Impact
CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cryptographic keys. This affects CaSS servers using standalone username/password authen…
[tensorflow-gpu] `CHECK` failure in depthwise ops via overflows
Impact
The implementation of depthwise ops in TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor:
import tensorflow as tf
input = tf.constant(1, shape=[1, 4, 4…
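The failure mode above is an element count that wraps when the dimensions are multiplied as a 64-bit integer, so the op later trips a CHECK (a process-aborting assertion) instead of returning an error. The following is an added example, not TensorFlow's own code: it emulates the wrapping product in pure Python (Python integers do not overflow, so the wrap is simulated with a mask) beside the overflow-checked version a hardened op should run before allocating anything. The function names and the sample shapes are the example's own.

```python
INT64_MAX = 2**63 - 1


def wrapping_num_elements(dims):
    """Product of the dimensions as C int64 arithmetic would compute it:
    the value silently wraps instead of failing.  Pure-Python emulation
    of the overflow, since Python ints are unbounded."""
    n = 1
    for d in dims:
        n = (n * d) & (2**64 - 1)   # keep the low 64 bits
        if n >= 2**63:              # reinterpret as a signed int64
            n -= 2**64
    return n


def checked_num_elements(dims):
    """Return the element count, or None when it does not fit in int64
    (or a dimension is negative).  The division-based test avoids ever
    forming the overflowing product."""
    n = 1
    for d in dims:
        if d < 0:
            return None
        if d != 0 and n > INT64_MAX // d:
            return None
        n *= d
    return n


def validate_shape(dims):
    """What a hardened op should do before touching memory: surface the
    bad shape as an error the caller can handle, not as a CHECK abort."""
    n = checked_num_elements(dims)
    if n is None:
        raise ValueError("shape %r overflows the int64 element count" % (dims,))
    return n


if __name__ == "__main__":
    # Constructed shapes: one sane, two that overflow int64.
    print(validate_shape([1, 4, 4, 3]))             # 48
    print(wrapping_num_elements([5, 2**62]))         # wraps to 2**62, looks plausible
    print(wrapping_num_elements([2**32, 2**32]))     # wraps to 0, "empty" tensor
    print(checked_num_elements([5, 2**62]))          # None: caught before use
```

The wrapped results are the dangerous part: a product that wraps to a small positive number, or to zero, passes any later "is the size reasonable" test and leaves the op's internal invariants inconsistent, which is what the CHECK then catches.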
[github.com/pion/dtls] Client Certificates are accepted without CertificateVerify
Impact
A DTLS client could present a certificate for which it does not possess the private key, and Pion DTLS would not reject it.
This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate prov…
[github.com/hyperledger/fabric] NULL Pointer Dereference in HyperLedger Fabric
A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0 and v2.1.0. The bug can be triggered by constructing a message whose payload is nil and sending it with the method ‘forwardToLeader’. This bug has been admitted and fixed by…
[ansible] Exposure of Sensitive Information in ansible
A flaw was found in Ansible Engine 2.9.18, where sensitive information is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive informati…
[github.com/buger/jsonparser] Denial of Service in jsonparser
jsonparser before 1.1.1 allows attackers to cause a denial of service via a GET call.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-35381
https://github.com/buger/jsonparser/issues/219
https://github.com/buger/jsonparser/pull/221
https://github…
[guzzlehttp/guzzle] Cross-domain cookie leakage in Guzzle
Impact
Previous versions of Guzzle contain a vulnerability in the cookie middleware: it is not checked whether the cookie domain matches the domain of the server that sets the cookie via the Set-Cookie header, allowing a malicious…
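The check that was missing is the RFC 6265 domain-match: a response from one host may only set a cookie whose Domain attribute is that host or a parent domain of it, never an unrelated domain. The following is an added example, not Guzzle's own code: a small cookie jar whose strict=False mode mirrors the described flaw (any Domain attribute is trusted) and whose strict=True mode applies the domain-match before storing. The class and function names, and the attacker.example / victim.example hosts, are the example's own.

```python
import ipaddress


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: the host equals the cookie
    domain, or is a subdomain of it and is not an IP address literal."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not domain:
        return False
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True      # a real host name that is a subdomain of `domain`
    return False         # IP literals never domain-match a suffix


def parse_set_cookie(header):
    """Split 'name=value; Domain=x; Path=/' into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


class CookieJar:
    """strict=False mimics the flaw: the Domain attribute is trusted as-is.
    strict=True rejects cookies whose Domain the responding host may not set."""

    def __init__(self, strict=True):
        self.strict = strict
        self.cookies = {}   # (domain, name) -> (value, host_only)

    def store(self, request_host, set_cookie_header):
        name, value, attrs = parse_set_cookie(set_cookie_header)
        domain = attrs.get("domain")
        host_only = domain is None
        if host_only:
            domain = request_host.lower()
        elif self.strict and not domain_matches(request_host, domain):
            return False    # rejected: not the responder's domain or a parent of it
        else:
            domain = domain.lower().lstrip(".")
        self.cookies[(domain, name)] = (value, host_only)
        return True

    def cookies_for(self, host):
        """Cookies that would be attached to a request to `host`."""
        host = host.lower()
        sent = {}
        for (domain, name), (value, host_only) in self.cookies.items():
            if host == domain if host_only else domain_matches(host, domain):
                sent[name] = value
        return sent


if __name__ == "__main__":
    # Constructed exchange: attacker.example tries to plant a cookie for victim.example.
    planted = "session=attacker-chosen; Domain=victim.example"
    weak, hardened = CookieJar(strict=False), CookieJar(strict=True)
    weak.store("attacker.example", planted)
    hardened.store("attacker.example", planted)
    print(weak.cookies_for("victim.example"))       # {'session': 'attacker-chosen'}
    print(hardened.cookies_for("victim.example"))   # {}
```

The strict jar still accepts a parent-domain cookie from a legitimate subdomain (www.victim.example may set Domain=victim.example). What it does not do is consult the public suffix list, so a response from a.co.uk setting Domain=co.uk would pass this check; a production jar needs that second test as well.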
[helloxz/imgurl] SQL injection in helloxz/imgurl
imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-29305
https://github.com/helloxz/imgurl/issues/75
https://github.com/advisories/GHSA-rrjv-34p5-4c7r
[filegator/filegator] Path traversal in filegator
Path Traversal in GitHub repository filegator/filegator prior to 7.8.0 for non-admin users. Files created with ..\ as part of their name will be interpreted as a path. Users are thus able to add filesystem entries outside the scope of their user to the…
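The detail worth noting is the backslash: a name such as ..\..\x is an ordinary (if odd) file name on POSIX, but a Windows path resolver treats the backslash as a separator and the .. components climb out of the user's directory. The following is an added example, not filegator's own code: it shows the naive join as Windows path rules interpret it, then a hardened resolver that normalises both separators, rejects dot components, and confirms the real path is still under the user's root. The function names and the sample roots are the example's own.

```python
import ntpath
import os

UNSAFE_NAME_CHARS = ("/", "\\", "\0")


def naive_join(user_root, filename):
    """Mimics the flaw: the client-supplied name is glued onto the user's
    root and handed to the OS.  ntpath applies Windows rules regardless of
    the host platform, so '..\\' components resolve upwards."""
    return ntpath.normpath(ntpath.join(user_root, filename))


def safe_filename(filename):
    """Accept a single path component only: no separators of either
    style, no NUL, and not '.' or '..'."""
    if not filename or filename in (".", ".."):
        raise ValueError("empty or dot-only file name")
    if any(c in filename for c in UNSAFE_NAME_CHARS):
        raise ValueError("separator or NUL in file name: %r" % filename)
    return filename


def resolve_within_root(user_root, relative_path):
    """Return the absolute target for a user-relative path, or raise
    ValueError if any component is unsafe or the result escapes the root."""
    root = os.path.realpath(user_root)
    parts = [p for p in relative_path.replace("\\", "/").split("/") if p not in ("", ".")]
    for part in parts:
        safe_filename(part)          # rejects '..' wherever it appears
    target = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes user root: %r" % target)
    return target


def is_confined(user_root, relative_path):
    """Boolean form of resolve_within_root for callers that just need a verdict."""
    try:
        resolve_within_root(user_root, relative_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed names: what the naive join does under Windows rules,
    # and what the hardened resolver says about the same inputs.
    print(naive_join(r"C:\storage\alice", r"..\..\Windows\win.ini"))   # C:\Windows\win.ini
    print(is_confined("/srv/files/alice", r"..\..\etc\passwd"))        # False
    print(is_confined("/srv/files/alice", "docs/../../etc/passwd"))    # False
    print(is_confined("/srv/files/alice", "docs/report.pdf"))          # True
```

The realpath step matters even after the component check: if a directory inside the user's root is a symlink pointing elsewhere, a name that passes safe_filename can still land outside, and only the final commonpath comparison catches that.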
[github.com/tidwall/gjson] ReDoS via crafted JSON input in GJSON
GJSON <= 1.9.2 allows attackers to cause a ReDoS via crafted JSON input.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-42248
https://github.com/tidwall/gjson/issues/237
https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f…