Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Security vulnerability reporting: Who can you trust?

Good cyber security practices depend on trustworthy information sources about security vulnerabilities. This article offers guidance around who to trust for this information.In 1999, MITRE Corporation, a US Government-funded research and development company, realized the world needed a uniform standard for reporting and tracking software security bugs. MITRE worked with the IT industry to invent a concept called CVE, for Common Vulnerabilities and Exposures. The CVE concept caught on, and today, the industry acknowledges CVE as the universal standard for security vulnerability reporting.Softw

Red Hat Blog
Open in Source
#vulnerability#mac#google#linux#red_hat#git#auth
GHSA-9v2f-6vcg-3hgv: Gradio was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input.

GHSA-jfgp-674x-6q4p: Weblate vulnerable to improper sanitization of project backups

### Impact Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. ### Patches This issue has been addressed in Weblate 5.6.2 via https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd. ### Workarounds Do not allow project creation to untrusted users. ### References Thanks to Bryan Cahill for bringing this issue to our attention. ### For more information If you have any questions or comments about this advisory: * Open a topic in [discussions](https://github.com/WeblateOrg/weblate/discussions) * Email us at [[email protected]](mailto:[email protected])

GHSA-3669-72x9-r9p3: Potential memory exhaustion attack due to sparse slice deserialization

### Details Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice. In the local environment environment for my project, I was able to call an endpoint like `/innocent_endpoint?arr.10000000.X=1` and freeze my system from the memory allocation while parsing `r.Form`. I think [this line](https://github.com/gorilla/schema/blob/main/decoder.go#L223) is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess. ### Proof of Concept The following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions. ```go package main import ( "fmt" "github.com/gorilla/schema" ) func main() { dec :=...

GHSA-98j2-3j3p-fw2v: Session Middleware Token Injection Vulnerability

A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key. ## Impact The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. ## Patches The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. ## Workarounds Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: 1. **Validate Session IDs**: Implement add...

GHSA-6jj6-gm7p-fcvv: Remote Code Execution (RCE) vulnerability in geoserver

### Summary Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. ### Details The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. ### PoC No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. ### Impact This vulnerability can lead to exec...

GHSA-jhqx-5v5g-mpf3: Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

### Impact If GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions. If GeoServer is also deployed as a web archive using the data directory embedded in the geoserver.war file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a bina...

GHSA-c2hr-cqg6-8j6r: ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

### Impact This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. ### Patches The algorithm to detect SQL injection has been improved. ### Workarounds None. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r - https://github.com/parse-community/parse-server/pull/9167 (fix for Parse Server 7) - https://github.com/parse-community/parse-server/pull/9168 (fix for Parse Server 6) ### Credits - Smile Thanapattheerakul of Trend Micro (finder) - Manuel Trezza (coordinator)

Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks

A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks. The vulnerabilities allow "any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and

GHSA-876p-c77m-x2hc: ag-grid-community were discovered to contain a prototype pollution via the _.mergeDeep function

ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.