vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.
vm2 version: ~3.9.14
Node version: 18.15.0, 19.8.1, 17.9.1
Impact
A threat actor can bypass the sandbox protections to gain remote code ex…
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.
This has been fixed in v.3.5.8 and was also backported to 3.4 and 3.5.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-2…
sjqzhang go-fastdfs up to 1.4.3 is vulnerable to path traversal in the function upload of the file /group1/upload of the component File Upload Handler. The attack may be launched remotely and the exploit has been disclosed to the public and may be used…
Description
snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists() function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unser…
Impact
LiteDB use a special field in JSON documents to cast diferent types from BsonDocument do POCO classes. When instance of an object are not the same of class, BsonMapper use a special field _type string info with full class name with assembly to b…
SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.0.2 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-22452
htt…
Impact
MITM can enable Zip-Slip.
Vulnerability
Vulnerability 1: Scanner.java
There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.
https://github.com/hapifhir…
Impact
MITM can enable Zip-Slip.
Vulnerability
Vulnerability 1: Publisher.java
There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.
https://github.com/HL7/fh…
Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Ap…
An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request to electerms service.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-23256
https://github.com/electerm/electerm/issues/1686
https://git…
