#vulnerability

Despite lagging in technology adoption, African and Middle Eastern organizations are catching up, driven by smartphone acceptance and national identity systems.

Torrance, United States / California, 22nd January 2025, CyberNewsWire

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

### Impact Authenticated users are able to exploit an XSS vulnerability when viewing previewed content. ### Patches Will be patched in 10.8.8, 13.5.3, 14.3.2 and 15.1.2. ### Workarounds None available.

### Impact Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists. ### Patches Will be patched in 14.3.2 and 15.1.2. ### Workarounds None available.

### Impact Lack of proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with `Header` class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service’s web application firewall interprets them as malicious and blocks further communication with the application. ### Patches Upgrade to v4.5.8 or later. ### Workarounds Validate HTTP header keys and/or values if using user-supplied values before passing them to `Header` class. ### Differences from CVE-2023-29197 1. **Affected Software**: * CVE-2023-29197 specifically addresses a vulnerability in the `guzzlehttp/psr7` library. * The reported issue in this Security Advisory is within the **CodeIgniter4** framework and does not depend on or use the `guzzlehttp/psr7` library. 2. **Root Cause and Implementation**: * The vulner...

### Summary `gix-worktree-state` specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. ### Details Git repositories track executable bits for regular files. In tree objects and the index, regular file modes are stored as 0644 if not executable, or 0755 if executable. But this is independent of how the permissions are set in the filesystem (where supported). [`gix_worktree_state::checkout`](https://github.com/GitoxideLabs/gitoxide/blob/8d84818240d44e1f5fe78a231b5d9bffd0283918/gix-worktree-state/src/checkout/function.rs#L8-L35) has two strategies for checking out a file and marking it executable on a Unix-like operating system, one of which is vulnerable: - If the file is created by assuming it does not already exist, correct permissions are applied, because per...

### Impact [Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met. ### Patches This is fixed in 5.28.5; 6.21.1; 7.2.3. ### Workarounds Do not issue multipart requests to attacker controlled servers. ### References * https://hackerone.com/reports/2913312 * https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

### Summary The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response. ### Details When generating the HTML from an xlsx file containing multiple sheets, a navigation menu is created. This menu includes the sheet names, which are not sanitized. As a result, an attacker can exploit this vulnerability to execute JavaScript code. ```php // Construct HTML $html = ''; // Only if there are more than 1 sheets if (count($sheets) > 1) { // Loop all sheets $sheetId = 0; $html .= '<ul class="navigation">' . PHP_EOL; foreach ($sheets as $sheet) { $html .= ' <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL; ++$sheetId; } $html .= '</ul>' . PHP_EOL; } ``` ...

### Summary Content in filesystem is accessible for reading using `sniff_csv`, even with `enable_external_access=false`. ### Details During a pentest, a security researcher was able to access environment variable data and other system data by using the `sniff_csv` function, even though we set `enable_external_access` to false. ### PoC ```SQL SET enable_external_access=false; SET lock_configuration=true; SELECT Columns FROM sniff_csv('/proc/self/environ'); ``` ### Impact Provides an attacker with access to filesystem even when access is expected to be disabled and other similar functions do NOT provide access. For example `select * from read_csv('/proc/self/environ')` fails with a permission error. There seems to be two vectors to this vulnerability: 1. Access to files that should otherwise not be allowed. (We expect `Permission Error: Scanning CSV files is disabled through configuration` and not to provide any access to the file or even acknowledge that it exists). 2. The c...