Security
Headlines
HeadlinesLatestCVEs

Tag

#js

RHSA-2022:5153: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31016: argocd: vulnerable to an uncontrolled memory consumption bug * CVE-2022-31034: argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. * CVE-2022-31035: argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI * CVE-2022-31036: argocd: vulnerable to a symlink followin...

Red Hat Security Data
Open in Source
#xss#vulnerability#web#linux#red_hat#nodejs#js#git#java#kubernetes#aws
CVE-2021-40898: SaveResults/scaffold-helper.js at main · yetingli/SaveResults

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in scaffold-helper v1.2.0 when copying crafted invalid files.

CVE-2021-40899: SaveResults/repo-git-downloader.js at main · yetingli/SaveResults

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in repo-git-downloader v0.1.1 when downloading crafted invalid git repositories.

RHSA-2022:5189: Red Hat Security Advisory: RHACS 3.70 security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1902: stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext

CVE-2021-40897: SaveResults/split-html-to-chars.js at main · yetingli/SaveResults

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in split-html-to-chars v1.0.5 when splitting crafted invalid htmls.

CVE-2021-40896: SaveResults/that-value.js at main · yetingli/SaveResults

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in that-value v0.1.3 when validating crafted invalid emails.

CVE-2021-40895: SaveResults/todo-regex.js at main · yetingli/SaveResults

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in todo-regex v0.1.1 when matching crafted invalid TODO statements.

CVE-2022-2212: CVE/POC.md at main · CyberThoth/CVE

A vulnerability was found in SourceCodester Library Management System 1.0. It has been classified as critical. Affected is an unknown function of the component /card/index.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2022-31016

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.

GHSA-3fvg-4v2m-98jf: JWS and JWT signature validation vulnerability with special characters

### Impact Jsrsasign supports JWS(JSON Web Signatures) and JWT(JSON Web Token) validation. However JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. For example, even if a string of non Base64URL encoding characters such as `!@$%` or `\11` is inserted into a valid JWS or JWT signature value string, it will still be a valid JWS or JWT signature by mistake. When jsrsasign's JWS or JWT validation is used in OpenID connect or OAuth2, this vulnerability will affect to authentication or authorization. By our internal assessment, CVSS 3.1 score will be 7.5. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N ### Patches Users validate JWS or JWT signatures should upgrade to 10.5.25. ### Workarounds Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method. ### ACKNOWLEDGEMENT Thanks to Adi Malyanker and Or David for this vulnerability report...