Impact
It is possible to craft an environment variable with newlines to add entries to a container’s /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry.
Note: because the pod author is in control of t…
[github.com/openshift/osin] OpenShift OSIN vulnerable to Observable Timing Discrepancy
A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the functions ClientSecretMatches/CheckClientSecret. Manipulation of the argument secret leads to an observable timing discrepancy. The name of the patch i…
[github.com/usememos/memos] usememos/memos has Insufficient Granularity of Access Control
An Insufficient Granularity of Access Control in usememos/memos prior to 0.9.0 can allow an attacker to delete a memo from the archives.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4813
https://github.com/usememos/memos/commit/3556ae4e651d944…
[github.com/usememos/memos] usememos/memos Improper Access Control vulnerability
An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others’ public and private memos.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4806
https://github.com/usememos/memos/commit/3556ae4e651d9…
[github.com/usememos/memos] usememos/memos Improper Access Control vulnerability
In usememos/memos 0.9.0 and prior, users can edit and delete all other users’ shortcuts.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4807
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
https://huntr.dev/boun…
[github.com/usememos/memos] usememos/memos Improper Access Control vulnerability
In usememos/memos 0.9.0 and prior, a user can view any content from private memos from other users via the API.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4810
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53…
[github.com/usememos/memos] usememos/memos Incorrect Use of Privileged APIs vulnerability
In usememos/memos 0.9.0 and prior, a user can archive any private memos, delete any shortcut, and edit any shortcut from other users via API.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4805
https://github.com/usememos/memos/commit/3556ae4e65…
[github.com/usememos/memos] usememos/memos Improper Authorization vulnerability
In usememos/memos 0.9.0 and prior, an unauthorized user can access any private memo by manipulating the memo URL on the editing screen.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4811
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a…
[github.com/usememos/memos] usememos/memos vulnerable to Comparison of Object References Instead of Object Contents
A Comparison of Object References Instead of Object Contents vulnerability exists in the GitHub repository usememos/memos 0.9.0 and prior.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4812
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53…
[github.com/usememos/memos] usememos/memos Improper Access Control vulnerability
An Improper Access Control vulnerability exists in the GitHub repository usememos/memos 0.9.0 and prior.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4814
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
https://huntr.dev/bounties/e65b345…