A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 i…
[Microsoft.NetCore.App.Runtime.linux-musl-arm] .NET Denial of Service Vulnerability
Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what deve…
[flarum/mentions] Flarum post mentions can be used to read any post on the forum without access control
Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special @"<username>"#p<id> syntax.
The following behavior never changes no matter if the actor should be able to read…
[convict] convict vulnerable to Prototype Pollution
Impact
An attacker can inject attributes that are used in other components
An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.
The main use case of Convict is for handling server-side configu…
[bzip2] bzip2 allows attackers to cause a denial of service via a large file that triggers an integer overflow
The bzip2 crate before 0.4.4 for Rust allows attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
References
https://nvd.nist.gov/…
[github.com/KubeOperator/KubeOperator] KubeOperator allows unauthorized access to system API
Summary
API endpoints reachable without authentication leak sensitive information:
/api/v1/clusters/kubeconfig/
Details
The v1 routes are registered without any access restriction.
downloadKubeconfig is called directly with the cluster name supplied in the request.
pkg/router/v1/white.go
no…
[github.com/KubeOperator/kubepi] KubePi session fixation attack allows an attacker to hijack a legitimate user session.
Summary
A session fixation attack allows an attacker to hijack a legitimate user session. The attack exploits a flaw in how the web application handles the session ID: the application accepts a session identifier that was set before authentication and keeps using it after the user logs in, so an attacker who planted that identifier ends up holding an authenticated session.
Affected Version
<= v1.6.3
For…
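The pattern described above, as an added example in Go that is not KubePi's code: a login handler that keeps the session ID the client arrived with, beside one that issues a fresh ID at the moment of authentication. The cookie name, the credential check, the in-memory session store and the attacker-chosen ID "attacker-chosen" are assumptions for the demonstration.

```go
package main

// Added example (not KubePi code). Assumptions: SESSION cookie name,
// placeholder credential check, in-memory store keyed by session ID.

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Store maps session ID -> authenticated user ("" if not logged in).
type Store struct{ sessions map[string]string }

func NewStore() *Store { return &Store{sessions: map[string]string{}} }

// newID returns 128 bits from crypto/rand; an ID must never be derived
// from anything the client supplied.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// checkPassword is a placeholder credential check (assumption).
func checkPassword(user, pass string) bool { return user == "admin" && pass == "s3cret" }

func setSessionCookie(w http.ResponseWriter, id string) {
	http.SetCookie(w, &http.Cookie{Name: "SESSION", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
}

// VulnerableLogin binds the user to whatever SESSION cookie was presented.
// If the attacker planted that cookie value beforehand, the attacker now
// holds an authenticated session ID without ever seeing the password.
func (s *Store) VulnerableLogin(w http.ResponseWriter, r *http.Request) {
	id := ""
	if c, err := r.Cookie("SESSION"); err == nil {
		id = c.Value
	}
	if id == "" {
		id = newID()
		setSessionCookie(w, id)
	}
	if !checkPassword(r.FormValue("user"), r.FormValue("pass")) {
		http.Error(w, "bad credentials", http.StatusUnauthorized)
		return
	}
	s.sessions[id] = r.FormValue("user") // pre-login ID becomes authenticated
}

// HardenedLogin invalidates the pre-authentication session and issues a new
// ID only after the credentials are verified, so a fixed ID never becomes
// an authenticated one.
func (s *Store) HardenedLogin(w http.ResponseWriter, r *http.Request) {
	if !checkPassword(r.FormValue("user"), r.FormValue("pass")) {
		http.Error(w, "bad credentials", http.StatusUnauthorized)
		return
	}
	if c, err := r.Cookie("SESSION"); err == nil {
		delete(s.sessions, c.Value) // drop whatever the client arrived with
	}
	id := newID()
	s.sessions[id] = r.FormValue("user")
	setSessionCookie(w, id)
}

// UserFor returns the user bound to a session ID, or "" if none.
func (s *Store) UserFor(id string) string { return s.sessions[id] }

// Login posts valid credentials while presenting fixedID as the SESSION
// cookie (the attacker's planted value). It returns the status code and the
// SESSION value the server set in its response ("" if it set none).
func Login(handler http.HandlerFunc, fixedID string) (int, string) {
	body := strings.NewReader("user=admin&pass=s3cret")
	req := httptest.NewRequest(http.MethodPost, "/login", body)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "SESSION", Value: fixedID})
	rec := httptest.NewRecorder()
	handler(rec, req)
	issued := ""
	for _, c := range rec.Result().Cookies() {
		if c.Name == "SESSION" {
			issued = c.Value
		}
	}
	return rec.Code, issued
}

func main() {
	v := NewStore()
	Login(v.VulnerableLogin, "attacker-chosen")
	fmt.Printf("vulnerable: user bound to attacker-chosen = %q\n", v.UserFor("attacker-chosen"))
	h := NewStore()
	_, issued := Login(h.HardenedLogin, "attacker-chosen")
	fmt.Printf("hardened:   user bound to attacker-chosen = %q, fresh ID issued = %v\n",
		h.UserFor("attacker-chosen"), issued != "" && issued != "attacker-chosen")
}
```

The check a practitioner runs against a real deployment is the one `Login` performs: present a chosen cookie value to the login endpoint with valid credentials, then see whether that same value is accepted on an authenticated route afterwards. A server that rotates the ID at login also needs to invalidate the old one server-side, as `HardenedLogin` does, otherwise the planted ID stays usable for anything that was bound to it before login.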
[github.com/KubeOperator/kubepi] KubePi may allow unauthorized access to system API
Summary
API endpoints reachable without authentication leak sensitive information:
/kubepi/api/v1/systems/operation/logs/search
/kubepi/api/v1/systems/login/logs/search
This vulnerability also exists in https://github.com/KubeOperator/KubeOperator
Details…
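The routing mistake behind this advisory and the KubeOperator one above, as an added example in Go that is not KubeOperator's or KubePi's code: the same anonymous request against v1 routes mounted with no middleware, against an exact-path allowlist, and against an over-broad prefix allowlist. The endpoint paths are the ones named in the advisories; the SESSION cookie, the session store, the allowlist entries and the handler bodies are assumptions.

```go
package main

// Added example (not KubeOperator/KubePi code). Assumptions: SESSION cookie,
// stand-in session store, public allowlist entries, handler bodies.

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Stand-in session store: only this cookie value is a logged-in session.
var validSessions = map[string]bool{"valid-session": true}

func isAuthenticated(r *http.Request) bool {
	c, err := r.Cookie("SESSION")
	return err == nil && validSessions[c.Value]
}

// Exact-match allowlist of endpoints that may be called anonymously.
var publicRoutes = map[string]bool{
	"/api/v1/auth/login": true,
	"/api/v1/health":     true,
}

// requireAuth rejects any request that is neither on the allowlist nor
// carries a valid session. The match is on the full path, never a prefix.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if publicRoutes[r.URL.Path] || isAuthenticated(r) {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// prefixAllowlist shows the mistake of exempting a whole subtree: an entry
// such as "/api/v1/" exempts every v1 route, the sensitive ones included.
func prefixAllowlist(next http.Handler, prefixes []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, p := range prefixes {
			if strings.HasPrefix(r.URL.Path, p) {
				next.ServeHTTP(w, r)
				return
			}
		}
		if isAuthenticated(r) {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// newAPI registers the sensitive routes named in the advisories plus two
// routes that are legitimately public.
func newAPI() *http.ServeMux {
	mux := http.NewServeMux()
	sensitive := []string{
		"/api/v1/clusters/kubeconfig/", // trailing slash: matches /<cluster name>
		"/kubepi/api/v1/systems/operation/logs/search",
		"/kubepi/api/v1/systems/login/logs/search",
	}
	for _, p := range sensitive {
		p := p
		mux.HandleFunc(p, func(w http.ResponseWriter, r *http.Request) {
			// A real handler would return a kubeconfig or audit records.
			fmt.Fprintf(w, "sensitive data from %s %s", p, strings.TrimPrefix(r.URL.Path, p))
		})
	}
	mux.HandleFunc("/api/v1/health", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	mux.HandleFunc("/api/v1/auth/login", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "login") })
	return mux
}

// Unrestricted mounts the routes with no middleware, as in the advisories.
func Unrestricted() http.Handler { return newAPI() }

// Hardened wraps every route in the exact-match allowlist middleware.
func Hardened() http.Handler { return requireAuth(newAPI()) }

// OverbroadAllowlist exempts the API roots themselves, which is
// equivalent to having no authentication at all.
func OverbroadAllowlist() http.Handler {
	return prefixAllowlist(newAPI(), []string{"/api/v1/", "/kubepi/api/v1/"})
}

// Status issues a GET and returns the HTTP status; cookie "" is anonymous.
func Status(h http.Handler, path, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "SESSION", Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const target = "/api/v1/clusters/kubeconfig/prod"
	for _, c := range []struct {
		name string
		h    http.Handler
	}{{"unrestricted", Unrestricted()}, {"hardened", Hardened()}, {"overbroad", OverbroadAllowlist()}} {
		fmt.Printf("%-12s anonymous GET %s -> %d\n", c.name, target, Status(c.h, target, ""))
	}
}
```

The useful check is `Status` run against every registered route with an empty cookie: anything that answers 200 instead of 401 is reachable without a session, which is exactly how the kubeconfig and log-search endpoints above were found. Keeping the allowlist keyed by exact path (`publicRoutes`) rather than by prefix means a new sensitive route is protected by default.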
[pocketmine/pocketmine-mp] PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash
Impact
DyeColorIdMap->fromId() did not check that the ID it was given was valid, so any invalid dye colour ID caused an undefined offset error.
This code is indirectly called during Banner->deserializeCompou…
[github.com/weaveworks/weave-gitops] Gitops Run insecure communication
Impact
GitOps Run uses a local S3 bucket to synchronise files that are later applied to a Kubernetes cluster. The communication between GitOps Run and this local S3 bucket is not encrypted.
This allows privileged users or process t…