Summary
The rubygem sqlite3 v1.5.1 upgrades the packaged version of libsqlite from v3.39.3 to v3.39.4.
libsqlite v3.39.4 addresses a vulnerability described as follows in the release notification:
Version 3.39.4 is a minimal patch against the prior re…
Impact
Dex instances with public clients (and by extension, clients accepting tokens issued by those Dex instances) are affected by this vulnerability.
An attacker can exploit this vulnerability by making a victim navigate to a malicious website and gu…
In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4.1 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is …
In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only wi…
Impact
The sflow decode package prior to version 3.4.4 is vulnerable to a denial of service attack. Attackers can craft malformed packets causing the process to consume huge amounts of memory resulting in a denial of service.
Patches
Version 3.4.4 cont…
DNN (GitHub repository dnnsoftware/dnn.platform) prior to 9.11.0 is vulnerable to Relative Path Traversal. Version 9.11.0 contains a patch for this issue.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2922
https://github.com/dnnsoftware/dnn.pla…
The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse f…
The package react-native-reanimated before 3.0.0-rc.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of regular expression in the parser of Colors.js.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-24373
http…
rdiffweb prior to 2.5.0a3 is vulnerable to Allocation of Resources Without Limits or Throttling. A lack of limit in the length of the Token name parameter can result in denial of service or memory corruption. Version 2.5.0a3 fixes this issue.
Reference…
A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file. A patch is available at commit number 24935f654f6df7…
