HIGH

[omniauth-facebook] omniauth-facebook Improper Authentication vulnerability

Posted inHIGH
Posted byWpmaster
05/05/202201/27/2023

RubyGem omniauth-facebook has an access token security vulnerability.
References

https://nvd.nist.gov/vuln/detail/CVE-2013-4593
https://exchange.xforce.ibmcloud.com/vulnerabilities/89040
https://security-tracker.debian.org/tracker/CVE-2013-4593
http:/…

[k8s.io/kubernetes] Improper Authentication in Kubernetes

Posted inHIGH
Posted byWpmaster
02/15/202201/07/2023

A security issue was discovered in the Kubelet and kube-proxy components of Kubernetes which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node’s network namespace. For example, if a cluster admini…

[cgi] Cookie prefix spoofing in CGI

Posted inHIGH
Posted byWpmaster
01/22/202201/06/2023

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem prior to versions 0.3.1, 0.2.1, 0.1.1, and 0.1.0.1 for Ruby.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-41819
https://hackero…

[pillow] Uncontrolled Resource Consumption in pillow

Posted inHIGH
Posted byWpmaster
09/08/202111/23/2022

The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-23437
https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd…

[v9] Data races in v9

Posted inHIGH
Posted byWpmaster
08/26/202101/24/2023

Affected versions of this crate unconditionally implement Sync for SyncRef<T>.
This definition allows data races if &T is accessible through &SyncRef.
SyncRef<T> derives Clone and Debug, and the default implementations of those trai…

[slock] Slock allows sending non-Send types across thread boundaries

Posted inHIGH
Posted byWpmaster
08/26/202111/29/2022

Slock<T> unconditionally implements Send/Sync.
Affected versions of this crate allows sending non-Send types to other threads,
which can lead to data races and memory corruption due to the data race.
References

https://github.com/BrokenLamp/sloc…

[slock] Data races in slock

Posted inHIGH
Posted byWpmaster
08/26/202102/02/2023

An issue was discovered in the slock crate through 2020-11-17 for Rust. Slock unconditionally implements Send and Sync.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-36455
https://github.com/BrokenLamp/slock-rs/issues/2
https://raw.githubuserco…

[v9] Data race in v9

Posted inHIGH
Posted byWpmaster
08/26/202101/18/2023

v9 is a slim data engine for Data Oriented Design. An issue was discovered in the v9 crate through 2020-12-18 for Rust. There is an unconditional implementation of Sync for SyncRef.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-36447
https://gi…

[addressable] Regular Expression Denial of Service in Addressable templates

Posted inHIGH
Posted byWpmaster
07/13/202110/06/2022

Impact
Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be rea…

[Pillow] Out of bounds read in Pillow

Posted inHIGH
Posted byWpmaster
03/30/202112/02/2022

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-25291
https://github.com/python-pillow/Pillow/commit/…

TechMedia

Featured

[Microsoft.NetCore.App.Runtime.win-arm] .NET Remote Code Execution Vulnerability

[github.com/traefik/traefik/v2] Traefik HTTP header parsing could cause a denial of service

[github.com/answerdev/answer] Answer vulnerable to Exposure of Sensitive Information Through Metadata

[github.com/answerdev/answer] Answer vulnerable to Insertion of Sensitive Information Into Sent Data