Apache ShardingSphere-Proxy prior to 5.3.0, when using MySQL as the database backend, didn’t clean up the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL clie…
[jsonwebtoken] jsonwebtoken has insecure input validation in jwt.verify function
Overview
For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote c…
[dustjs-linkedin] dustjs-linkedin vulnerable to Prototype Pollution
A vulnerability was found in LinkedIn dustjs prior to version 3.0.0 and classified as problematic. Some unknown functionality is affected by this issue. The manipulation leads to improperly controlled modification of object prototype attributes (‘proto…
[org.apache.karaf:apache-karaf] Apache Karaf vulnerable to potential code injection
This vulnerability concerns a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource uses Init…
[github.com/kyverno/kyverno] Bypass of verifyImages rule possible with malicious proxy/registry
Impact
Users of Kyverno on versions 1.8.3 or 1.8.4 who use verifyImages rules to verify container image signatures, and do not prevent use of unknown registries.
Patches
This issue has been fixed in version 1.8.5.
Workarounds
Configure a Kyverno policy …
[lite-dev-server] lite-dev-server vulnerable to Directory Traversal
All versions of package lite-dev-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxing of the req.url user input that is passed to the server code.
References
https://nvd.nist.gov/vuln/detail/CVE-2…
[abacus-ext-cmdline] abacus-ext-cmdline vulnerable to Command Injection
All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-24431
https://security.snyk.io/vuln/SNYK-JS-ABACUSEXT…
[github.com/openfga/openfga] OpenFGA Authorization Bypass
Overview
During our internal security assessment, it was discovered that OpenFGA version v0.3.0 is vulnerable to authorization bypass under certain conditions.
Am I Affected?
You are affected by this vulnerability if all of the following apply:
You…
[p4] p4 vulnerable to Command Injection due to improper input sanitization
The package p4 before 0.0.7 is vulnerable to Command Injection via the run() function due to improper input sanitization.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25171
https://github.com/natelong/p4/commit/ae42e251beabf67c00539ec0e1d7aa149…
[lite-server] lite-server vulnerable to Denial of Service
All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.
References
https://nvd.nist.gov/vuln/detail/CVE-2022…