ghsa

A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Malicious package. Exfiltrated secrets to a target server.

A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system. ### References - https://github.com/widgetti/solara/security/advisories/GHSA-9794-pc4r-438w - https://github.com/widgetti/solara/commit/df2fd66a7f4e8ffd36e8678697a8a4f76760dc54 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39903

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

### Summary A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID` ### Details As it can be seen [here](https://github.com/openclarity/kubeclarity/blob/main/backend/pkg/database/id_view.go#L79), while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation. ### PoC The following command should be able to trigger a basic version of the behavior: `curl -i -s -k -X $'GET' \ -H $'Host: kubeclarity.test' \ $'https://kubeclarity.test/api/applicationResources?page=1&pageSize=50&sortKey=vulnerabilities&sortDir=DESC&packageID=c89973a6-4e7f-50b5-afe2-6bf6f4d3da0a\'HTTP/2'` ### Impact While using the Helm chart, the impact of this vulnerability is limited since it allows read access only to the kuberclarity database, to which access is already given as far as I understand to regular users anyway. On the other hand, if...

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service. While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur. Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

### Impact The Auth0 WordPress plugin allows site administrators to opt-in to allowing the use of a `wle` parameter, which can be passed to the WordPress login page by end users. When this parameter is supplied using an expected value (which is randomly generated by the plugin, by default), the end user can fallback to using WordPress' native authentication behavior. (This is generally intended as an emergency fallback for administrators to still be able to access their dashboard in the event something goes wrong.) In previous versions of the plugin, under specific conditions, this parameter could potentially accept an arbitrary string that would be improperly rendered, potentially allowing for a cross-site scripting (XSS) attack on the login page. ### Patches Please upgrade to v4.6.1 of the plugin to resolve the issue.

### Summary Denial of service vulnerability. ### Details See: https://github.com/advisories/GHSA-447r-wph3-92pm and https://github.com/dotnet/announcements/issues/312 ### PoC Update System.Security.Cryptography.Pkcs to 8.0.1 so that the transitive dependency with the issue gets updated ### Impact Denial of service vulnerability. Affects MimeKit (>= v3.0.0 and <= v4.7.0) when used to decrypt or verify incoming S/MIME messages as well as importing 3rd-party X.509 certificates for use with encrypting outgoing S/MIME messages.

### Impact Due to a bug in Red's Core API, 3rd-party cogs using the [`@commands.can_manage_channel()`](https://docs.discord.red/en/stable/framework_checks.html#redbot.core.commands.can_manage_channel) command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The [`@commands.mod_or_can_manage_channel()`](https://docs.discord.red/en/stable/framework_checks.html#redbot.core.commands.mod_or_can_manage_channel), [`@commands.admin_or_can_manage_channel()`](https://docs.discord.red/en/stable/framework_checks.html#redbot.core.commands.admin_or_can_manage_channel), and [`@commands.guildowner_or_can_manage_channel()`](https://docs.discord.red/en/stable/framework_checks.html#redbot.core.commands.guildowne...