The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
The particular code…
[github.com/go-gitea/gitea] Gitea vulnerable to Argument Injection
Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-42968
https://github.com/go-gitea/gitea/pull/21463
https://github.com/go-gitea/git…
[rdiffweb] Missing rate limit on rdiffweb
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3439
https://github.com/ikus060/rdiffweb/commit/b78ec09f4582e363f6f449df6f987127e126c311
h…
[golang.org/x/text/language] Denial of service in golang.org/x/text/language
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language hea…
[loader-utils] loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted…
[rdiffweb] Origin Validation Error in rdiffweb
ikus060/rdiffweb prior to 2.5.0a5 did not enforce origin validation in web traffic. Users are advised to upgrade to version 2.5.0a5.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3457
https://github.com/ikus060/rdiffweb/commit/afc1bdfab5161c740…
[rdiffweb] Missing rate limit on rdiffweb
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3456
https://github.com/ikus060/rdiffweb/commit/b78ec09f4582e363f6f449df6f987127e126c311
ht…
[github.com/hyperledger/fabric] Remote denial of service in Hyperledger Fabric Gateway
Impact
If a gateway client application sends a malformed request to a gateway peer it may crash the peer node.
This fix checks for the malformed gateway request and returns an error to the gateway client.
Patches
Fixed in v2.4.6.
Workarounds
None, user…
[october/system] October CMS Safe Mode bypass leads to authenticated Remote Code Execution
Impact
This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the “Editor” section, …
[org.apache.commons:commons-text] Arbitrary code execution in Apache Commons Text
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup…