Source
ghsa
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue
In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens.
Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.
## Impact There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with `acme-tls/1`, then stop responding, leading to denial of service of the entrypoint. ## Patches - https://github.com/traefik/traefik/releases/tag/v2.11.35 - https://github.com/traefik/traefik/releases/tag/v3.6.7 ## For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues). <details> <summary>Original Description</summary> # \[Security\] ACME TLS-ALPN fast path lacks timeouts and close on handshake stall Dear Traefik security team, We believe we have identified a resource-exhaustion issue in the ACME TLS-ALPN fast path that can allow unauthenticated clients to...
### Summary The latest versions of both 4.x and 5.x are using Axios versions < 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios ### Details We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js. I couldn't see any reference to vulnerable axios versions in your package.json files, but noticed some precompiled files in packages/plugin so I'm assuming those are where the issue lies.
### Summary _Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._ \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ See https://github.com/advisories/GHSA-wgmf-q9vr-vww6 ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ Example target script: ``` <?php require 'vendor/autoload.php'; $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx"); $spreadsheet = $reader->load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll()); ``` Save this fil...
## Summary Certain inputs can cause `devalue.parse` to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using `devalue.parse` on externally-supplied data. The root cause is the `ArrayBuffer` hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. ## Details The parser's `ArrayBuffer` hydration logic does not properly validate input before processing. Specially crafted inputs can cause disproportionate memory allocation or CPU usage on the receiving system. ## Impact This is a denial of service vulnerability affecting systems that use `devalue.parse` to handle data from potentially untrusted sources. Affected systems should upgrade to patched versions immediately.
The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);
### Impact LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. An attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. ### Patches This issue affects all versions of lakeFS up to and including v1.74.4. The vulnerability has been fixed in version v1.75.0. Users should upgrade to version v1.75.0. ### Workarounds Until upgraded, implement these mitigations: - **Use short-lived credentials** - Rotate access keys frequently and **deactivate old keys**. For regular requests, captured requests only work until rotation. For presigned URLs, they remain valid until the credentials used to create them are deactivated. - **Network controls** - Restrict S3 gateway access to trusted networks/IPs to limit where replay attacks can originate. Note: These workarounds reduce risk but do not f...