbitrary user via scheduled

GHSA-7g3v-4ggr-xvjf: Croc may expose secret to local users

An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

GHSA-8c8w-f7wp-2jr2: Sender can cause a receiver to overwrite files during ZIP extraction in Croc

An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction.

GHSA-364c-vvqx-446c: Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device

An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

GHSA-9pv7-vfvm-6vr7: graphql Uncontrolled Resource Consumption vulnerability

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.

GHSA-hp56-xvf4-g6wr: Cros secrets may be disclosed to untrusted relay

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.