OwningRef::map_with_owner is unsound and may result in a use-after-free.
OwningRef::map is unsound and may result in a use-after-free.
OwningRefMut::as_owner and OwningRefMut::as_owner_mut are unsound and may result in a use-after-free.
The crate viol…
[apache-avro] Apache Avro Rust SDK’s Reader could consume memory beyond allowed constraints
It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should updat…
[apache-avro] Apache Avro Rust SDK corrupted data read can cause crash
It is possible to crash (panic) an application by providing corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 wh…
[apache-avro] Apache Avro Rust SDK vulnerable to reader looping in cycle endlessly, consuming CPU
It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avr…
[org.postgresql:postgresql] PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names
Impact
The PGJDBC implementation of the java.sql.ResultRow.refreshRow() method does not escape column names, so a malicious column name that contains a statement terminator, e.g. ;, could lead to SQL injection. This could lead to executing…
[mongoose] automattic/mongoose vulnerable to Prototype pollution via Schema.path
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the sch…
[mistune] Mistune v2.0.2 vulnerable to catastrophic backtracking
In Mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
References
https://nvd.nist…
[tzinfo] TZInfo relative path traversal vulnerability allows loading of arbitrary files
Impact
Affected versions
0.3.60 and earlier.
1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).
Vulnerability
With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zon…
[xalan:xalan] Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
A fix…
[gollum] Gollum Cross-site Scripting vulnerability via filename parameter to New Page dialog
Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the ‘New Page’ dialog.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-35305
https://github.com/Szarny/
https://github.com/gollum/
https://github.com/gollum/gollum/re…