Source
ghsa
### Impact Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance. ### Patches Unintended Git options has been ignored for diff preview (https://github.com/gogs/gogs/pull/7871). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions. ### References https://www.cve.org/CVERecord?id=CVE-2024-39932
### Impact Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance. ### Patches Deletion of `.git` files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions. ### References https://www.cve.org/CVERecord?id=CVE-2024-39931
### Impact Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials (`[database] *`) and `[security] SECRET_KEY`. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled. ### Patches Unintended Git options has been ignored for creating tags (https://github.com/gogs/gogs/pull/7872). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions. ### References https://www.cve.org/CVERecord?id=CVE-2024-39933
The `VariantStrIter::impl_get` function (called internally by implementations of the `Iterator` and `DoubleEndedIterator` traits for this type) was unsound, resulting in undefined behaviour. An immutable reference `&p` to a `*mut libc::c_char` pointer initialized to `NULL` was passed as an argument to a C function that that mutates the pointer behind `&p` in-place (i.e. as an out-argument), which was unsound. After changes in recent versions of the Rust compiler, these unsound writes through `&p` now seem to be completely disregarded when building the `glib` crate with optimizations. This subsequently caused all calls of `VariantStrIter::impl_get` to violate the safety requirements of the `std::ffi::CStr::from_ptr` function - which requires its argument to be a valid pointer to a C-style string - resulting in crashes due to `NULL` pointer dereferences. This was fixed by passing the out-argument pointer explitly as `&mut p` instead of `&p`. This issue has been present since this cod...
Navidrome stores the JWT secret in plaintext in the `navidrome.db` database file under the `property` table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could: - Forge valid tokens to impersonate users, including administrative accounts. - Gain unauthorized access to sensitive data or perform privileged actions. This vulnerability has been tested on the latest version of Navidrome and poses a significant risk in environments where the database file is not adequately secured. 
A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) ### Workarounds No workaround available ### References See also: https://issues.redhat.com/browse/WFLY-19969
The library provides a safe public API `unpack` to cast `u8` array to arbitrary types, which can cause to undefined behaviors. The length check of array can only prevent out-of-bound access on the return type. However, it can't prevent misaligned pointer when casting `u8` pointer to a type aligned to larger bytes. For example, if we assign `u16` to `T`, **misaligned raw pointer dereference** could happen and cause to panic. Even if we pass the type aligned to same byte as `u8` (e.g., `bool`), it could construct a illegal type since `bool` can only have 0 or 1 as bit patterns, which is also an undefined behavior. The further exploits of the bug here are still not clear, so we would report this issue as unsound. The details of PoC to reproduce undefined behavior are provided in the [issue](https://github.com/solana-labs/solana-program-library/issues/5243).
The library breaks the safety assumptions when using unsafe API `slice::from_raw_parts_mut`. The pointer passed to `from_raw_parts_mut` is misaligned by casting `u8` to `u16` raw pointer directly, which is unsound. The bug is patched by using `align_offset`, which could make sure the memory address is aligned to 2 bytes for `u16`. This was patched in 0.11.2 in the [commit](https://github.com/AFLplusplus/LibAFL/pull/1530/commits/5a60cb31ef587d71d09d534bba39bd3973c4b35d).
An issue was identified in the `VmFd::create_device function`, leading to undefined behavior and miscompilations on rustc 1.82.0 and newer due to the function's violation of Rust's pointer safety rules. The function downcasted a mutable reference to its `struct kvm_create_device` argument to an immutable pointer, and then proceeded to pass this pointer to a mutating system call. Rustc 1.82.0 and newer elides subsequent reads of this structure's fields, meaning code will not see the value written by the kernel into the `fd` member. Instead, the code will observe the value that this field was initialized to prior to calling `VmFd::create_device` (usually, 0). The issue started in kvm-ioctls 0.1.0 and was fixed in 0.19.1 by correctly using a mutable pointer.
An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.