Source
ghsa
### Impact
Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to authenticated clients.
### Patches
Upgrade to S3Proxy 2.6.0, which includes apache/jclouds@b0819e0ef5e08c792a4d1724b938714ce9503aa3 and 86b6ee4749aa163a78e7898efc063617ed171980.
### Workarounds
None
### References
Privately reported by XBOW Team @xbow-security.
Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts
Component: CometBFT
Criticality: High (Catastrophic Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes, Users
### Description
A bug was identified in the CometBFT validation of block part indices and the corresponding proof part indices that can lead to incorrect processing and dissemination of invalid parts, which in turn could lead to a network halt. Additional validation was added to prevent this condition from happening.
### Patches
The new CometBFT releases [v1.0.1](https://github.com/cometbft/cometbft/releases/tag/v1.0.1) and [v0.38.17](https://github.com/cometbft/cometbft/releases/tag/v0.38.17) fix this issue. Unreleased code in the main branch is patched as well.
### Workarounds
There are no known workarounds for this is...
This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of `sofurry.com`. Please note that this user **does not own this domain on the internet, just the discord handle**. TShock overrides certain Terraria vanilla systems, including chat, and the connection handling, for its own purposes, like enforcing bans. When clients connect but do not complete the connection handshake (e.g., send message number 6), they can "exist" on the server, occupy a player slot, chat, and receive data from the server despite not being fully connected. Individuals who exploit this will be able to effectively harass the server, observe the server, and utilize server resources even if banned from the server. For servers that operate with a proxy that strictly enforces the connection handshake/sequence, this is not an issue, but for smaller servers or servers running vanilla TShock this is an issue worth patching for. PR body supplied by @ohayo (patch writer): Terraria's s...
Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync
Component: CometBFT
Criticality: Medium (Considerable Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes
### Impact
A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism. In the `blocksync` protocol, peers send their `base` and `latest` heights when they connect to a new node (`A`) that is syncing to the tip of a network. `base` acts as a lower bound and informs `A` that the peer only has blocks starting from height `base`. `latest` informs `A` about the latest block in the network. Normally, nodes would only report increasing heights:
```
B: {base: 100, latest: 1000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
```
If `B` fails to provide the latest block,...
# Summary
Django-Unicorn is vulnerable to a Python class pollution vulnerability, a new type of vulnerability categorized under [CWE-915](https://cwe.mitre.org/data/definitions/915.html). The vulnerability arises from the core function `set_property_value`, which users can trigger remotely by crafting appropriate component requests and feeding in the values of the second and third parameters of the vulnerable function, leading to arbitrary changes to the Python runtime state. With this finding, we have so far found at least five ways of exploiting the vulnerability, reliably resulting in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass attacks in almost every Django-Unicorn-based application.
# Analysis of Vulnerable Function
Take a look at the vulnerable function `set_property_value`, located at `django_unicorn/views/action_parsers/utils.py`. You can observe that the function is responsible for modifying a property value of an object. The propert...
**Product:** PhpSpreadsheet
**Version:** 3.8.0
**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1:** 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
**CVSS vector v.4.0:** 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
**Description:** an attacker can use special characters so that the library processes the javascript protocol with special characters and generates an HTML link
**Impact:** executing arbitrary JavaScript code in the browser
**Vulnerable component:** class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateRow`
**Exploitation conditions:** a user viewing a specially generated xml file
**Mitigation:** additional sanitization of special characters in a string
**Researcher: Igor Sak-Sakovskiy (Positive Technologies)**
# Research
The researcher discovered a zero-day vulnerability in PhpSpreadsheet: a bypass of the XSS sanitizer using the javascript protocol and special characters. The following code...
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15.
A flaw was found in the WildFly Server Role Based Access Control (RBAC) provider. When authorization of management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
### Impact
A standalone server (Domain mode is not affected) with access control enabled using the RBAC provider can be suspended or resumed by unauthorized users. When a server is suspended, it stops receiving user requests. The Resume handler does the opposite: it causes a suspended server to start accepting user requests again.
### Patches
Fixed in [WildFly Core 27.0.1.Final](https://github.com/w...
### Summary
While rebuilding [PMD Designer](https://github.com/pmd/pmd-designer) for Reproducible Builds and digging into issues, I found out that the passphrase for `gpg.keyname=0xD0BF1D737C9A1C22` is included in the jar published to Maven Central.
### Details
See https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/net/sourceforge/pmd/pmd-designer/README.md
I removed 2 lines from https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/net/sourceforge/pmd/pmd-designer/pmd-designer-7.0.0.diffoscope but the real content is:
```
├── net/sourceforge/pmd/util/fxdesigner/designer.properties
│ @@ -1,14 +1,12 @@
│ #Properties
│ checkstyle.plugin.version=3.3.1
│ checkstyle.version=10.14.0
│ -gpg.keyname=0xD0BF1D737C9A1C22
│ -gpg.passphrase=evicx0nuPfvSVhVyeXpw
│ jar.plugin.version=3.3.0
│ -java.version=11.0.22
│ +java.version=11.0.25
│ javadoc.plugin.version=3.6.3
│ jflex-output=/home/runner/work/pmd-designer/pmd-designer/target/generated-sources/jflex...
```
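Review bot: the `-gpg.keyname=` and `-gpg.passphrase=` lines in the hunk are the confirmed leak, since a `-` line here is content present in the published `designer.properties` but absent from the rebuilt one, so the signing passphrase for key 0xD0BF1D737C9A1C22 shipped inside the Maven Central jar. Excluding these two properties from the resource filtering only fixes future builds; the key should be treated as compromised (revoked and replaced) and anything signed with it re-checked, and a build-time check that no `*.passphrase` or `*.password` property lands in packaged resources would catch a recurrence.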
### Impact
Lookup tables whose length is not divisible by `26 = floor(num_routed_wires / 3)` always include the `0 -> 0` input-output pair. Thus a malicious prover can always prove that `f(0) = 0` for any lookup table `f` (unless its length happens to be divisible by 26). The cause of the problem is that the `LookupTableGate`s are [padded with zeros](https://github.com/0xPolygonZero/plonky2/blob/main/plonky2/src/plonk/prover.rs#L97). The fix is to pad with an existing table pair, similarly to `LookupGate`. A workaround from the user side is to extend the table (by repeating some entries) so that its length becomes divisible by 26. Fortunately, the seemingly most common use case, namely hash functions with table-based S-boxes, is not vulnerable:
* both Monolith's and Tip5/Tip4's S-box tables already map 0 to 0;
* more generally, forcing several (0,0) pairs inside such a hash function appears to be too strong a restriction to find an otherwise valid trace.
A malicious prover...