In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn’t prevent an already authenticated user from being able to continue using the UI or API.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-41672
https://github.com/apache/airflow…
NocoDB prior to 0.92.0 allows actors to insert large characters into the input field New Project on the create field, which can cause a Denial of Service (DoS) via a crafted HTTP request. Version 0.92.0 fixes this issue.
References
https://nvd.nist.go…
Impact
Inefficient regular expression complexity of lowercase() and uppercase() regex could lead to a denial of service attack. With a formed payload ‘a’ + ‘a’.repeat(i) + ‘A’, only 32 characters payload could take 29443 ms time execution when testing …
Impact
Twisted Web is vulnerable to request smuggling attacks:
“When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero this caused Twisted Web to interpret the request body …
This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such …
Impact
Blst versions v0.3.0 to v0.3.2 can produce the incorrect outputs for some inputs to the blst_fp_eucl_inverse function. This could theoretically result in the creation of an invalid signature from correct inputs. However, fuzzing of higher level …
Description
Tendermint Core v0.34.0 introduced a new way of handling evidence of misbehavior. As part of this, we added a new Timestamp field to Evidence structs. This timestamp would be calculated using the same algorithm that is used when a block is …
Impact
The general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories:
if (!fs->Match(child_path, dirs[dir_index])) { … }
Since dir_index is unconditional…
xmlquery before 1.3.1 lacks a check for whether a LoadURL response is in the XML format, which allows attackers to cause a denial of service (SIGSEGV) at xmlquery.(*Node).InnerText or possibly have unspecified other impact.
References
https://nvd.nist…
This affects all versions of package github.com/russellhaering/goxmldsig prior to 1.1.1. There is a crash on nil-pointer dereference caused by sending malformed XML signatures. This issue is patched in version 1.1.1.
References
https://nvd.nist.gov/vu…
