Versions of require-node prior to 1.3.4 for 1.x and 2.0.4 for 2.x are vulnerable to Arbitrary Code Execution. The package fails to sanitize requests to the require-node endpoint, allowing attackers to execute arbitrary code in the server through the in…
[flood] Server secret was included in static assets and served to clients
Impact
Server JWT signing secret was included in static assets and served to clients.
This allows Flood’s built-in authentication to be bypassed. Given Flood is granted access to rTorrent’s SCGI interface (which is unprotected and allows arbitrary code …
[com.google.guava:guava] Denial of Service in Google Guava
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray c…
[mongoose] Improper Input Validation in Automattic Mongoose
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: th…
[netaddr] netaddr before 1.5.3 and 2.0.4 has Incorrect Default Permissions
The netaddr gem before 1.5.3 and 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-17383
https://github.com/dspinhir…
[org.apache.tapestry:tapestry-core] Timing attack on HMAC signature comparison in Apache Tapestry
The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the corr…
[com.diffplug.spotless:spotless-maven-plugin] Improper Restriction of XML External Entity Reference in DiffPlug Spotless
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn’t respect the resolveExternalEntities setting. For example, this allows di…
[org.springframework.security:spring-security-cas] Insufficiently Protected Credentials and Improper Authentication in Spring Security
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user h…