Impact
The tf.compat.v1.signal.rfft2d and tf.compat.v1.signal.rfft3d lack input validation and under certain conditions can result in crashes (due to CHECK-failures).
Patches
We have patched the issue in GitHub commit 0a8a781e597b18ead006d19b7d23d0a369e…
[tensorflow-gpu] Core dump when loading TFLite models with quantization
Impact
Certain TFLite models that were created using TFLite model converter would crash when loaded in the TFLite interpreter. The culprit is that during quantization the scale of values could be greater than 1 but code was always assuming sub-unit sca…
[github.com/pion/dtls] Header reconstruction method can be thrown into an infinite loop
Impact
An attacker can send packets that will send Pion DTLS into an infinite loop when processing.
Patches
Upgrade to Pion DTLS v2.1.4
Workarounds
No workarounds available, upgrade to Pion DTLS v2.1.4
References
Thank you to Juho Nurminen and the Matt…
[github.com/pion/dtls] Buffer for inbound DTLS fragments has no limit
Impact
A buffer that was used for inbound network traffic had no upper limit. Pion DTLS would buffer all network traffic from the remote user until the handshake completes or times out. An attacker could exploit this to cause excessive memory usage.
Pa…
[github.com/stripe/smokescreen] Smokescreen SSRF via deny list bypass (square brackets)
Impact
The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure.
Smokescreen also offers an option to d…
[next-auth] URL Redirection to Untrusted Site (‘Open Redirect’) in next-auth
Impact
We found that this vulnerability is present when the developer is implementing an OAuth 1 provider (by extension, it means Twitter, which is the only built-in provider using OAuth 1), but upgrading is still recommended.
next-auth v3 users before…
[totp-rs] Observable Timing Discrepancy in totp-rs
Impact
Token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless.
Patches
Library now used const…
[github.com/cilium/cilium] Cilium enables rogue node to cluster admin privilege escalation
Impact
If an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can leverage Cilium’s Kubernetes service account to gain access to cluster privileges that are more permissive …
[github.com/cilium/cilium] Access to Unix domain socket can lead to privileges escalation in Cilium
Impact
Users with host file system access on a node and the privileges to run as group ID 1000 can gain access to the per node API of Cilium via Unix domain socket on the host where Cilium is running. If a malicious user is able to gain unprivileged ac…
[github.com/charmbracelet/charm] Server-Side Request Forgery in charm
We’ve discovered a vulnerability in which attackers could forge HTTP requests to manipulate the charm data directory to access or delete anything on the server. This has been patched in https://github.com/charmbracelet/charm/commit/3c90668f955c7ce5ef72…