The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular Expression Denial of Service (ReDoS). This issue has been patched in version 3.1.0. There are no known workarounds.
Refere…
[github.com/bytebase/bytebase] Bytebase does not restrict low-privilege users from accessing admin issues
The Bytebase application does not restrict low-privilege users from accessing admin issues: an unauthorized user can view the OPEN and CLOSED issues created by an Admin. The affected endpoint is /issue.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-…
[https://pkg.go.dev/github.com/cloudwego/hertz] Hertz contains path traversal via normalizePath function
Hertz is a high-performance and strong-extensibility Go HTTP framework that helps developers build microservices. Versions of Hertz prior to 0.3.1 contain a path traversal vulnerability via the normalizePath function. This issue has been patched in 0…
[github.com/labstack/echo/v4] Labstack Echo Open Redirect vulnerability
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). Version 4.9.0 contains a patch for the issue…
[org.apache.tomcat:tomcat] Apache Tomcat Race Condition vulnerability
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0…
[com.xuxueli:xxl-job-core] XXL-JOB contains a Command execution vulnerability in background tasks
XXL-JOB versions 2.2.0 and prior contain a Command execution vulnerability in background tasks.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-40929
https://github.com/xuxueli/xxl-job/issues/2979
https://github.com/advisories/GHSA-m54f-rp6r-rrrm
[rdiffweb] rdiffweb vulnerable to Use of Cache Containing Sensitive Information
rdiffweb prior to version 2.4.9 is vulnerable to Use of Cache Containing Sensitive Information. Due to improper cache control, an attacker can view sensitive information even if they are not logged into an account. Version 2.4.9 contains a patch for th…
[vm2] vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Patches
This vulnerability was patched in the release of version 3.9.11 of vm2.
Workarounds
None.
References
Github Issue – h…
[strapi] Strapi mishandles hidden attributes within admin API responses
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-31367
https://github.com/kos0ng/CVEs/tree/main/CVE-2022-31367
https://github.com/strapi/strapi/rel…
[github.com/brokercap/Bifrost] Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication
Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who…