Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-p86w-w5rh-m3hx: Apache Kylin Files or Directories Accessible to External Parties

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

ghsa
Open in Source
#vulnerability#web#apache#git#java#intel#maven
GHSA-f6m8-qm7j-fh65: Apache Kylin Server-Side Request Forgery (SSRF) Vulnerability

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

GHSA-mr9j-4j48-xcm2: Apache Kylin Authentication Bypass Vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

GHSA-q95w-c7qg-hrff: Django vulnerable to partial directory traversal via archives

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

GHSA-27hj-48r9-x2vx: Dolibarr vulnerable to RCE via the computed field parameter

Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.

GHSA-hpr9-3m2g-3j9p: Django vulnerable to SQL injection in column aliases

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

GHSA-7jp2-5h22-m432: Auth0 Symfony SDK Does Not Properly Handle File Types in Bulk User Import

### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. ### Am I affected? You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0 Symfony SDK with versions between 2.0.2 and 5.4.1, 2. Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0. ### Fix Upgrade Auth0/symfony to version 5.5.0 or greater. ### Acknowledgement Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

GHSA-w22c-pw5m-482x: Auth0 Wordpress plugin Does Not Properly Handle File Types in Bulk User Import

### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. ### Am I affected? You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0 Wordpress plugin with version between 5.0.0-BETA0 and 5.3.0, 2. Auth0 Wordpress plugin uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0. ### Fix Upgrade Auth0 Wordpress plugin to version 5.4.0 or greater. ### Acknowledgement Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

GHSA-hjfh-5jmm-xr24: laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import

### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. ### Am I affected? You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0 laravel-auth0 SDK with version between 4.0.0 and 7.18.0, 2. Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0. ### Fix Upgrade Auth0 laravel-auth0 SDK to version 7.19.0 or greater. ### Acknowledgement Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

GHSA-9mh6-g99m-ppcw: auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import

### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. ### Am I affected? You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0-PHP SDK, versions between v3.3.0 and v8.16.0, or 2. Applications using the following SDKs that rely on the Auth0-PHP SDK versions between v3.3.0 and v8.16.0: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress. ### Fix Upgrade Auth0/Auth0-PHP to version 8.17.0 or greater. ### Acknowledgement Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.