Pillow starting with 9.2.0 and prior to 9.3.0 allows denial of service via SAMPLESPERPIXEL. A large value in the SAMPLESPERPIXEL tag could lead to a memory and runtime DoS in TiffImagePlugin.py when setting up the context for image decoding. This issue…
[pillow] Pillow vulnerable to Data Amplification attack.
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-45198
https://github.com/python-pillow/Pillow/pull/6402
https://bugs.gentoo.org/855683
https://cwe….
[wasmtime] Wasmtime may have data leakage between instances in the pooling allocator
Impact
There is a bug in Wasmtime's implementation of its pooling instance allocator: when a linear memory is reused for another instance, the initial heap snapshot of the prior instance can erroneously be visible to the next instance. The poolin…
[ckb] ckb type_id script resume may randomly fail
Impact
https://github.com/nervosnetwork/ckb/blob/v0.101.2/script/src/verify.rs#L871-L879
TypeIdSystemScript resume handling is not correct when max_cycles is not enough: ScriptError::ExceededMaximumCycles will be raised directly rather than suspend as e…
[openssl-src] X.509 Email Address Variable Length Buffer Overflow
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for a…
[org.apache.tomcat:tomcat] Apache Tomcat may reject request containing invalid Content-Length header
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request conta…
[conduit-hyper] conduit-hyper vulnerable to Denial of Service from unchecked request length
Prior to version 0.4.2, conduit-hyper did not check any limit on a request’s length before calling hyper::body::to_bytes. An attacker could send a malicious request with an abnormally large Content-Length, which could lead to a panic if memory allocati…
[ansible] amazon.aws.ec2_instance leaks passwords into logs when tower_callback.windows is set
A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, l…
[org.jenkins-ci.plugins:pipeline-input-step] CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin
Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the input step. This ID is used for the URLs that process user interactions for the given input step (proceed or abort) and is not …
[io.jenkins.plugins:pipeline-groovy-lib] Sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries Plugin) define the library Pipeline step, which allows Pipeline authors to dynamically load Pipeline li…