
Tag: #js

Red Hat Security Advisory 2024-4500-03

Red Hat Security Advisory 2024-4500-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.

Packet Storm
Red Hat Security Advisory 2024-4326-03

Red Hat Security Advisory 2024-4326-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-2106-03

Red Hat Security Advisory 2024-2106-03 - An update is now available for Red Hat build of Quarkus.

GHSA-qc6v-5g5m-8cw2: ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http

### Summary

Applications using the `zitadel-go` `v3` library (`next` branch) might be impacted by package vulnerabilities. The output of `govulncheck` suggests that only `example` code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency `golang.org/x/net v0.19.0`, [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288).

### Patches

3.0.0-next versions are fixed on >= [3.0.0-next.3](https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3). ZITADEL recommends upgrading to the latest versions available in due course.

### Workarounds

If updating the zitadel-go library is not an option, updating the affected (transitive) dependencies works as a workaround.

### Details

#### Direct deps:

- [GO-2024-2631](https://pkg.go.dev/vuln/GO-2024-2631) Decompression bomb vulnerability in github.com/go-jose/go-jose - github.com/go-jose/go-jose/v3 Fixed in v3.0.3. This module is necessary because [github....

GHSA-5f5c-8rvc-j8wf: OpaMiddleware does not filter HTTP OPTIONS requests

### Summary

HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. The maintainer is uncertain whether this should be classed as a "bug" or a "security issue", but is erring on the side of "security issue", as an application could reasonably assume OPA controls apply to *all* HTTP methods, and the behaviour bypasses more sophisticated policies.

### Details

`OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating them against any policy: https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80

If an application provides different responses to HTTP `OPTIONS` requests based on whether an entity exists (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application (CWE-204).

### PoC

This toy application is based on the behaviour of an ...

GHSA-342q-2mc2-5gmp: @jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)

### Summary

The maintainer has been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or [::] is allowed. The maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather a design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally, unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package...

GHSA-vvmv-wrvp-9gjr: @jmondi/url-to-png contains a Path Traversal vulnerability

### Summary

While trying to add a `BLOCK_LIST` feature, the maintainer noticed that the `ImageId` was not sanitized in the code, which leads to a path traversal vulnerability. This is different from a traditional path traversal issue, because as of now you can store the image in any place arbitrarily, and given enough time they might be able to come up with a working exploit, but for the time being they are reporting this.

### Details

@jmondi/url-to-png does not sanitize the `ImageID`, as in it does not remove special characters from the params [(extract_query_params.ts#l75)](https://github.com/jasonraimondi/url-to-png/blob/e43098e0af3a380ebc044e7f303a83933b94b434/src/middlewares/extract_query_params.ts#L75):

```js
const imageId = dateString + "." + slugify(validData.url) + configToString(params);
```

This, when fed to other parts of the code such as ([filesystem.ts#L34](https://github.com/jasonraimondi/url-to-png/blob/8afc00247c1d7e6c7b37356a5f6282b486e596fa/src/lib/storage/filesystem.ts#L...

GHSA-875x-g8p7-5w27: The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

### Summary

The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.

### Details

When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the `allowedCredentials` property in the assertion options response. This allows enumeration of valid or invalid usernames.

#### Proposal how to resolve it:

```php
return $this->publicKeyCredentialRequestOptionsFactory->create(
    $this->profile,
    count($allowedCredentials) <= 0 ? self::getRandomCredentials() : $allowedCredentials,
    $optionsRequest->userVerification,
    $extensions
);

private static function getRandomCredentials(): array
{
    $credentialSources = [];
    for ($i = 0; $i <= rand(0, 1); $i++) {
        $credentialSources[] = new PublicKeyCredentialSource(
            random_bytes(32),
            "public-key",
            [],
            ...
```

Debian Security Advisory 5729-1

Debian Linux Security Advisory 5729-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in authentication bypass, execution of scripts in directories not directly reachable by any URL, server-side request forgery or denial of service.

Red Hat Security Advisory 2024-4522-03

Red Hat Security Advisory 2024-4522-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a denial of service vulnerability.