ghsa

Mongoose before 8.8.3 can improperly use $where in match.

Versions of the library from 0.2.2 to 1.0.9 are vulnerable to the arbitrary code execution due to unsafe usage of `new Function(...)` in the module that handles points format. Applications passing the 3rd parameter to the `hull` function without sanitising may be impacted. The vulnerability has been fixed in version 1.0.10, please update the library. Check project homepage on GitHub to see how to fetch the latest version: https://github.com/andriiheonia/hull?tab=readme-ov-file#npm-package

### Summary When making any HTTP request, the automatically enabled and self-managed `CookieStore` (aka cookie jar) will silently replace explicitly defined `Cookie`s with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's `Cookie` being used for another user's requests. ### Details This issue is described without security warnings here: https://github.com/AsyncHttpClient/async-http-client/issues/1964 I already have a PR to fix this issue: https://github.com/AsyncHttpClient/async-http-client/pull/2033 ### PoC 1. Add an auth `Cookie` to the `CookieStore` - This is identical to receiving an HTTP response that uses `Set-Cookie`, as shown in issue #1964 above. 2. Handle a different user's request where the same `Cookie` is provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it. 3. Observe that the user's cookie in step 2 is passed as the Cookie in step 1. ### Impact Thi...

### Summary Note: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities. > An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115. ### Details https://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently ``` <netty.version>4.1.113.Final</netty.version> ``` This version is vulnerable according to Snyk and is affecting one of our products:  Here is a [link](https://www.cve.org/CVERecord?id=CVE-2024-47535) to the CVE ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ Not applicable ### Impact _What kind of vuln...

# Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. ## Mitigation: Remove the `LIBXML_DTDLOAD | LIBXML_DTDATTR` options from `$options` is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 ## Background / details To be published on Dec 8th

### Impact This is not a vulnerability in the code per se, but included platform.sh Varnish VCL templates and Apache/Nginx vhost templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix disables compression in these templates. Please make sure to make the same change in your configuration files, see the release notes for specific instructions. ### Patches - See "Patched versions". - v1.0: https://github.com/ibexa/post-install/commit/d91cc02623dd3263a99a94ace133c95e48909e5d - v4.6: https://github.com/ibexa/post-install/commit/ae7c3c2081a862c75b90828f08bd74436ceb8fe8 ### Workarounds Make sure HTTP compression is disabled for REST API requests and other communication that might contain secrets. ### References - Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-comm...

### Impact This is not a vulnerability in the code per se, but included Varnish VCL templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix disables compression in these templates. Please make sure to make the same change in your configuration files, see the release notes for specific instructions. Please check your web server configuration as well. ### Patches - See "Patched versions". - https://github.com/ibexa/http-cache/commit/e03f683e8db53b6d253e1af8177befeecc8d3914 ### Workarounds Make sure HTTP compression is disabled for REST API requests and other communication that might contain secrets. ### References - Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates - Release notes: https://doc.ibexa.co/en/latest/update_an...

### Impact This is not a vulnerability in the code per se, but included Varnish VCL templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix disables compression in these templates. Please make sure to make the same change in your configuration files, see the release notes for specific instructions. Please check your web server configuration as well. ### Patches - See "Patched versions". - https://github.com/ezsystems/ezplatform-http-cache/commit/ca8a5cf69b2c14fbec90412aeeef5c755c51457b ### Workarounds Make sure HTTP compression is disabled for REST API requests and other communication that might contain secrets. ### References - Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates - Release notes: https://doc.ibexa.co/en/l...

### Impact The Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases: * The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs * The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs * The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs * The 'password' property when creating or updating an HMC user, in the zhmcclient API log * The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above. ...

### Impact The Content name pattern is used to build Content names from one or more fields. An XSS vulnerability has been found in this mechanism. Content edit permission is required to exploit it. After the fix, any existing injected XSS will not run. ### Patches - See "Patched versions. - https://github.com/ibexa/admin-ui/commit/8ec824a8cf06c566ed88e4c21cc66f7ed42649fc ### Workarounds None. ### References - Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates - Release notes: https://doc.ibexa.co/en/latest/update_and_migration/from_4.6/update_from_4.6/#v4614