ghsa

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations. This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10. This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11. Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue.

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

### Impact This vulnerability is an **Environment Variable Injection** issue in `dotenv.stringify`, affecting `google/zx` version **8.3.1**. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to **arbitrary command execution** or **unexpected behavior** in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable. ### Patches This issue has been **patched** in version **8.3.2**. Users should **immediately upgrade** to this version to mitigate the vulnerability. ### Workarounds If upgrading is not feasible, users can mitigate the vulnerability by **sanitizing user-controlled environment variable values** before passing them to `dotenv.stringify`. Specifically, avoid using `"`, `'`, and backticks in values, or enforce strict validation of environment variables before u...

### Impact `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. ### Patches `openssl` 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers. ### Workarounds In standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback. For example: Not vulnerable - the server buffer has a `'static` lifetime: ```rust builder.set_alpn_select_callback(|_, client_protos| { ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK) }); ``` Not vulnerable - the serve...

### Impact Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to authenticated clients. ### Patches Upgrade to S3Proxy 2.6.0 which includes apache/jclouds@b0819e0ef5e08c792a4d1724b938714ce9503aa3 and 86b6ee4749aa163a78e7898efc063617ed171980. ### Workarounds None ### References Privately reported by XBOW Team @xbow-security.

Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts Component: CometBFT Criticality: High (Catastrophic Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes, Users ### Description A bug was identified in the CometBFT validation of block part indices and the corresponding proof part indices that can lead to incorrect processing and dissemination of invalid parts, which in turn could lead to a network halt. Additional validation was added to prevent this condition from happening. ### Patches The new CometBFT releases [v1.0.1](https://github.com/cometbft/cometbft/releases/tag/v1.0.1) and [v0.38.17](https://github.com/cometbft/cometbft/releases/tag/v0.38.17) fix this issue. Unreleased code in the main branch is patched as well. ### Workarounds There are no known workarounds for this is...

This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of `sofurry.com`. Please note that this user **does not own this domain on the internet, just the discord handle**. TShock overrides certain Terraria vanilla systems, including chat, and the connection handling, for its own purposes, like enforcing bans. When clients connect but do not complete the connection handshake (e.g., send message number 6), they can "exist" on the server, occupy a player slot, chat, and receive data from the server despite not being fully connected. Individuals who exploit this will be able to effectively harass the server, observe the server, and utilize server resources even if banned from the server. For servers that operate with a proxy that strictly enforces the connection handshake/sequence, this is not an issue, but for smaller servers or servers running vanilla TShock this is an issue worth patching for. PR body supplied by @ohayo (patch writer): Terraria's s...

Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync Component: CometBFT Criticality: Medium (Considerable Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes ### Impact A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism. In the `blocksync` protocol peers send their `base` and `latest` heights when they connect to a new node (`A`), which is syncing to the tip of a network. `base` acts as a lower ground and informs `A` that the peer only has blocks starting from height `base`. `latest` height informs `A` about the latest block in a network. Normally, nodes would only report increasing heights: ``` B: {base: 100, latest: 1000} B: {base: 100, latest: 1001} B: {base: 100, latest: 1002} ... ``` If `B` fails to provide the latest block,...

# Summary Django-Unicorn is vulnerable to python class pollution vulnerability, a new type of vulnerability categorized under [CWE-915](https://cwe.mitre.org/data/definitions/915.html). The vulnerability arises from the core functionality `set_property_value`, which can be remotely triggered by users by crafting appropriate component requests and feeding in values of second and third parameter to the vulnerable function, leading to arbitrary changes to the python runtime status. With this finding, so far we've found at least five ways of vulnerability exploitation, stably resulting in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass attacks in almost every Django-Unicorn-based application. # Analysis of Vulnerable Function By taking a look at the vulnerable function `set_property_value` located at: `django_unicorn/views/action_parsers/utils.py`. You can observe the functionality is responsible for modifying a property value of an object. The propert...