Impact
A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster’s resources.
GitOps run has a local S3 bucket which it uses for synchronising files that are later applied against a Kubernetes cluster. Its endpoint…
[luxon] Luxon Inefficient Regular Expression Complexity vulnerability
Impact
Luxon’s `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re…
[debug] debug Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to v…
[wifey] wifey vulnerable to Command Injection due to improper input sanitization
All versions of the package wifey are vulnerable to Command Injection via the connect() function due to improper input sanitization.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25890
https://security.snyk.io/vuln/SNYK-JS-WIFEY-3175615
https:/…
[terminal-kit] terminal-kit Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation leads to inefficient regular expression complexity. Upgrading to version 2.1.8 can address this issue. The n…
[org.http4s:http4s-core] Http4s improperly parses User-Agent and Server headers
Impact
The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers.
v0.21.x
val unsafe: Option…
[exec-local-bin] exec-local-bin vulnerable to Command Injection
Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25923
https://github.com/saeedseyf…
[@mattkrick/sanitize-svg] @mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
Impact
The sanitize-svg package uses a deny-list pattern to sanitize SVGs to prevent cross-site scripting (XSS). In doing so, literal `<script>` tags and on-event handlers were detected:
[…]
const svgEl = div.firstElementChild!
const attribut…
[pghero] PgHero Allows Information Disclosure Through EXPLAIN Feature
PgHero before 3.1.0 allows Information Disclosure via EXPLAIN because query results may be present in an error message. (Depending on database user privileges, this may only be information from the database, or may be information from file contents on …
[@uniswap/universal-router] Uniswap Universal Router Incorrect Authorization vulnerability
Uniswap Universal Router before 1.1.0 mishandles reentrancy. This would have allowed theft of funds.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-48216
https://github.com/Uniswap/universal-router/pull/189
https://github.com/Uniswap/universal-r…