All versions of fs-path are vulnerable to command injection if unsanitized user input is passed in.
Recommendation
No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available…
[org.springframework.data:spring-data-jpa] Improper Neutralization of Wildcards or Matching Symbols
This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results…
[omniauth] Cross-site Request Forgery in OmniAuth
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the use…
[org.apache.camel:camel-xmljson] XML External Entity injection in Apache Camel
Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
References
https://nvd.nist.go…
[org.exist-db:exist-core] exist-db:exist-core XML External Entity (XXE) vulnerability
exist version <= 5.0.0-RC4 contains an XML External Entity (XXE) vulnerability in the XML parser for the REST server that can result in disclosure of confidential data, denial of service, SSRF, and port scanning.
References
https://nvd.nist.gov/vuln/detail/CVE-…
[org.springframework.security:spring-security-oauth2-jose] Spring Security vulnerable to Authorization Bypass
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that ca…
[flatmap-stream] Critical severity vulnerability that affects event-stream and flatmap-stream
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4,…
[org.eclipse.jetty:jetty-server] Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)
Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), are vulnerable to HTTP Request Smuggling when presented with two Content-Length headers, allowing authorization bypass. Wh…
[org.apache.struts:struts2-core] Apache Struts vulnerable to remote command execution (RCE) due to improper input validation
Apache Struts contains a remote code execution vulnerability when using results with no namespace and its upper actions have no or wildcard namespace. The same flaw exists when using a url tag with no value, action set, and its upper actions have no or wildcard n…