This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/di…
[markdown-nice] Markdown-Nice v1.8.22 vulnerable to Cross-site Scripting
A cross-site scripting (XSS) vulnerability in Markdown-Nice v1.8.22 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Community Posting field.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-38639
h…
[github.com/goharbor/harbor] Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs
Impact
Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs – API call
GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}/tasks/{task_id}/…
[org.yaml:snakeyaml] snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
References
https://nv…
[org.yaml:snakeyaml] snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
References
https://n…
[org.yaml:snakeyaml] snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
References
https://nv…
[org.yaml:snakeyaml] snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
References
https://nv…
[apache-airflow] Apache Airflow exposes arbitrary file content
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the –daemon flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local u…
[indy-node] Indy’s NODE_UPGRADE transaction vulnerable to remote code execution
Impact
The pool-upgrade request handler in Indy-Node <=1.12.4 allows an improperly authenticated attacker to remotely execute code on nodes within the network.
Network operators are strongly encouraged to upgrade to the latest Indy-Node release >…
[francoisjacquet/rosariosis] francoisjacquet/rosariosis vulnerable to Cross-Site Scripting (XSS)
Cross-site Scripting (XSS) – Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3072
https://github.com/francoisjacquet/rosariosis/commit/dcd3b86156bf9e981944e1a9e01ea23d8ad7c83a…